[exim-cvs] Dsearch: Fix taint-handling in lookup. Bug 2465

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] Dsearch: Fix taint-handling in lookup. Bug 2465
Gitweb: https://git.exim.org/exim.git/commitdiff/218c95cc2e45de929d92c508bc9a95292c3a4ece
Commit:     218c95cc2e45de929d92c508bc9a95292c3a4ece
Parent:     f0fe22cbc29ee4f887aa254f2590a9e72401e237
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Nov 7 17:32:49 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Nov 8 23:06:35 2019 +0000


    Dsearch: Fix taint-handling in lookup.  Bug 2465


    (cherry picked from commit 13e70f5530fc3fd376e1397c76e073a339e738aa)
---
 doc/doc-txt/ChangeLog     |  4 ++++
 src/src/lookups/dsearch.c | 13 ++++---------
 src/src/string.c          |  2 +-
 3 files changed, 9 insertions(+), 10 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f10e45c..e9a614c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -212,6 +212,10 @@ JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
       function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
       3.6.0, DH parameters are negotiated following RFC7919."


+JH/43 Bug 2465: Fix taint-handling in dsearch lookup.  Previously a nontainted
+      buffer was used for the filename, resulting in a trap when tainted
+      arguments (eg. $domain) were used.
+


Exim version 4.92
-----------------
diff --git a/src/src/lookups/dsearch.c b/src/src/lookups/dsearch.c
index 9f7dd8d..c27f5d6 100644
--- a/src/src/lookups/dsearch.c
+++ b/src/src/lookups/dsearch.c
@@ -65,13 +65,13 @@ return lf_check_file(-1, filename, S_IFDIR, modemask, owners, owngroups,
scanning the directory, as it is hopefully faster to let the OS do the scanning
for us. */

-int
-static dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
+static int
+dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
uschar **result, uschar **errmsg, uint *do_cache)
{
struct stat statbuf;
int save_errno;
-uschar filename[PATH_MAX];
+uschar * filename;

handle = handle; /* Keep picky compilers happy */
length = length;
@@ -84,12 +84,7 @@ if (Ustrchr(keystring, '/') != 0)
return DEFER;
}

-if (!string_format(filename, sizeof(filename), "%s/%s", dirname, keystring))
- {
- *errmsg = US"path name too long";
- return DEFER;
- }
-
+filename = string_sprintf("%s/%s", dirname, keystring);
if (Ulstat(filename, &statbuf) >= 0)
{
*result = string_copy(keystring);
diff --git a/src/src/string.c b/src/src/string.c
index ced1ad8..007ec87 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -664,7 +664,7 @@ return yield;
*************************************************/

/* The formatting is done by string_vformat, which checks the length of
-everything.
+everything. Taint is taken from the worst of the arguments.

 Arguments:
   format    a printf() format - deliberately char * rather than uschar *