From a9ac2d7fc219e41a353abf1f599258b9b9d21b7e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 7 Jul 2021 22:19:07 +0100 Subject: Fix tainted message for fakereject --- doc/doc-txt/ChangeLog | 4 ++++ src/src/acl.c | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index cc589c567..dc9d9d8cc 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -320,6 +320,10 @@ JH/56 Make the majority of info read from config files readonly, for defence-in- depth against exploits. Suggestion by Qualsy. Not supported on Solaris 10. +JH/57 Fix control=fakreject for a custom message containing tainted data. + Previously this resulted in a log complaint, due to a re-expansion present + since fakereject was originally introduced. + Exim version 4.94 ----------------- diff --git a/src/src/acl.c b/src/src/acl.c index 1bf118764..89947f405 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -3235,13 +3235,15 @@ for (; cb; cb = cb->next) case CONTROL_FAKEREJECT: cancel_cutthrough_connection(TRUE, US"fakereject"); - case CONTROL_FAKEDEFER: + case CONTROL_FAKEDEFER: fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL; if (*p == '/') { const uschar *pp = p + 1; while (*pp) pp++; - fake_response_text = expand_string(string_copyn(p+1, pp-p-1)); + /* The entire control= line was expanded at top so no need to expand + the part after the / */ + fake_response_text = string_copyn(p+1, pp-p-1); p = pp; } else /* Explicitly reset to default string */ -- cgit v1.2.3