diff options
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 5 | ||||
-rw-r--r-- | src/src/readconf.c | 75 | ||||
-rw-r--r-- | test/confs/0903 | 1 | ||||
-rw-r--r-- | test/confs/0903./aaa | 1 | ||||
-rw-r--r-- | test/confs/0903./bbb | 0 | ||||
-rw-r--r-- | test/scripts/0000-Basic/0290 | 2 | ||||
-rw-r--r-- | test/scripts/0000-Basic/0903 | 2 | ||||
-rw-r--r-- | test/stdout/0903 | 7 |
8 files changed, 77 insertions, 16 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 835893d1b..02ffec9d1 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -4937,6 +4937,11 @@ Include processing happens after macro processing (see below). Its effect is to process the lines of the included file as if they occurred inline where the inclusion appears. +Relative names are allowed with &`.include`&, and are resolved +relative to the directory of the including file. For security reasons +this is not allowed with &`.include_if_exists`&. To avoid confusion, it +is strongly recommended to use absolute names only. + .section "Macros in the configuration file" "SECTmacrodefs" diff --git a/src/src/readconf.c b/src/src/readconf.c index 858496b6b..c5bd41d47 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -22,12 +22,15 @@ static void readconf_options_auths(void); #define CSTATE_STACK_SIZE 10 +const uschar *config_directory = NULL; + /* Structure for chain (stack) of .included files */ typedef struct config_file_item { struct config_file_item *next; const uschar *filename; + const uschar *directory; FILE *file; int lineno; } config_file_item; @@ -944,6 +947,7 @@ for (;;) (void)fclose(config_file); config_file = config_file_stack->file; config_filename = config_file_stack->filename; + config_directory = config_file_stack->directory; config_lineno = config_file_stack->lineno; config_file_stack = config_file_stack->next; if (config_lines) @@ -1166,9 +1170,19 @@ for (;;) } *t = 0; + /* We allow relative file names. For security reasons currently + relative names not allowed with .include_if_exists. For .include_if_exists + we need to check the permissions/ownership of the containing folder */ if (*ss != '/') - log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, ".include specifies a non-" - "absolute path \"%s\"", ss); + if (include_if_exists) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, ".include specifies a non-" + "absolute path \"%s\"", ss); + else + { + int offset = 0; + int size = 0; + ss = string_append(NULL, &size, &offset, 3, config_directory, "/", ss); + ss[offset] = '\0'; /* string_append() does not zero terminate the string! */ + } if (include_if_exists != 0 && (Ustat(ss, &statbuf) != 0)) continue; @@ -1179,6 +1193,7 @@ for (;;) config_file_stack = save; save->file = config_file; save->filename = config_filename; + save->directory = config_directory; save->lineno = config_lineno; if (!(config_file = Ufopen(ss, "rb"))) @@ -1186,6 +1201,7 @@ for (;;) "configuration file %s", ss); config_filename = string_copy(ss); + config_directory = string_copyn(ss, (const uschar*) strrchr(ss, '/') - ss); config_lineno = 0; continue; } @@ -3356,15 +3372,6 @@ while((filename = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) if (config_file != NULL || errno != ENOENT) break; } -/* Now, once we found and opened our configuration file, we change the directory -to a safe place. Later we change to $spool_directory. */ - -if (Uchdir("/") < 0) - { - perror("exim: chdir `/': "); - exit(EXIT_FAILURE); - } - /* On success, save the name for verification; config_filename is used when logging configuration errors (it changes for .included files) whereas config_main_filename is the name shown by -bP. Failure to open a configuration @@ -3372,12 +3379,41 @@ file is a serious disaster. */ if (config_file != NULL) { - uschar *p; + uschar *slash = Ustrrchr(filename, '/'); config_filename = config_main_filename = string_copy(filename); - p = Ustrrchr(filename, '/'); - config_main_directory = p ? string_copyn(filename, p - filename) - : string_copy(US"."); + /* the config_main_directory we need for the $config_dir expansion. + And config_dir is the directory of the current configuration, used for + relative .includes. We do need to know it's name, as we change our working + directory later. */ + + if (filename[0] == '/') + config_main_directory = slash > filename ? string_copyn(filename, slash - filename) : US"/"; + else + { + /* relative configuration file name: working dir + / + basename(filename) */ + + char buf[PATH_MAX]; + int offset = 0; + int size = 0; + const uschar *p = Ustrrchr(filename, '/'); + + if (getcwd(buf, PATH_MAX) == NULL) + { + perror("exim: getcwd"); + exit(EXIT_FAILURE); + } + config_main_directory = string_cat(NULL, &size, &offset, buf); + + /* If the dir does not end with a "/", append one */ + if (config_main_directory[offset-1] != '/') + string_cat(config_main_directory, &size, &offset, US"/"); + + /* If the config file contains a "/", extract the directory part */ + if (p) + string_catn(config_main_directory, &size, &offset, filename, p - filename); + } + config_directory = config_main_directory; } else { @@ -3389,6 +3425,15 @@ else "configuration file %s", filename)); } +/* Now, once we found and opened our configuration file, we change the directory +to a safe place. Later we change to $spool_directory. */ + +if (Uchdir("/") < 0) + { + perror("exim: chdir `/': "); + exit(EXIT_FAILURE); + } + /* Check the status of the file we have opened, if we have retained root privileges and the file isn't /dev/null (which *should* be 0666). */ diff --git a/test/confs/0903 b/test/confs/0903 new file mode 100644 index 000000000..017424e24 --- /dev/null +++ b/test/confs/0903 @@ -0,0 +1 @@ +.include confs/0903./aaa diff --git a/test/confs/0903./aaa b/test/confs/0903./aaa new file mode 100644 index 000000000..746f316bf --- /dev/null +++ b/test/confs/0903./aaa @@ -0,0 +1 @@ +.include bbb diff --git a/test/confs/0903./bbb b/test/confs/0903./bbb new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/confs/0903./bbb diff --git a/test/scripts/0000-Basic/0290 b/test/scripts/0000-Basic/0290 index f4b63aa8e..204fa1e1b 100644 --- a/test/scripts/0000-Basic/0290 +++ b/test/scripts/0000-Basic/0290 @@ -8,5 +8,5 @@ exim -DOPT -bP receive_timeout exim '-D OPT = receive_timeout = 4s ' -bP receive_timeout **** 1 -exim -DINC='.include non/absolute' -bP receive_timeout +exim -DINC='.include_if_exists non/absolute' -bP receive_timeout **** diff --git a/test/scripts/0000-Basic/0903 b/test/scripts/0000-Basic/0903 new file mode 100644 index 000000000..1bd510ae3 --- /dev/null +++ b/test/scripts/0000-Basic/0903 @@ -0,0 +1,2 @@ +# Test different variants of .includes +exim -bP config diff --git a/test/stdout/0903 b/test/stdout/0903 new file mode 100644 index 000000000..a7bda45dc --- /dev/null +++ b/test/stdout/0903 @@ -0,0 +1,7 @@ +# Exim Configuration (X) +# 1 "TESTSUITE/test-config" +# 1 "TESTSUITE/test-config" +# 1 "TESTSUITE/confs/0903./aaa" +# 1 "TESTSUITE/confs/0903./aaa" +# 1 "TESTSUITE/confs/0903./aaa" +# 1 "TESTSUITE/test-config" |