[exim-cvs] DKIM: ensure that dkim_domain elements are lowerc…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] DKIM: ensure that dkim_domain elements are lowercased before use. Bug 2371
Gitweb: https://git.exim.org/exim.git/commitdiff/fe12ec888ef7b81ee0f5874ca6201ba11b0e9b19
Commit:     fe12ec888ef7b81ee0f5874ca6201ba11b0e9b19
Parent:     7ab90dd415eac327c57c5ba755b2005a8c0b946f
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Feb 5 23:19:00 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Feb 11 00:17:22 2019 +0000


    DKIM: ensure that dkim_domain elements are lowercased before use.  Bug 2371


    (cherry picked from commit f3c73adaa541ae54092467a29668ac32894ef1dc)
---
 doc/doc-docbook/spec.xfpt | 16 ++++++++++++++--
 doc/doc-txt/ChangeLog     |  2 ++
 src/src/dkim.c            |  1 +
 3 files changed, 17 insertions(+), 2 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 08a0a97..415c727 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39534,7 +39534,7 @@ senders).
.cindex "DKIM" "signing"

For signing to be usable you must have published a DKIM record in DNS.
-Note that RFC 8301 says:
+Note that RFC 8301 (which does not cover EC keys) says:
.code
rsa-sha1 MUST NOT be used for signing or verifying.

@@ -39554,7 +39554,11 @@ These options take (expandable) strings as arguments.
.option dkim_domain smtp string list&!! unset
The domain(s) you want to sign with.
After expansion, this can be a list.
-Each element in turn is put into the &%$dkim_domain%& expansion variable
+Each element in turn,
+.new
+lowercased,
+.wen
+is put into the &%$dkim_domain%& expansion variable
while expanding the remaining signing options.
If it is empty after expansion, DKIM signing is not done,
and no error will result even if &%dkim_strict%& is set.
@@ -39755,6 +39759,14 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers
If a domain or identity is listed several times in the (expanded) value of
&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.

+.new
+Note that if the option is set using untrustworthy data
+(such as the From: header)
+care should be taken to force lowercase for domains
+and for the domain part if identities.
+The default setting can be regarded as trustworthy in this respect.
+.wen
+
If multiple signatures match a domain (or identity), the ACL is called once
for each matching signature.

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index bc739ae..9313c7b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,8 @@ JH/03 Debug output for ACL now gives the config file name and line number for

JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.

+JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
+

Exim version 4.92
-----------------
diff --git a/src/src/dkim.c b/src/src/dkim.c
index a0becd4..96d7eba 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -620,6 +620,7 @@ if (dkim_domain)
/* Only sign once for each domain, no matter how often it
appears in the expanded list. */

+  dkim_signing_domain = string_copylc(dkim_signing_domain);
   if (match_isinlist(dkim_signing_domain, CUSS &seen_doms,
       0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK)
     continue;