Gitweb:
https://git.exim.org/exim.git/commitdiff/218c95cc2e45de929d92c508bc9a95292c3a4ece
Commit: 218c95cc2e45de929d92c508bc9a95292c3a4ece
Parent: f0fe22cbc29ee4f887aa254f2590a9e72401e237
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Nov 7 17:32:49 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Fri Nov 8 23:06:35 2019 +0000
Dsearch: Fix taint-handling in lookup. Bug 2465
(cherry picked from commit 13e70f5530fc3fd376e1397c76e073a339e738aa)
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/lookups/dsearch.c | 13 ++++---------
src/src/string.c | 2 +-
3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f10e45c..e9a614c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -212,6 +212,10 @@ JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
+JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
+ buffer was used for the filename, resulting in a trap when tainted
+ arguments (eg. $domain) were used.
+
Exim version 4.92
-----------------
diff --git a/src/src/lookups/dsearch.c b/src/src/lookups/dsearch.c
index 9f7dd8d..c27f5d6 100644
--- a/src/src/lookups/dsearch.c
+++ b/src/src/lookups/dsearch.c
@@ -65,13 +65,13 @@ return lf_check_file(-1, filename, S_IFDIR, modemask, owners, owngroups,
scanning the directory, as it is hopefully faster to let the OS do the scanning
for us. */
-int
-static dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
+static int
+dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
uschar **result, uschar **errmsg, uint *do_cache)
{
struct stat statbuf;
int save_errno;
-uschar filename[PATH_MAX];
+uschar * filename;
handle = handle; /* Keep picky compilers happy */
length = length;
@@ -84,12 +84,7 @@ if (Ustrchr(keystring, '/') != 0)
return DEFER;
}
-if (!string_format(filename, sizeof(filename), "%s/%s", dirname, keystring))
- {
- *errmsg = US"path name too long";
- return DEFER;
- }
-
+filename = string_sprintf("%s/%s", dirname, keystring);
if (Ulstat(filename, &statbuf) >= 0)
{
*result = string_copy(keystring);
diff --git a/src/src/string.c b/src/src/string.c
index ced1ad8..007ec87 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -664,7 +664,7 @@ return yield;
*************************************************/
/* The formatting is done by string_vformat, which checks the length of
-everything.
+everything. Taint is taken from the worst of the arguments.
Arguments:
format a printf() format - deliberately char * rather than uschar *
