Gitweb:
https://git.exim.org/exim.git/commitdiff/85defcf0e9e4187107b8a1a5138ef9590ac3892c
Commit: 85defcf0e9e4187107b8a1a5138ef9590ac3892c
Parent: 97e939dfe2ea44a6e243ff6f489790ccd94f39ee
Author: Phil Pennock <pdp@???>
AuthorDate: Tue May 15 19:04:34 2018 -0400
Committer: Phil Pennock <pdp@???>
CommitDate: Tue May 15 19:04:34 2018 -0400
Don't open spool data-files which are symlinks
---
doc/doc-txt/ChangeLog | 3 +++
src/src/spool_in.c | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d9b7780..d99b268 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -29,6 +29,9 @@ JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage
add more error-checking on spoolfile handling while that code is being
messed with.
+PP/01 Refuse to open a spool data file (*-D) if it's a symlink.
+ No known attacks, no CVE, this is defensive hardening.
+
Exim version 4.91
-----------------
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 33890c5..cd74d1e 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -57,10 +57,18 @@ for (i = 0; i < 2; i++)
fname = spool_fname(US"input", message_subdir, id, US"-D");
DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
+ /* We protect against symlink attacks both in not propagating the
+ * file-descriptor to other processes as we exec, and also ensuring that we
+ * don't even open symlinks.
+ * No -D file inside the spool area should be a symlink.
+ */
if ((fd = Uopen(fname,
#ifdef O_CLOEXEC
O_CLOEXEC |
#endif
+#ifdef O_NOFOLLOW
+ O_NOFOLLOW |
+#endif
O_RDWR | O_APPEND, 0)) >= 0)
break;
save_errno = errno;
