diff options
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
| -rw-r--r-- | src/src/spool_in.c | 8 |
2 files changed, 11 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index d9b77804b..d99b2684a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -29,6 +29,9 @@ JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage add more error-checking on spoolfile handling while that code is being messed with. +PP/01 Refuse to open a spool data file (*-D) if it's a symlink. + No known attacks, no CVE, this is defensive hardening. + Exim version 4.91 ----------------- diff --git a/src/src/spool_in.c b/src/src/spool_in.c index 33890c516..cd74d1ee7 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -57,10 +57,18 @@ for (i = 0; i < 2; i++) fname = spool_fname(US"input", message_subdir, id, US"-D"); DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname); + /* We protect against symlink attacks both in not propagating the + * file-descriptor to other processes as we exec, and also ensuring that we + * don't even open symlinks. + * No -D file inside the spool area should be a symlink. + */ if ((fd = Uopen(fname, #ifdef O_CLOEXEC O_CLOEXEC | #endif +#ifdef O_NOFOLLOW + O_NOFOLLOW | +#endif O_RDWR | O_APPEND, 0)) >= 0) break; save_errno = errno; |