[exim-cvs] Relax rules on verb use in QUIT/not-QUIT ACLs. Bu…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Relax rules on verb use in QUIT/not-QUIT ACLs. Bug 608
Gitweb: http://git.exim.org/exim.git/commitdiff/82c0c8ea2f3fe5524740c4b46bd9dc907b9d555d
Commit:     82c0c8ea2f3fe5524740c4b46bd9dc907b9d555d
Parent:     ac9a0d9193d7d7ccd27aa8ebf31eb484182c3db4
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Feb 21 23:51:57 2015 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Feb 22 00:01:35 2015 +0000


    Relax rules on verb use in QUIT/not-QUIT ACLs.  Bug 608
---
 doc/doc-docbook/spec.xfpt |    4 ++--
 doc/doc-txt/ChangeLog     |    5 ++++-
 src/src/acl.c             |   21 ++++++++++++---------
 test/confs/0502           |    6 ++++++
 test/log/0502             |    2 +-
 test/paniclog/0502        |    2 +-
 test/stderr/0502          |    2 +-
 test/stdout/0502          |    2 +-
 8 files changed, 28 insertions(+), 16 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index af000dc..a647066 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27105,8 +27105,8 @@ the feature was not requested by the client.
.cindex "QUIT, ACL for"
The ACL for the SMTP QUIT command is anomalous, in that the outcome of the ACL
does not affect the response code to QUIT, which is always 221. Thus, the ACL
-does not in fact control any access. For this reason, the only verbs that are
-permitted are &%accept%& and &%warn%&.
+does not in fact control any access. For this reason, it may only accept
+or warn as its final result.

 This ACL can be used for tasks such as custom logging at the end of an SMTP
 session. For example, you can use ACL variables in other ACLs to count
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c9e3573..b027a66 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -70,11 +70,14 @@ JH/18 Bug 1581: Router and transport options headers_add/remove can
 JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
       option values. 


-JH/20 BUG 1571: Ensure that $tls_in_peerdn is set, when verification fails
+JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
       under OpenSSL.


JH/21 Support for the A6 type of dns record is withdrawn.

+JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
+      rather than the verbs used.
+



 Exim version 4.85
diff --git a/src/src/acl.c b/src/src/acl.c
index 18119ec..ea078f6 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -4077,19 +4077,12 @@ while (acl != NULL)
   int cond;
   int basic_errno = 0;
   BOOL endpass_seen = FALSE;
+  BOOL acl_quit_check = level == 0
+    && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);


*log_msgptr = *user_msgptr = NULL;
acl_temp_details = FALSE;

-  if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
-      acl->verb != ACL_ACCEPT &&
-      acl->verb != ACL_WARN)
-    {
-    *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
-      verbs[acl->verb]);
-    return ERROR;
-    }
-
   HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);


   /* Clear out any search error message from a previous check before testing
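Review bot: `acl_quit_check` is declared inside the `while (acl != NULL)` body, so it is recomputed for every ACL statement even though the visible lines never reassign `level` or `where`, and nothing records why only `level == 0` is restricted. If both are loop-invariant, declare it once above the loop as `const BOOL acl_quit_check = (level == 0) && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);`. A comment such as `/* Only the final result of a top-level QUIT/not-QUIT ACL is restricted; nested ACLs may use any verb */` would preserve the intent that the removed per-verb test made obvious. The loop header and the start of the function are outside this hunk, so the placement needs checking against the full source.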
@@ -4170,6 +4163,7 @@ while (acl != NULL)
     if (cond == OK)
       {
       HDEBUG(D_acl) debug_printf("end of %s: DEFER\n", acl_name);
+      if (acl_quit_check) goto badquit;
       acl_temp_details = TRUE;
       return DEFER;
       }
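Review bot: When `acl_quit_check` is true, the debug line directly above the new `goto badquit` still prints `end of %s: DEFER`, but the function then returns ERROR, so the debug trace names a result that is never delivered. The same ordering appears at the DENY, DISCARD, DROP and "not OK" sites in the following hunks. Either test the flag before the `debug_printf`, or emit a matching line under the label, for example `HDEBUG(D_acl) debug_printf("end of %s: ERROR (bad QUIT/not-QUIT result)\n", acl_name);`. The enclosing switch starts and ends outside these hunks.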
@@ -4179,6 +4173,7 @@ while (acl != NULL)
     if (cond == OK)
       {
       HDEBUG(D_acl) debug_printf("end of %s: DENY\n", acl_name);
+      if (acl_quit_check) goto badquit;
       return FAIL;
       }
     break;
@@ -4187,6 +4182,7 @@ while (acl != NULL)
     if (cond == OK || cond == DISCARD)
       {
       HDEBUG(D_acl) debug_printf("end of %s: DISCARD\n", acl_name);
+      if (acl_quit_check) goto badquit;
       return DISCARD;
       }
     if (endpass_seen)
@@ -4200,6 +4196,7 @@ while (acl != NULL)
     if (cond == OK)
       {
       HDEBUG(D_acl) debug_printf("end of %s: DROP\n", acl_name);
+      if (acl_quit_check) goto badquit;
       return FAIL_DROP;
       }
     break;
@@ -4208,6 +4205,7 @@ while (acl != NULL)
     if (cond != OK)
       {
       HDEBUG(D_acl) debug_printf("end of %s: not OK\n", acl_name);
+      if (acl_quit_check) goto badquit;
       return cond;
       }
     break;
@@ -4238,6 +4236,11 @@ while (acl != NULL)


 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
 return FAIL;
+
+badquit:
+  *log_msgptr = string_sprintf("QUIT or not-QUIT teplevel ACL may not fail "
+    "('%s' verb used incorrectly)", verbs[acl->verb]);
+  return ERROR;
 }
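Review bot: The new log string misspells "toplevel" as `teplevel`; it should read `"QUIT or not-QUIT toplevel ACL may not fail "`. The expected outputs in test/log/0502, test/paniclog/0502 and test/stderr/0502 carry the same misspelling and would need regenerating. Separately, the `implicit DENY` path just above still returns FAIL for a top-level QUIT ACL without passing through `badquit`, which seems at odds with the documented "may only accept or warn as its final result". That path cannot simply jump to the label, because `verbs[acl->verb]` would dereference `acl` after the loop has ended with `acl == NULL`; it needs its own message if it is meant to be covered.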



diff --git a/test/confs/0502 b/test/confs/0502
index aab2ada..cf3ceb7 100644
--- a/test/confs/0502
+++ b/test/confs/0502
@@ -33,11 +33,17 @@ check_mail:
warn set acl_c1 = ${eval:$acl_c1+1}
accept

+q_sub:
+  deny
+
 check_quit:
   warn     logwrite = Messages received: $acl_c1
            logwrite = Messages accepted: $acl_c0
            logwrite = Recipients:        $acl_c2
            logwrite = Accepted:          $acl_c3
+
+  require  !acl = q_sub
+
   LAST


 check_rcpt:
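Review bot: The added case covers only a nested `deny` reached through `require !acl = q_sub`, so the test changes shown here leave the other four guarded returns in acl.c (defer, discard, drop and a failing top-level `require`) without a case, and no not-QUIT ACL is exercised. Since the commit moves the restriction from the verb to the final result, a top-level `require` that fails and a nested `drop` or `defer` that is tolerated would each pin one side of the new rule. A short comment above `q_sub:` stating that it exists to prove nested failing verbs are now permitted would also help the next reader of this config.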
diff --git a/test/log/0502 b/test/log/0502
index d55bd6e..37d82e4 100644
--- a/test/log/0502
+++ b/test/log/0502
@@ -8,7 +8,7 @@
 1999-03-02 09:44:33 Messages accepted: 
 1999-03-02 09:44:33 Recipients:        
 1999-03-02 09:44:33 Accepted:          
-1999-03-02 09:44:33 ACL for QUIT returned ERROR: "deny" is not allowed in a QUIT or not-QUIT ACL
+1999-03-02 09:44:33 ACL for QUIT returned ERROR: QUIT or not-QUIT teplevel ACL may not fail ('deny' verb used incorrectly)
 1999-03-02 09:44:33 Messages received: 1
 1999-03-02 09:44:33 Messages accepted: 
 1999-03-02 09:44:33 Recipients:        
diff --git a/test/paniclog/0502 b/test/paniclog/0502
index 8ab24fb..71afc02 100644
--- a/test/paniclog/0502
+++ b/test/paniclog/0502
@@ -1 +1 @@
-1999-03-02 09:44:33 ACL for QUIT returned ERROR: "deny" is not allowed in a QUIT or not-QUIT ACL
+1999-03-02 09:44:33 ACL for QUIT returned ERROR: QUIT or not-QUIT teplevel ACL may not fail ('deny' verb used incorrectly)
diff --git a/test/stderr/0502 b/test/stderr/0502
index 8ab24fb..71afc02 100644
--- a/test/stderr/0502
+++ b/test/stderr/0502
@@ -1 +1 @@
-1999-03-02 09:44:33 ACL for QUIT returned ERROR: "deny" is not allowed in a QUIT or not-QUIT ACL
+1999-03-02 09:44:33 ACL for QUIT returned ERROR: QUIT or not-QUIT teplevel ACL may not fail ('deny' verb used incorrectly)
diff --git a/test/stdout/0502 b/test/stdout/0502
index 4b307e8..a0fbe6b 100644
--- a/test/stdout/0502
+++ b/test/stdout/0502
@@ -15,7 +15,7 @@
 250 OK id=10HmaY-0005vi-00
 221 Your message here
 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
-221 myhost.test.ex closing connection
+221 Your message here
 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
 250 OK
 221 myhost.test.ex closing connection