ph10 2005/03/22 14:50:10 GMT
Modified files:
exim-doc/doc-txt ChangeLog
exim-src/src deliver.c
exim-test-orig/AutoTest/stderr 458
Added files:
exim-test-orig/AutoTest/confs 605
exim-test-orig/AutoTest/log 605
exim-test-orig/AutoTest/mail 605.ph10
exim-test-orig/AutoTest/scripts 605
Log:
Attempt to flatten LDAP passwords in address' error messages (after
expansion failure) so they don't get published.
Revision Changes Path
1.95 +5 -0 exim/exim-doc/doc-txt/ChangeLog
1.9 +20 -2 exim/exim-src/src/deliver.c
1.1 +39 -0 exim/exim-test-orig/AutoTest/confs/605 (new)
1.1 +7 -0 exim/exim-test-orig/AutoTest/log/605 (new)
1.1 +32 -0 exim/exim-test-orig/AutoTest/mail/605.ph10 (new)
1.1 +3 -0 exim/exim-test-orig/AutoTest/scripts/605 (new)
1.3 +1 -1 exim/exim-test-orig/AutoTest/stderr/458
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -r1.94 -r1.95
--- ChangeLog 22 Mar 2005 14:11:54 -0000 1.94
+++ ChangeLog 22 Mar 2005 14:50:10 -0000 1.95
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.94 2005/03/22 14:11:54 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.95 2005/03/22 14:50:10 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -60,6 +60,11 @@
PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an
"unknown" error; now it says that the functionality isn't in the binary.
+
+PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in
+ an address' error message when a string expansion fails (syntax or
+ whatever). Otherwise not only does the password appear in the log, it may
+ also be put in a bounce message.
A note about Exim versions 4.44 and 4.50
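Review bot: the ChangeLog entry should state what the fudge does not cover, since operators will read this as "LDAP passwords no longer appear in logs or bounces". From the deliver.c change in this commit, only the first "pass=" in the message is flattened, and flattening stops at the first whitespace, so a second lookup's password, or the tail of a quoted password containing a space, still goes into the log and the bounce. Suggest adding a sentence after "also be put in a bounce message." along the lines of "Only the first password is hidden, and only up to the first space."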
Index: deliver.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/deliver.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- deliver.c 15 Mar 2005 12:27:54 -0000 1.8
+++ deliver.c 22 Mar 2005 14:50:10 -0000 1.9
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/deliver.c,v 1.8 2005/03/15 12:27:54 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/deliver.c,v 1.9 2005/03/22 14:50:10 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -729,9 +729,27 @@
/* If there's an error message set, ensure that it contains only printing
characters - it should, but occasionally things slip in and this at least
-stops the log format from getting wrecked. */
-
-if (addr->message != NULL) addr->message = string_printing(addr->message);
+stops the log format from getting wrecked. We also scan the message for an LDAP
+expansion item that has a password setting, and flatten the password. This is a
+fudge, but I don't know a cleaner way of doing this. (If the item is badly
+malformed, it won't ever have gone near LDAP.) */
+
+if (addr->message != NULL)
+ {
+ addr->message = string_printing(addr->message);
+ if (Ustrstr(addr->message, "failed to expand") != NULL &&
+ (Ustrstr(addr->message, "ldap:") != NULL ||
+ Ustrstr(addr->message, "ldapdn:") != NULL ||
+ Ustrstr(addr->message, "ldapm:") != NULL))
+ {
+ uschar *p = Ustrstr(addr->message, "pass=");
+ if (p != NULL)
+ {
+ p += 5;
+ while (*p != 0 && !isspace(*p)) *p++ = 'x';
+ }
+ }
+ }
/* If we used a transport that has one of the "return_output" options set, and
if it did in fact generate some output, then for return_output we treat the
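Review bot: the flattening in this hunk leaves part or all of the password in place in two cases. Ustrstr(addr->message, "pass=") is evaluated once, so when the failed expansion contains more than one LDAP lookup item only the first password is hidden; and the loop `while (*p != 0 && !isspace(*p)) *p++ = 'x';` stops at the first whitespace, so a quoted value such as pass="two words" comes out as pass=xxxx words" (test 605 only exercises pass="secret"). Suggest looping over every match and, when the byte after "pass=" is a double quote, flattening through to the matching closing quote (honouring backslash escapes) rather than to whitespace. Two smaller points: the replacement preserves the value's length, as the log in test 605 shows with pass=xxxxxxxx for "secret" plus its quotes, so a fixed-length token would leak less; and because the trigger is only "failed to expand" plus one of the ldap prefixes anywhere in the message, an unrelated "bypass=" in the same string would also be overwritten, which is harmless but deserves a line in the comment.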
Index: 605
====================================================================
# Exim test configuration 605
# Macros are set externally in order to get the path
# of the Exim that is being tested, and the directory
# in which the test data lives.
exim_path = EXIM_PATH
primary_hostname = myhost.test.ex
spool_directory = DIR/spool
# ----- Main settings -----
# ----- Routers -----
begin routers
r0:
driver = accept
senders = :
transport = t1
r1:
driver = redirect
data = ${lookup ldap user="cn=xxx,o=yyy,c=UK" pass="secret" \
ldap:///o=zzz,c=UK,?sn?sub?(cn=foo)}}
# ----- Transports -----
begin transports
t1:
driver = appendfile
file = DIR/test-mail/$local_part
user = CALLER
# End
Index: 605
====================================================================
1999-03-02 09:44:33 10HmaX-0005vi-00 <= ph10@??? U=ph10 P=local S=267
1999-03-02 09:44:33 10HmaX-0005vi-00 == ph10@??? R=r1 defer (-1): failed to expand "${lookup ldap user="cn=xxx,o=yyy,c=UK" pass=xxxxxxxx ldap:///o=zzz,c=UK,?sn?sub?(cn=foo)}}": missing or misplaced { or }
1999-03-02 09:44:33 10HmaX-0005vi-00 ** ph10@???: retry timeout exceeded
1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=exim P=local S=1218
1999-03-02 09:44:33 10HmaY-0005vi-00 => ph10 <ph10@???> R=r0 T=t1
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
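The "failed to expand" line in the log above is what the new deliver.c code produces for test 605. As an added illustration, in my own C rather than Exim's source, the function below does the same scrub stand-alone and goes a little beyond the commit: it handles every pass= item in the message, copes with quoted values containing spaces or backslash escapes, and replaces the value with a fixed token so the message reveals neither the password nor its length. The names redact_ldap_passwords and redacts_to, the REDACTED token and the sample messages are all mine; the first sample is constructed from the log line in test 605.

```c
/* Added example (not Exim's own code): redact LDAP bind passwords in an
   address error message. It generalises the deliver.c fudge in this commit:
   every "pass=" occurrence is handled, quoted values may contain spaces or
   backslash escapes, and the value is replaced by a fixed token. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REDACTED "xxx"   /* fixed-length stand-in, so length is not leaked */

static int mentions_ldap_lookup(const char *msg)
{
  return strstr(msg, "ldap:")   != NULL ||
         strstr(msg, "ldapdn:") != NULL ||
         strstr(msg, "ldapm:")  != NULL;
}

/* Rewrites msg in place. Returns the number of passwords redacted, or -1 if
   a replacement would not fit in the buffer of bufsize bytes (only possible
   when a value is shorter than REDACTED). Nothing is changed on -1. */
int redact_ldap_passwords(char *msg, size_t bufsize)
{
  int count = 0;
  char *p = msg;

  /* Same trigger as deliver.c: only an expansion-failure message that echoes
     an LDAP lookup item can be carrying a bind password. */
  if (strstr(msg, "failed to expand") == NULL || !mentions_ldap_lookup(msg))
    return 0;

  while ((p = strstr(p, "pass=")) != NULL)
    {
    char *start = p + 5;          /* first byte of the value */
    char *end = start;            /* one past the last byte of the value */
    size_t tail, newlen;

    if (*start == '"')
      {
      /* Quoted value: runs to the closing quote. A backslash escapes the
         next byte, so an escaped quote does not end the value. */
      end = start + 1;
      while (*end != 0 && *end != '"')
        {
        if (*end == '\\' && end[1] != 0) end++;
        end++;
        }
      if (*end == '"') end++;     /* swallow the closing quote as well */
      }
    else
      {
      /* Unquoted value: runs to the next whitespace, as in deliver.c. */
      while (*end != 0 && !isspace((unsigned char)*end)) end++;
      }

    tail = strlen(end) + 1;                         /* rest of message + NUL */
    newlen = (size_t)(start - msg) + strlen(REDACTED) + tail - 1;
    if (newlen >= bufsize) return -1;
    memmove(start + strlen(REDACTED), end, tail);   /* close the gap (or widen it) */
    memcpy(start, REDACTED, strlen(REDACTED));
    p = start + strlen(REDACTED);
    count++;
    }
  return count;
}

/* Demonstration helper: redact a copy of in and return 1 if the result
   equals expect, 0 otherwise (also 0 if in is too long or does not fit). */
int redacts_to(const char *in, const char *expect)
{
  char buf[512];
  if (strlen(in) >= sizeof buf) return 0;
  strcpy(buf, in);
  if (redact_ldap_passwords(buf, sizeof buf) < 0) return 0;
  return strcmp(buf, expect) == 0;
}

int main(void)
{
  /* Constructed from the expansion-failure line in test log 605. */
  char msg[512] =
    "failed to expand \"${lookup ldap user=\"cn=xxx,o=yyy,c=UK\" "
    "pass=\"secret\" ldap:///o=zzz,c=UK,?sn?sub?(cn=foo)}}\": "
    "missing or misplaced { or }";
  int n = redact_ldap_passwords(msg, sizeof msg);
  printf("%d password(s) redacted: %s\n", n, msg);
  return 0;
}
```

The buffer-size check matters because the token can be longer than a very short value; in Exim's case the message is a store-allocated string, so a real port would allocate a fresh copy rather than shifting in place.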
Index: 605.ph10
====================================================================
From MAILER-DAEMON Tue Mar 02 09:44:33 1999
Received: from exim by myhost.test.ex with local (Exim x.yz)
id 10HmaY-0005vi-00
for ph10@???; Tue, 2 Mar 1999 09:44:33 +0000
X-Failed-Recipients: ph10@???
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon@???>
To: ph10@???
Subject: Mail delivery failed: returning message to sender
Message-Id: <E10HmaY-0005vi-00@???>
Date: Tue, 2 Mar 1999 09:44:33 +0000
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
ph10@???
failed to expand "${lookup ldap user="cn=xxx,o=yyy,c=UK" pass=xxxxxxxx ldap:///o=zzz,c=UK,?sn?sub?(cn=foo)}}":
missing or misplaced { or }: retry timeout exceeded
------ This is a copy of the message, including all the headers. ------
Return-path: <ph10@???>
Received: from ph10 by myhost.test.ex with local (Exim x.yz)
id 10HmaX-0005vi-00
for ph10@???; Tue, 2 Mar 1999 09:44:33 +0000
Message-Id: <E10HmaX-0005vi-00@???>
From: Philip Hazel <ph10@???>
Date: Tue, 2 Mar 1999 09:44:33 +0000
Index: 605
====================================================================
0 hide LDAP password in bounce message after expansion failure
exim -odi ph10
****
Index: 458
===================================================================
RCS file: /home/cvs/exim/exim-test-orig/AutoTest/stderr/458,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- 458 15 Oct 2004 13:38:05 -0000 1.2
+++ 458 22 Mar 2005 14:50:10 -0000 1.3
@@ -92,7 +92,7 @@
waiting for writing process
end of filtering transport writing: yield=0
errno=-24 more_errno=127
-appendfile yields 9 with errno=-24 more_errno=127
+appendfile yields 10 with errno=-24 more_errno=127
t1 transport returned PANIC for ph10@???
LOG: MAIN PANIC
== ph10@??? R=r1 T=t1 defer (-24): transport filter process failed (127) while writing to /source/exim4/AutoTest/test-mail/ph10: unable to execute command
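Review bot: this expected-output change is unrelated to the LDAP password work and nothing in the log message or the ChangeLog hunk explains why appendfile's yield moved from 9 to 10; the only source file touched in this commit is deliver.c, and its hunk does not alter that return value. Suggest either stating the reason in the commit message or committing this stderr update alongside the change that actually altered the yield, so the test history stays traceable.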