[exim-cvs] Dsearch: Fix taint-handling in lookup. Bug 2465

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Dsearch: Fix taint-handling in lookup. Bug 2465
Gitweb: https://git.exim.org/exim.git/commitdiff/13e70f5530fc3fd376e1397c76e073a339e738aa
Commit:     13e70f5530fc3fd376e1397c76e073a339e738aa
Parent:     c895de68398ece932fb371f527e24ce233f6ac7b
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Nov 7 17:32:49 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Nov 7 17:32:49 2019 +0000


    Dsearch: Fix taint-handling in lookup.  Bug 2465
---
 doc/doc-txt/ChangeLog     |  4 ++++
 src/src/lookups/dsearch.c | 13 ++++---------
 src/src/string.c          |  2 +-
 3 files changed, 9 insertions(+), 10 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9be52ce..ac7f335 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -196,6 +196,10 @@ JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected.  Previously we
       carried on and emitted a BDAT command, even when PIPELINING was not
       active.


+JH/43 Bug 2465: Fix taint-handling in dsearch lookup.  Previously a nontainted
+      buffer was used for the filename, resulting in a trap when tainted
+      arguments (eg. $domain) were used.
+


Exim version 4.92
-----------------
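Review bot: the new JH/43 entry describes the symptom (a trap when tainted arguments such as $domain are used) but not the user-visible side effect of the fix: the fixed-size PATH_MAX buffer and its "path name too long" DEFER go away with it, so overlong paths now fail at the lstat() call rather than being rejected up front. One clause noting that would help anyone reading the ChangeLog for behaviour changes. Minor: `eg.` reads better as `e.g.`.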
diff --git a/src/src/lookups/dsearch.c b/src/src/lookups/dsearch.c
index 9f7dd8d..c27f5d6 100644
--- a/src/src/lookups/dsearch.c
+++ b/src/src/lookups/dsearch.c
@@ -65,13 +65,13 @@ return lf_check_file(-1, filename, S_IFDIR, modemask, owners, owngroups,
scanning the directory, as it is hopefully faster to let the OS do the scanning
for us. */

-int
-static dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
+static int
+dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
uschar **result, uschar **errmsg, uint *do_cache)
{
struct stat statbuf;
int save_errno;
-uschar filename[PATH_MAX];
+uschar * filename;

handle = handle; /* Keep picky compilers happy */
length = length;
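Review bot: the `int static` to `static int` reorder on the dsearch_find definition is a fix in its own right (the storage-class specifier belongs first) but is unrelated to the taint bug in the subject line; it would bisect more cleanly as its own commit. With `uschar * filename` replacing the PATH_MAX stack buffer, the function now holds a store-allocated string that it never releases; that is fine if the lookup runs inside a store pool that is reset afterwards, but a short comment beside the declaration saying so would save the next reader the question.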
@@ -84,12 +84,7 @@ if (Ustrchr(keystring, '/') != 0)
return DEFER;
}

-if (!string_format(filename, sizeof(filename), "%s/%s", dirname, keystring))
- {
- *errmsg = US"path name too long";
- return DEFER;
- }
-
+filename = string_sprintf("%s/%s", dirname, keystring);
if (Ulstat(filename, &statbuf) >= 0)
{
*result = string_copy(keystring);
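Review bot: replacing string_format() with string_sprintf() fixes the taint trap, but it also silently drops the "path name too long" DEFER: an overlong dirname/keystring combination now reaches Ulstat() and surfaces as ENAMETOOLONG from the filesystem instead of being caught here. Check that the not-found branch after `if (Ulstat(filename, &statbuf) >= 0)` maps that errno (kept in save_errno) to DEFER rather than treating it as a plain miss, or record the behaviour change in the ChangeLog entry. The `Ustrchr(keystring, '/')` check above this hunk remains the only guard confining the key to a single path component, which matters more now that the path length is unbounded, so it is worth a comment stating that intent.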
diff --git a/src/src/string.c b/src/src/string.c
index ced1ad8..007ec87 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -664,7 +664,7 @@ return yield;
*************************************************/

/* The formatting is done by string_vformat, which checks the length of
-everything.
+everything. Taint is taken from the worst of the arguments.

 Arguments:
   format    a printf() format - deliberately char * rather than uschar *
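Review bot: "Taint is taken from the worst of the arguments" is ambiguous for a reader who does not already know the taint model; spell it out, for example "the result is tainted if any argument is tainted", and say whether the format string itself is included. Since this hunk changes only the comment, the propagation itself must live in string_vformat, which the preceding sentence already names; a pointer to where that check happens would make the documented contract easy to verify.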