From 218c95cc2e45de929d92c508bc9a95292c3a4ece Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 7 Nov 2019 17:32:49 +0000 Subject: Dsearch: Fix taint-handling in lookup. Bug 2465 (cherry picked from commit 13e70f5530fc3fd376e1397c76e073a339e738aa) --- doc/doc-txt/ChangeLog | 4 ++++ src/src/lookups/dsearch.c | 13 ++++--------- src/src/string.c | 2 +- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index f10e45cee..e9a614c0a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -212,6 +212,10 @@ JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since 3.6.0, DH parameters are negotiated following RFC7919." +JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted + buffer was used for the filename, resulting in a trap when tainted + arguments (eg. $domain) were used. + Exim version 4.92 ----------------- diff --git a/src/src/lookups/dsearch.c b/src/src/lookups/dsearch.c index 9f7dd8da0..c27f5d6e6 100644 --- a/src/src/lookups/dsearch.c +++ b/src/src/lookups/dsearch.c @@ -65,13 +65,13 @@ return lf_check_file(-1, filename, S_IFDIR, modemask, owners, owngroups, scanning the directory, as it is hopefully faster to let the OS do the scanning for us. */ -int -static dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length, +static int +dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length, uschar **result, uschar **errmsg, uint *do_cache) { struct stat statbuf; int save_errno; -uschar filename[PATH_MAX]; +uschar * filename; handle = handle; /* Keep picky compilers happy */ length = length; @@ -84,12 +84,7 @@ if (Ustrchr(keystring, '/') != 0) return DEFER; } -if (!string_format(filename, sizeof(filename), "%s/%s", dirname, keystring)) - { - *errmsg = US"path name too long"; - return DEFER; - } - +filename = string_sprintf("%s/%s", dirname, keystring); if (Ulstat(filename, &statbuf) >= 0) { *result = string_copy(keystring); diff --git a/src/src/string.c b/src/src/string.c index ced1ad8c7..007ec877e 100644 --- a/src/src/string.c +++ b/src/src/string.c @@ -664,7 +664,7 @@ return yield; *************************************************/ /* The formatting is done by string_vformat, which checks the length of -everything. +everything. Taint is taken from the worst of the arguments. Arguments: format a printf() format - deliberately char * rather than uschar * -- cgit v1.2.3