Gitweb:
https://git.exim.org/exim.git/commitdiff/481e63ca2bbd7b603e5bb84f6582ab4be5e3300d
Commit: 481e63ca2bbd7b603e5bb84f6582ab4be5e3300d
Parent: 79bc02a3499931de53f5e9ea74795d691b3a9569
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Jan 11 21:50:58 2020 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sat Jan 11 21:50:58 2020 +0000
autoreply transport: taint-enfoce options
---
doc/doc-txt/ChangeLog | 1 +
src/src/transports/autoreply.c | 50 ++++++++++++++++++++++++++++++++----------
test/confs/0243 | 2 +-
3 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 33381d5..368d37e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -90,6 +90,7 @@ JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
JH/20 Taint checking: disallow use of tainted data for
- the appendfile transport file and directory options
- the pipe transport command
+ - the autoreply transport file, log and once options
- file names used by the redirect router (including filter files)
Previously this was permitted.
diff --git a/src/src/transports/autoreply.c b/src/src/transports/autoreply.c
index 68f8d1f..666591b 100644
--- a/src/src/transports/autoreply.c
+++ b/src/src/transports/autoreply.c
@@ -156,7 +156,7 @@ checkexpand(uschar *s, address_item *addr, uschar *name, int type)
{
uschar *ss = expand_string(s);
-if (ss == NULL)
+if (!ss)
{
addr->transport_return = FAIL;
addr->message = string_sprintf("Expansion of \"%s\" failed in %s transport: "
@@ -307,7 +307,7 @@ from that block. It has typically been set up by a mail filter processing
router. Otherwise, the data must be supplied by this transport, and
it has to be expanded here. */
-if (addr->reply != NULL)
+if (addr->reply)
{
DEBUG(D_transport) debug_printf("taking data from address\n");
from = addr->reply->from;
@@ -418,18 +418,27 @@ recipient, the effect might not be quite as envisaged. If once_file_size is
set, instead of a dbm file, we use a regular file containing a circular buffer
recipient cache. */
-if (oncelog && *oncelog != 0 && to)
+if (oncelog && *oncelog && to)
{
time_t then = 0;
+ if (is_tainted(oncelog))
+ {
+ addr->transport_return = DEFER;
+ addr->basic_errno = EACCES;
+ addr->message = string_sprintf("Tainted '%s' (once file for %s transport)"
+ " not permitted", oncelog, tblock->name);
+ goto END_OFF;
+ }
+
/* Handle fixed-size cache file. */
if (ob->once_file_size > 0)
{
uschar * nextp;
struct stat statbuf;
- cache_fd = Uopen(oncelog, O_CREAT|O_RDWR, ob->mode);
+ cache_fd = Uopen(oncelog, O_CREAT|O_RDWR, ob->mode);
if (cache_fd < 0 || fstat(cache_fd, &statbuf) != 0)
{
addr->transport_return = DEFER;
@@ -523,6 +532,15 @@ if (oncelog && *oncelog != 0 && to)
if (then != 0 && (once_repeat_sec <= 0 || now - then < once_repeat_sec))
{
int log_fd;
+ if (is_tainted(logfile))
+ {
+ addr->transport_return = DEFER;
+ addr->basic_errno = EACCES;
+ addr->message = string_sprintf("Tainted '%s' (logfile for %s transport)"
+ " not permitted", logfile, tblock->name);
+ goto END_OFF;
+ }
+
DEBUG(D_transport) debug_printf("message previously sent to %s%s\n", to,
(once_repeat_sec > 0)? " and repeat time not reached" : "");
log_fd = logfile ? Uopen(logfile, O_WRONLY|O_APPEND|O_CREAT, ob->mode) : -1;
@@ -544,14 +562,24 @@ if (oncelog && *oncelog != 0 && to)
}
/* We are going to send a message. Ensure any requested file is available. */
-
-if (file && !(ff = Ufopen(file, "rb")) && !ob->file_optional)
+if (file)
{
- addr->transport_return = DEFER;
- addr->basic_errno = errno;
- addr->message = string_sprintf("Failed to open file %s when sending "
- "message from %s transport: %s", file, tblock->name, strerror(errno));
- return FALSE;
+ if (is_tainted(file))
+ {
+ addr->transport_return = DEFER;
+ addr->basic_errno = EACCES;
+ addr->message = string_sprintf("Tainted '%s' (file for %s transport)"
+ " not permitted", file, tblock->name);
+ return FALSE;
+ }
+ if (!(ff = Ufopen(file, "rb")) && !ob->file_optional)
+ {
+ addr->transport_return = DEFER;
+ addr->basic_errno = errno;
+ addr->message = string_sprintf("Failed to open file %s when sending "
+ "message from %s transport: %s", file, tblock->name, strerror(errno));
+ return FALSE;
+ }
}
/* Make a subprocess to send the message */
diff --git a/test/confs/0243 b/test/confs/0243
index 5a2f501..d5e989c 100644
--- a/test/confs/0243
+++ b/test/confs/0243
@@ -71,7 +71,7 @@ address_pipe:
stuur_auto_antwoord:
driver = autoreply
- file = DIR/aux-fixed/TESTNUM.antwoord-${local_part}
+ file = DIR/aux-fixed/TESTNUM.antwoord-${bless:$local_part}
file_expand
from = "${lookup{$local_part} lsearch \
{DIR/aux-fixed/TESTNUM.beantwoorders} {$value}}"