[exim-dev] [Bug 2111] New: malware ACL: scanner "sock" doesn…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: admin
Datum:  
To: exim-dev
Betreff: [exim-dev] [Bug 2111] New: malware ACL: scanner "sock" doesn't handle whitespace in command line format
https://bugs.exim.org/show_bug.cgi?id=2111

            Bug ID: 2111
           Summary: malware ACL: scanner "sock" doesn't handle whitespace
                    in command line format
           Product: Exim
           Version: 4.89
          Hardware: All
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: reed.meyer@???
                CC: exim-dev@???


Hi there :)

We wrote software that communicates with exim via a socket, using the generic
"sock" scanner. As stated in Chapter 44 of the exim documentation,

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html
,

the "sock" configuration takes four options, the second of which is "a
commandline to send (may include a single %s which will be replaced with the
path to the mail file to be scanned)", and which defaults to "%s\n". The
command line format is similar to C "printf"-style formatting, as is clear from
the exim source code.

Unfortunately, as we discovered in testing, whitespace characters can't be used
in this command line string. The relevant code is around line 1704 in
malware.c ( https://github.com/Exim/exim/blob/master/src/src/malware.c ). The
code calls string_nextinlist(), which is at lines 874-970 in string.c (
https://github.com/Exim/exim/blob/master/src/src/string.c ), to fetch the
command line string. Near the end of string_nextinlist(), whitespace
characters are stripped off the end of the string; note the call to isspace()
in line 962 of string.c:

       while (ptr > 0 && isspace(buffer[ptr-1])) ptr--;  .


This actually defeats the command line string that the exim documentation
considers the default, namely "%s\n"; the "\n" is stripped off and is therefore
never transmitted over the socket.

Furthermore, one cannot simply specify an empty command line string, and hope
that exim will replace it with the default, "%s\n", because of the behavior of
string_nextinlist(). When the input is an empty string, string_nextinlist()
returns US"", which is a non-null string; but the code in malware.c (line 1704)
only uses the default string "%s\n" when string_nextinlist() returns a null
string.

--
You are receiving this mail because:
You are on the CC list for the bug.