From 7bdf04110b214bd964cd1b99894c42d089f40851 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 30 Apr 2022 23:57:33 +0100 Subject: Taint: generate detainted $domain_data & $local_part_data from Rverify callout --- doc/doc-docbook/spec.xfpt | 9 +++++++++ doc/doc-txt/NewStuff | 3 +++ src/src/verify.c | 21 +++++++++++++++++++++ test/scripts/0000-Basic/0473 | 9 +++++++++ test/stdout/0473 | 9 +++++++++ 5 files changed, 51 insertions(+) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ef8fc6836..b6fd9e10f 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -33620,6 +33620,15 @@ output before performing a callout in an ACL, to avoid unexpected timeouts in clients when the SMTP PIPELINING extension is in use. The flushing can be disabled by using a &%control%& modifier to set &%no_callout_flush%&. +.new +.cindex "tainted data" "de-tainting" +.cindex "de-tainting" "using receipient verify" +A recipient callout which gets a 2&'xx'& code +will assign untainted values to the +&$domain_data$& and &$local_part_data$& variables, +corresponding to the domain and local parts of the recipient address. +.wen + diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 11004e33a..2986b2cdd 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -27,6 +27,9 @@ Version 4.96 the expansion of the "true" result of the ${if}. With a static list, this can be used for de-tainting. + 8. Recipient verify callouts now set $domain_data & $local_part_data, with + de-tainted values. + Version 4.95 ------------ diff --git a/src/src/verify.c b/src/src/verify.c index 82fae89c1..b4c2b9a8f 100644 --- a/src/src/verify.c +++ b/src/src/verify.c 
@@ -445,6 +445,21 @@ return done; } + + +/* A rcpt callout, or cached record of one, verified the address. +Set $domain_data and $local_part_data to detainted versions. +*/ +static void +callout_verified_rcpt(const address_item * addr) +{ +address_item a = {.address = addr->address}; +if (deliver_split_address(&a) != OK) return; +deliver_localpart_data = string_copy_taint(a.local_part, GET_UNTAINTED); +deliver_domain_data = string_copy_taint(a.domain, GET_UNTAINTED); +} + + /************************************************* * Do callout verification for an address * *************************************************/ @@ -1952,6 +1967,12 @@ while (addr_new) #ifndef DISABLE_TLS deliver_set_expansions(NULL); #endif + if ( options & vopt_is_recipient + && rc == OK + /* set to "random", with OK, for an accepted random */ + && !recipient_verify_failure + ) + callout_verified_rcpt(addr); } } else if (local_verify) diff --git a/test/scripts/0000-Basic/0473 b/test/scripts/0000-Basic/0473 index df613c4b7..4392c7e33 100644 --- a/test/scripts/0000-Basic/0473 +++ b/test/scripts/0000-Basic/0473 @@ -94,6 +94,7 @@ RCPT TO QUIT 250 OK **** +# A rcpt refusal exim -bs ehlo xxxx mail from: @@ -143,6 +144,7 @@ RCPT TO QUIT 250 OK **** +# an accepted random exim -DUSE_SENDER=,defer_ok,random,use_postmaster -bs ehlo xxxx mail from: x11@two.test.ex @@ -150,6 +152,13 @@ rcpt to: r11@two.test.ex quit **** dump callout +# repeat from cache +exim -DUSE_SENDER=,defer_ok,random,use_postmaster -bs +ehlo xxxx +mail from: x11@two.test.ex +rcpt to: r11@two.test.ex +quit +**** # # callout target dumps after random-reject server PORT_S 2 diff --git a/test/stdout/0473 b/test/stdout/0473 index eda29bd92..7ac03f12a 100644 --- a/test/stdout/0473 +++ b/test/stdout/0473 
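Review bot: In callout_verified_rcpt() the two `string_copy_taint(..., GET_UNTAINTED)` calls mark the split local part and domain as untainted with no check on their content, so the only validation is that the callout target answered 2xx. The header comment should state that trust assumption, since a configuration that expands $local_part_data into a file name is then relying on what a remote host was willing to accept: `/* The values are the client-supplied address parts; they are vouched for only by the host that accepted the RCPT. */`. The early `return` when deliver_split_address() fails also leaves both variables holding whatever they had before, and whether that can be a previous recipient's value depends on code outside this hunk.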
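Review bot: The `!recipient_verify_failure` term in the new condition withholds the untainted values only when a random local part was probed and accepted, so, as far as the hunk shows, a callout made without the `random` option still passes it when the target accepts every recipient. That limit deserves a fuller comment than the present one, for example `/* recipient_verify_failure is "random", with rc OK, when the host accepted a random local part; a callout made without the random option cannot detect an accept-all host here */`. Nothing in the hunk resets the two variables when the condition is false, which appears to be left to code outside the hunk. The enclosing while loop and if/else chain start and end outside it.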
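Review bot: The added "repeat from cache" run in test/scripts/0000-Basic/0473 reaches the cached-accept path, but nothing visible checks the result: the matching lines added to test/stdout/0473 are only SMTP replies, and the diffstat lists no change to the test configuration. A check that makes the values observable would cover the feature, for instance an ACL line in the 0473 configuration that logs $domain_data and $local_part_data after the verify. Going by the condition added in verify.c, the rcpt-refusal and accepted-random runs should leave the variables unset. Until then a comment such as `# repeat from cache (does not yet check $domain_data / $local_part_data)` would make the gap explicit.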
@@ -110,6 +110,15 @@ 250 OK 250 Accepted 221 the.local.host.name closing connection +220 the.local.host.name ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250-the.local.host.name Hello CALLER at xxxx +250-SIZE 52428800 +250-8BITMIME +250-PIPELINING +250 HELP +250 OK +250 Accepted +221 the.local.host.name closing connection +++++++++++++++++++++++++++ 07-Mar-2000 12:21:52 other.ex callout=accept postmaster=unknown random=unknown 07-Mar-2000 12:21:52 r12@three.test.ex callout=accept -- cgit v1.2.3