[exim-cvs] Make {bounce,warn}_message_file expanded. Bug 25…

Author: Exim Git Commits Mailing List
Date:
To: exim-cvs
Subject: [exim-cvs] Make {bounce,warn}_message_file expanded. Bug 2522
Gitweb: https://git.exim.org/exim.git/commitdiff/40bffa31bd7057a0e88e29bb76fa63382d4aa1bc
Commit:     40bffa31bd7057a0e88e29bb76fa63382d4aa1bc
Parent:     6f585046cf0b00509f0ff7c8f8a48b9cf7c2ab75
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon May 4 16:10:57 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon May 4 16:10:57 2020 +0100


    Make {bounce,warn}_message_file expanded.  Bug 2522
---
 doc/doc-docbook/spec.xfpt     |  20 ++-
 doc/doc-txt/NewStuff          |   2 +
 doc/doc-txt/OptionLists.txt   |   4 +-
 src/src/deliver.c             |  38 +++--
 test/log/0622                 |  92 ++++++++----
 test/mail/0622.bounce_message | 320 ++++++++++++++++++++++++++++++++++++++----
 test/paniclog/0622            |   8 +-
 test/scripts/0000-Basic/0622  |  25 +++-
 test/stderr/0622              |   8 +-
 9 files changed, 437 insertions(+), 80 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index edd7451..828b757 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15015,12 +15015,18 @@ just the command name, it is not a complete command line. If an argument is
required, it must come from the &%-oA%& command line option.


-.option bounce_message_file main string unset
+.option bounce_message_file main string&!! unset
.cindex "bounce message" "customizing"
.cindex "customizing" "bounce message"
This option defines a template file containing paragraphs of text to be used
for constructing bounce messages. Details of the file's contents are given in
-chapter &<<CHAPemsgcust>>&. See also &%warn_message_file%&.
+chapter &<<CHAPemsgcust>>&.
+.new
+.cindex bounce_message_file "tainted data"
+The option is expanded to give the file path, which must be
+absolute and untainted.
+.wen
+See also &%warn_message_file%&.


.option bounce_message_text main string unset
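Review bot: The new paragraph under bounce_message_file says the expanded path "must be absolute and untainted" but not what happens when it is not. Going by expand_open() in deliver.c and the expected output for tests 1.4 to 1.6, a failed or empty expansion, a relative path or a tainted result is written to the main and panic logs and the default bounce text is sent. A sentence stating that, repeated under warn_message_file, would save the administrator from finding it out from paniclog.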
@@ -18366,14 +18372,20 @@ regular expression by a parenthesized subpattern. The default value for
See &%uucp_from_pattern%& above.


-.option warn_message_file main string unset
+.option warn_message_file main string&!! unset
.cindex "warning of delay" "customizing the message"
.cindex "customizing" "warning message"
This option defines a template file containing paragraphs of text to be used
for constructing the warning message which is sent by Exim when a message has
been in the queue for a specified amount of time, as specified by
&%delay_warning%&. Details of the file's contents are given in chapter
-&<<CHAPemsgcust>>&. See also &%bounce_message_file%&.
+&<<CHAPemsgcust>>&.
+.new
+.cindex warn_message_file "tainted data"
+The option is expanded to give the file path, which must be
+absolute and untainted.
+.wen
+See also &%bounce_message_file%&.


.option write_rejectlog main boolean true
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index b798021..6676e0b 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -61,6 +61,8 @@ Version 4.94

18. dkim_verify_min_keysizes, a list of minimum acceptable public-key sizes.

+19. bounce_message_file and warn_message_file are now expanded before use.
+


 Version 4.93
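Review bot: Entry 19 records only that the options are now expanded and omits the new requirement that the result be absolute and untainted. That matters for upgrades: the old code handed the option string directly to Ufopen(), so a relative path that used to be passed through is now rejected, and a literal "$" in a configured path is now interpreted by the expander. Suggest extending the entry to mention both.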
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index ce0c901..f15ccd5 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -98,7 +98,7 @@ batch_max                            integer         100           appendfile
 bcc                                  string*         unset         autoreply
 bi_command                           string          unset         main
 body_only                            boolean         false         transports        2.05
-bounce_message_file                  string          unset         main              4.00
+bounce_message_file                  string*         unset         main              4.00 expanded from 4.94
 bounce_message_text                  string          unset         main              4.00
 bounce_return_body                   boolean         true          main              4.23
 bounce_return_message                boolean         true          main              4.00
@@ -640,7 +640,7 @@ verify                               boolean         true          routers
 verify_only                          boolean         false         routers           4.00
 verify_recipient                     boolean         true          routers           4.00
 verify_sender                        boolean         true          routers           4.00
-warn_message_file                    string          unset         main              4.00
+warn_message_file                    string*         unset         main              4.00 expanded from 4.94
 widen_domains                        string list     unset         dnslookup         4.00
 write_rejectlog                      boolean         true          main              4.31


diff --git a/src/src/deliver.c b/src/src/deliver.c
index c8d7e83..c6e9aa6 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -5500,6 +5500,28 @@ if ( f.running_in_test_harness && *fudged_queue_times
return actual_time;
}

+/************************************************/
+
+static FILE *
+expand_open(const uschar * filename,
+  const uschar * varname, const uschar * reason)
+{
+const uschar * s = expand_cstring(filename);
+FILE * fp = NULL;
+
+if (!s || !*s)
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "Failed to expand %s: '%s'\n", varname, filename);
+else if (*s != '/' || is_tainted(s))
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "%s is not %s after expansion: '%s'\n",
+    varname, *s == '/' ? "untainted" : "absolute", s);
+else if (!(fp = Ufopen(s, "rb")))
+  log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for %s "
+    "message texts: %s", s, reason, strerror(errno));
+return fp;
+}
+
 /*************************************************
 *              Deliver one message               *
 *************************************************/
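Review bot: The first two log_write() format strings in expand_open() end in "\n" ("Failed to expand %s: '%s'\n" and "%s is not %s after expansion: '%s'\n") while the third does not, and the expected output in test/log/0622, test/paniclog/0622 and test/stderr/0622 now carries a blank line after each of those two messages. Dropping the trailing "\n" would keep each entry on one line. Separately, the `!s || !*s` branch reports an expansion that succeeded but produced an empty string (test 1.5, '$acl_m_unset') as "Failed to expand"; distinguishing the two cases would make the panic-log entry more useful. The helper also has only a bare banner above it; a one-line comment that it returns NULL on any failure, with the failure already logged, would help callers.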
@@ -7620,9 +7642,8 @@ while (addr_failed)
       carry on - default texts will be used. */


       if (bounce_message_file)
-        if (!(emf = Ufopen(bounce_message_file, "rb")))
-          log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for error "
-            "message texts: %s", bounce_message_file, strerror(errno));
+    emf = expand_open(bounce_message_file,
+        US"bounce_message_file", US"error");


       /* Quietly copy to configured additional addresses if required. */


@@ -8192,16 +8213,15 @@ else if (addr_defer != (address_item *)(+1))

       if (pid > 0)
         {
-        uschar *wmf_text;
-        FILE *wmf = NULL;
-        FILE *f = fdopen(fd, "wb");
+        uschar * wmf_text;
+        FILE * wmf = NULL;
+        FILE * f = fdopen(fd, "wb");
     uschar * bound;
     transport_ctx tctx = {{0}};


         if (warn_message_file)
-          if (!(wmf = Ufopen(warn_message_file, "rb")))
-            log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for warning "
-              "message texts: %s", warn_message_file, strerror(errno));
+      wmf = expand_open(warn_message_file,
+          US"warn_message_file", US"warning");


         warnmsg_recipients = recipients;
         warnmsg_delay = queue_time < 120*60
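Review bot: The three declaration lines (`uschar * wmf_text;`, `FILE * wmf = NULL;`, `FILE * f = fdopen(fd, "wb");`) change only the spacing around `*` and are unrelated to the switch to expand_open(). Consider leaving them out, or moving them to a separate cleanup commit, so that the functional change in this hunk is the only thing a reader has to check.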
diff --git a/test/log/0622 b/test/log/0622
index 37a40dd..c5a9ef2 100644
--- a/test/log/0622
+++ b/test/log/0622
@@ -1,38 +1,74 @@
-2017-07-30 18:51:05.712 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for a@???
-2017-07-30 18:51:05.712 10HmaZ-0005vi-00 ** a@???: Unrouteable address
-2017-07-30 18:51:05.712 10HmbA-0005vi-00 <= <> R=10HmaZ-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
-2017-07-30 18:51:05.712 10HmbA-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
-2017-07-30 18:51:05.712 10HmbA-0005vi-00 Completed
-2017-07-30 18:51:05.712 10HmaZ-0005vi-00 Completed
-2017-07-30 18:51:05.712 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for b@???
-2017-07-30 18:51:05.712 10HmbB-0005vi-00 ** b@???: Unrouteable address
-2017-07-30 18:51:05.712 10HmbC-0005vi-00 <= <> R=10HmbB-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
-2017-07-30 18:51:05.712 10HmbC-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for a@???
+2017-07-30 18:51:05.712 10HmbC-0005vi-00 ** a@???: Unrouteable address
+2017-07-30 18:51:05.712 10HmbD-0005vi-00 <= <> R=10HmbC-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbD-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbD-0005vi-00 Completed
 2017-07-30 18:51:05.712 10HmbC-0005vi-00 Completed
-2017-07-30 18:51:05.712 10HmbB-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for b@???
+2017-07-30 18:51:05.712 10HmbE-0005vi-00 ** b@???: Unrouteable address
+2017-07-30 18:51:05.712 10HmbF-0005vi-00 <= <> R=10HmbE-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbF-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbF-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbE-0005vi-00 Completed
 2017-07-30 18:51:05.712 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for c@???
 2017-07-30 18:51:05.712 10HmaX-0005vi-00 ** c@???: Unrouteable address
 2017-07-30 18:51:05.712 10HmaX-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for error message texts: No such file or directory
-2017-07-30 18:51:05.712 10HmbD-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
-2017-07-30 18:51:05.712 10HmbD-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
-2017-07-30 18:51:05.712 10HmbD-0005vi-00 Completed
-2017-07-30 18:51:05.712 10HmaX-0005vi-00 Completed
-2017-07-30 18:51:05.712 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for delay_p@???
-2017-07-30 18:51:05.712 10HmbE-0005vi-00 == delay_p@??? R=delay defer (-1): deliberate for test purposes
-2017-07-30 18:51:05.712 10HmbF-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for delay_q@???
-2017-07-30 18:51:05.712 10HmbF-0005vi-00 == delay_q@??? R=delay defer (-1): deliberate for test purposes
-2017-07-30 18:51:05.712 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for delay_r@???
-2017-07-30 18:51:05.712 10HmaY-0005vi-00 == delay_r@??? R=delay defer (-1): deliberate for test purposes
-2017-07-30 18:51:05.712 10HmbE-0005vi-00 == delay_p@??? R=delay defer (-1): deliberate for test purposes
-2017-07-30 18:51:05.712 10HmbG-0005vi-00 <= <> R=10HmbE-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbG-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
 2017-07-30 18:51:05.712 10HmbG-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
 2017-07-30 18:51:05.712 10HmbG-0005vi-00 Completed
-2017-07-30 18:51:05.712 10HmbF-0005vi-00 == delay_q@??? R=delay defer (-1): deliberate for test purposes
-2017-07-30 18:51:05.712 10HmbH-0005vi-00 <= <> R=10HmbF-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmaX-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for d@???
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 ** d@???: Unrouteable address
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 bounce_message_file is not absolute after expansion: 'relative_file_path'
+
+2017-07-30 18:51:05.712 10HmbH-0005vi-00 <= <> R=10HmaY-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
 2017-07-30 18:51:05.712 10HmbH-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
 2017-07-30 18:51:05.712 10HmbH-0005vi-00 Completed
-2017-07-30 18:51:05.712 10HmaY-0005vi-00 == delay_r@??? R=delay defer (-1): deliberate for test purposes
-2017-07-30 18:51:05.712 10HmaY-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for warning message texts: No such file or directory
-2017-07-30 18:51:05.712 10HmbI-0005vi-00 <= <> R=10HmaY-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for e@???
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 ** e@???: Unrouteable address
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 Failed to expand bounce_message_file: '$acl_m_unset'
+
+2017-07-30 18:51:05.712 10HmbI-0005vi-00 <= <> R=10HmaZ-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
 2017-07-30 18:51:05.712 10HmbI-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
 2017-07-30 18:51:05.712 10HmbI-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for f@???
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 ** f@???: Unrouteable address
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 bounce_message_file is not untainted after expansion: 'TESTSUITE/aux-fixed/0622.CALLER@???'
+
+2017-07-30 18:51:05.712 10HmbJ-0005vi-00 <= <> R=10HmbA-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbJ-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbJ-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbK-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for g@???
+2017-07-30 18:51:05.712 10HmbK-0005vi-00 ** g@???: Unrouteable address
+2017-07-30 18:51:05.712 10HmbL-0005vi-00 <= <> R=10HmbK-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbL-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbL-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbK-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbM-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for delay_p@???
+2017-07-30 18:51:05.712 10HmbM-0005vi-00 == delay_p@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbN-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for delay_q@???
+2017-07-30 18:51:05.712 10HmbN-0005vi-00 == delay_q@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for delay_r@???
+2017-07-30 18:51:05.712 10HmbB-0005vi-00 == delay_r@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbO-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for delay_s@???
+2017-07-30 18:51:05.712 10HmbO-0005vi-00 == delay_s@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbM-0005vi-00 == delay_p@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbP-0005vi-00 <= <> R=10HmbM-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbP-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbP-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbN-0005vi-00 == delay_q@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbQ-0005vi-00 <= <> R=10HmbN-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbQ-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbQ-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbB-0005vi-00 == delay_r@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbB-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for warning message texts: No such file or directory
+2017-07-30 18:51:05.712 10HmbR-0005vi-00 <= <> R=10HmbB-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbR-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbR-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbO-0005vi-00 == delay_s@??? R=delay defer (-1): deliberate for test purposes
+2017-07-30 18:51:05.712 10HmbS-0005vi-00 <= <> R=10HmbO-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbS-0005vi-00 => CALLER <CALLER@???> R=bounces T=savebounce
+2017-07-30 18:51:05.712 10HmbS-0005vi-00 Completed
diff --git a/test/mail/0622.bounce_message b/test/mail/0622.bounce_message
index 9c1c5b3..ad949ce 100644
--- a/test/mail/0622.bounce_message
+++ b/test/mail/0622.bounce_message
@@ -1,16 +1,16 @@
 From MAILER-DAEMON Tue Mar 02 09:44:33 1999
 Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
-    id 10HmbA-0005vi-00
+    id 10HmbD-0005vi-00
     for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
 X-Failed-Recipients: a@???
 Auto-Submitted: auto-replied
 From: Mail Delivery System <Mailer-Daemon@???>
 To: CALLER@???
-References: <E10HmaZ-0005vi-00@???>
+References: <E10HmbC-0005vi-00@???>
 Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
 MIME-Version: 1.0
 Subject: Mail delivery failed: returning message to sender
-Message-Id: <E10HmbA-0005vi-00@???>
+Message-Id: <E10HmbD-0005vi-00@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


 --NNNNNNNNNN-eximdsn-MMMMMMMMMM
@@ -39,10 +39,10 @@ Content-type: message/rfc822
 Return-path: <CALLER@???>
 Received: from CALLER by myhost.test.ex with local (Exim x.yz)
     (envelope-from <CALLER@???>)
-    id 10HmaZ-0005vi-00
+    id 10HmbC-0005vi-00
     for a@???; Tue, 2 Mar 1999 09:44:33 +0000
 Subject: test 1.1 - Default deny message
-Message-Id: <E10HmaZ-0005vi-00@???>
+Message-Id: <E10HmbC-0005vi-00@???>
 From: CALLER_NAME <CALLER@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


@@ -51,17 +51,17 @@ Date: Tue, 2 Mar 1999 09:44:33 +0000

 From MAILER-DAEMON Tue Mar 02 09:44:33 1999
 Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
-    id 10HmbC-0005vi-00
+    id 10HmbF-0005vi-00
     for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
 X-Failed-Recipients: b@???
 Auto-Submitted: auto-replied
 From: Mail Delivery System <Mailer-Daemon@???>
 To: CALLER@???
-References: <E10HmbB-0005vi-00@???>
+References: <E10HmbE-0005vi-00@???>
 Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
 MIME-Version: 1.0
 Subject: this is a customised bounce message
-Message-Id: <E10HmbC-0005vi-00@???>
+Message-Id: <E10HmbF-0005vi-00@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


 --NNNNNNNNNN-eximdsn-MMMMMMMMMM
@@ -91,10 +91,10 @@ Content-type: message/rfc822
 Return-path: <CALLER@???>
 Received: from CALLER by myhost.test.ex with local (Exim x.yz)
     (envelope-from <CALLER@???>)
-    id 10HmbB-0005vi-00
+    id 10HmbE-0005vi-00
     for b@???; Tue, 2 Mar 1999 09:44:33 +0000
 Subject: test 1.2 - Specified deny message file
-Message-Id: <E10HmbB-0005vi-00@???>
+Message-Id: <E10HmbE-0005vi-00@???>
 From: CALLER_NAME <CALLER@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


@@ -103,7 +103,7 @@ Date: Tue, 2 Mar 1999 09:44:33 +0000

 From MAILER-DAEMON Tue Mar 02 09:44:33 1999
 Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
-    id 10HmbD-0005vi-00
+    id 10HmbG-0005vi-00
     for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
 X-Failed-Recipients: c@???
 Auto-Submitted: auto-replied
@@ -113,7 +113,7 @@ References: <E10HmaX-0005vi-00@???>
 Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
 MIME-Version: 1.0
 Subject: Mail delivery failed: returning message to sender
-Message-Id: <E10HmbD-0005vi-00@???>
+Message-Id: <E10HmbG-0005vi-00@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


--NNNNNNNNNN-eximdsn-MMMMMMMMMM
@@ -154,16 +154,221 @@ Date: Tue, 2 Mar 1999 09:44:33 +0000

 From MAILER-DAEMON Tue Mar 02 09:44:33 1999
 Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
-    id 10HmbG-0005vi-00
+    id 10HmbH-0005vi-00
     for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+X-Failed-Recipients: d@???
 Auto-Submitted: auto-replied
 From: Mail Delivery System <Mailer-Daemon@???>
 To: CALLER@???
-References: <E10HmbE-0005vi-00@???>
+References: <E10HmaY-0005vi-00@???>
 Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
 MIME-Version: 1.0
-Subject: Warning: message 10HmbE-0005vi-00 delayed 0 minutes
-Message-Id: <E10HmbG-0005vi-00@???>
+Subject: Mail delivery failed: returning message to sender
+Message-Id: <E10HmbH-0005vi-00@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: text/plain; charset=us-ascii
+
+This message was created automatically by mail delivery software.
+
+A message that you sent could not be delivered to one or more of its
+recipients. This is a permanent error. The following address(es) failed:
+
+  d@???
+    Unrouteable address
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/delivery-status
+
+Reporting-MTA: dns; myhost.test.ex
+
+Action: failed
+Final-Recipient: rfc822;d@???
+Status: 5.0.0
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/rfc822
+
+Return-path: <CALLER@???>
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmaY-0005vi-00
+    for d@???; Tue, 2 Mar 1999 09:44:33 +0000
+Subject: test 1.4 - Specified, non-absolute
+Message-Id: <E10HmaY-0005vi-00@???>
+From: CALLER_NAME <CALLER@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM--
+
+From MAILER-DAEMON Tue Mar 02 09:44:33 1999
+Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
+    id 10HmbI-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+X-Failed-Recipients: e@???
+Auto-Submitted: auto-replied
+From: Mail Delivery System <Mailer-Daemon@???>
+To: CALLER@???
+References: <E10HmaZ-0005vi-00@???>
+Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
+MIME-Version: 1.0
+Subject: Mail delivery failed: returning message to sender
+Message-Id: <E10HmbI-0005vi-00@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: text/plain; charset=us-ascii
+
+This message was created automatically by mail delivery software.
+
+A message that you sent could not be delivered to one or more of its
+recipients. This is a permanent error. The following address(es) failed:
+
+  e@???
+    Unrouteable address
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/delivery-status
+
+Reporting-MTA: dns; myhost.test.ex
+
+Action: failed
+Final-Recipient: rfc822;e@???
+Status: 5.0.0
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/rfc822
+
+Return-path: <CALLER@???>
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmaZ-0005vi-00
+    for e@???; Tue, 2 Mar 1999 09:44:33 +0000
+Subject: test 1.5 - Specified, expansion empty
+Message-Id: <E10HmaZ-0005vi-00@???>
+From: CALLER_NAME <CALLER@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM--
+
+From MAILER-DAEMON Tue Mar 02 09:44:33 1999
+Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
+    id 10HmbJ-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+X-Failed-Recipients: f@???
+Auto-Submitted: auto-replied
+From: Mail Delivery System <Mailer-Daemon@???>
+To: CALLER@???
+References: <E10HmbA-0005vi-00@???>
+Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
+MIME-Version: 1.0
+Subject: Mail delivery failed: returning message to sender
+Message-Id: <E10HmbJ-0005vi-00@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: text/plain; charset=us-ascii
+
+This message was created automatically by mail delivery software.
+
+A message that you sent could not be delivered to one or more of its
+recipients. This is a permanent error. The following address(es) failed:
+
+  f@???
+    Unrouteable address
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/delivery-status
+
+Reporting-MTA: dns; myhost.test.ex
+
+Action: failed
+Final-Recipient: rfc822;f@???
+Status: 5.0.0
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/rfc822
+
+Return-path: <CALLER@???>
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmbA-0005vi-00
+    for f@???; Tue, 2 Mar 1999 09:44:33 +0000
+Subject: test 1.6 - Specified, expansion tainted
+Message-Id: <E10HmbA-0005vi-00@???>
+From: CALLER_NAME <CALLER@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM--
+
+From MAILER-DAEMON Tue Mar 02 09:44:33 1999
+Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
+    id 10HmbL-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+X-Failed-Recipients: g@???
+Auto-Submitted: auto-replied
+From: Mail Delivery System <Mailer-Daemon@???>
+To: CALLER@???
+References: <E10HmbK-0005vi-00@???>
+Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
+MIME-Version: 1.0
+Subject: this is a customised bounce message
+Message-Id: <E10HmbL-0005vi-00@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: text/plain; charset=us-ascii
+
+Second item.  Forms the start of the error message.
+Expansions:
+ $sender_address <CALLER@???>
+ $bounce_recipient <CALLER@???>
+ $warn_message_delay ""
+
+  g@???
+    Unrouteable address
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/delivery-status
+
+Reporting-MTA: dns; myhost.test.ex
+
+Action: failed
+Final-Recipient: rfc822;g@???
+Status: 5.0.0
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/rfc822
+
+Return-path: <CALLER@???>
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmbK-0005vi-00
+    for g@???; Tue, 2 Mar 1999 09:44:33 +0000
+Subject: test 1.7 - Specified, expansion good
+Message-Id: <E10HmbK-0005vi-00@???>
+From: CALLER_NAME <CALLER@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM--
+
+From MAILER-DAEMON Tue Mar 02 09:44:33 1999
+Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
+    id 10HmbP-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+Auto-Submitted: auto-replied
+From: Mail Delivery System <Mailer-Daemon@???>
+To: CALLER@???
+References: <E10HmbM-0005vi-00@???>
+Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
+MIME-Version: 1.0
+Subject: Warning: message 10HmbM-0005vi-00 delayed 0 minutes
+Message-Id: <E10HmbP-0005vi-00@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


--NNNNNNNNNN-eximdsn-MMMMMMMMMM
@@ -173,7 +378,7 @@ This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 0 minutes on the queue on myhost.test.ex.

-The message identifier is:     10HmbE-0005vi-00
+The message identifier is:     10HmbM-0005vi-00
 The subject of the message is: test 2.1 - Default delay message
 The date of the message is:    Tue, 2 Mar 1999 09:44:33 +0000


@@ -202,10 +407,10 @@ Content-type: text/rfc822-headers
 Return-path: <CALLER@???>
 Received: from CALLER by myhost.test.ex with local (Exim x.yz)
     (envelope-from <CALLER@???>)
-    id 10HmbE-0005vi-00
+    id 10HmbM-0005vi-00
     for delay_p@???; Tue, 2 Mar 1999 09:44:33 +0000
 Subject: test 2.1 - Default delay message
-Message-Id: <E10HmbE-0005vi-00@???>
+Message-Id: <E10HmbM-0005vi-00@???>
 From: CALLER_NAME <CALLER@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


@@ -214,16 +419,16 @@ Date: Tue, 2 Mar 1999 09:44:33 +0000

 From MAILER-DAEMON Tue Mar 02 09:44:33 1999
 Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
-    id 10HmbH-0005vi-00
+    id 10HmbQ-0005vi-00
     for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
 Auto-Submitted: auto-replied
 From: Mail Delivery System <Mailer-Daemon@???>
 To: CALLER@???
-References: <E10HmbF-0005vi-00@???>
+References: <E10HmbN-0005vi-00@???>
 Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
 MIME-Version: 1.0
 Subject: this is a customised bounce message
-Message-Id: <E10HmbH-0005vi-00@???>
+Message-Id: <E10HmbQ-0005vi-00@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


 --NNNNNNNNNN-eximdsn-MMMMMMMMMM
@@ -255,10 +460,10 @@ Content-type: text/rfc822-headers
 Return-path: <CALLER@???>
 Received: from CALLER by myhost.test.ex with local (Exim x.yz)
     (envelope-from <CALLER@???>)
-    id 10HmbF-0005vi-00
+    id 10HmbN-0005vi-00
     for delay_q@???; Tue, 2 Mar 1999 09:44:33 +0000
 Subject: test 2.2 - Specified delay message file
-Message-Id: <E10HmbF-0005vi-00@???>
+Message-Id: <E10HmbN-0005vi-00@???>
 From: CALLER_NAME <CALLER@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


@@ -267,16 +472,16 @@ Date: Tue, 2 Mar 1999 09:44:33 +0000

 From MAILER-DAEMON Tue Mar 02 09:44:33 1999
 Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
-    id 10HmbI-0005vi-00
+    id 10HmbR-0005vi-00
     for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
 Auto-Submitted: auto-replied
 From: Mail Delivery System <Mailer-Daemon@???>
 To: CALLER@???
-References: <E10HmaY-0005vi-00@???>
+References: <E10HmbB-0005vi-00@???>
 Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
 MIME-Version: 1.0
-Subject: Warning: message 10HmaY-0005vi-00 delayed 0 minutes
-Message-Id: <E10HmbI-0005vi-00@???>
+Subject: Warning: message 10HmbB-0005vi-00 delayed 0 minutes
+Message-Id: <E10HmbR-0005vi-00@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


--NNNNNNNNNN-eximdsn-MMMMMMMMMM
@@ -286,7 +491,7 @@ This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 0 minutes on the queue on myhost.test.ex.

-The message identifier is:     10HmaY-0005vi-00
+The message identifier is:     10HmbB-0005vi-00
 The subject of the message is: test 2.3 - Specified, missing delay message file
 The date of the message is:    Tue, 2 Mar 1999 09:44:33 +0000


@@ -315,10 +520,63 @@ Content-type: text/rfc822-headers
 Return-path: <CALLER@???>
 Received: from CALLER by myhost.test.ex with local (Exim x.yz)
     (envelope-from <CALLER@???>)
-    id 10HmaY-0005vi-00
+    id 10HmbB-0005vi-00
     for delay_r@???; Tue, 2 Mar 1999 09:44:33 +0000
 Subject: test 2.3 - Specified, missing delay message file
-Message-Id: <E10HmaY-0005vi-00@???>
+Message-Id: <E10HmbB-0005vi-00@???>
+From: CALLER_NAME <CALLER@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM--
+
+From MAILER-DAEMON Tue Mar 02 09:44:33 1999
+Received: from EXIMUSER by myhost.test.ex with local (Exim x.yz)
+    id 10HmbS-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+Auto-Submitted: auto-replied
+From: Mail Delivery System <Mailer-Daemon@???>
+To: CALLER@???
+References: <E10HmbO-0005vi-00@???>
+Content-Type: multipart/report; report-type=delivery-status; boundary=NNNNNNNNNN-eximdsn-MMMMMMMMMM
+MIME-Version: 1.0
+Subject: this is a customised bounce message
+Message-Id: <E10HmbS-0005vi-00@???>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: text/plain; charset=us-ascii
+
+Second item.  Forms the start of the error message.
+Expansions:
+ $sender_address <CALLER@???>
+ $bounce_recipient <>
+ $warn_message_delay "0 minutes"
+
+  delay_s@???
+    Delay reason: deliberate for test purposes
+
+Third item.
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: message/delivery-status
+
+Reporting-MTA: dns; myhost.test.ex
+
+Action: delayed
+Final-Recipient: rfc822;delay_s@???
+Status: 4.0.0
+
+--NNNNNNNNNN-eximdsn-MMMMMMMMMM
+Content-type: text/rfc822-headers
+
+Return-path: <CALLER@???>
+Received: from CALLER by myhost.test.ex with local (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmbO-0005vi-00
+    for delay_s@???; Tue, 2 Mar 1999 09:44:33 +0000
+Subject: test 2.7 - Specified, expansion good
+Message-Id: <E10HmbO-0005vi-00@???>
 From: CALLER_NAME <CALLER@???>
 Date: Tue, 2 Mar 1999 09:44:33 +0000


diff --git a/test/paniclog/0622 b/test/paniclog/0622
index 88ae44a..544d65c 100644
--- a/test/paniclog/0622
+++ b/test/paniclog/0622
@@ -1,2 +1,8 @@
 2017-07-30 18:51:05.712 10HmaX-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for error message texts: No such file or directory
-2017-07-30 18:51:05.712 10HmaY-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for warning message texts: No such file or directory
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 bounce_message_file is not absolute after expansion: 'relative_file_path'
+
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 Failed to expand bounce_message_file: '$acl_m_unset'
+
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 bounce_message_file is not untainted after expansion: 'TESTSUITE/aux-fixed/0622.CALLER@???'
+
+2017-07-30 18:51:05.712 10HmbB-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for warning message texts: No such file or directory
diff --git a/test/scripts/0000-Basic/0622 b/test/scripts/0000-Basic/0622
index a7c966d..f3016f2 100644
--- a/test/scripts/0000-Basic/0622
+++ b/test/scripts/0000-Basic/0622
@@ -3,22 +3,37 @@
 exim -odf a@???
 Subject: test 1.1 - Default deny message
 ****
-exim -odf -DOPT=DIR/aux-fixed/TESTNUM.bounce.tmpl b@???
+exim -odf -DOPT=DIR/aux-fixed/TESTNUM.bounce.tmpl    b@???
 Subject: test 1.2 - Specified deny message file
 ****
-exim -odf -DOPT=DIR/aux-fixed/TESTNUM.nonexist.tmpl c@???
+exim -odf -DOPT=DIR/aux-fixed/TESTNUM.nonexist.tmpl    c@???
 Subject: test 1.3 - Specified, missing deny message file
 ****
+exim -odf -DOPT=relative_file_path            d@???
+Subject: test 1.4 - Specified, non-absolute
+****
+exim -odf -DOPT='$acl_m_unset'                e@???
+Subject: test 1.5 - Specified, expansion empty
+****
+exim -odf -DOPT='DIR/aux-fixed/TESTNUM.$sender_address'    f@???
+Subject: test 1.6 - Specified, expansion tainted
+****
+exim -odf -DOPT='${if ={0}{0} {DIR/aux-fixed/TESTNUM.bounce.tmpl}{bad}}' g@???
+Subject: test 1.7 - Specified, expansion good
+****
 #
 exim -odf delay_p@???
 Subject: test 2.1 - Default delay message
 ****
-exim -odf -DOPT=DIR/aux-fixed/TESTNUM.bounce.tmpl delay_q@???
+exim -odf -DOPT=DIR/aux-fixed/TESTNUM.bounce.tmpl            delay_q@???
 Subject: test 2.2 - Specified delay message file
 ****
-exim -odf -DOPT=DIR/aux-fixed/TESTNUM.nonexist.tmpl delay_r@???
+exim -odf -DOPT=DIR/aux-fixed/TESTNUM.nonexist.tmpl            delay_r@???
 Subject: test 2.3 - Specified, missing delay message file
 ****
+exim -odf -DOPT='${if ={0}{0} {DIR/aux-fixed/TESTNUM.bounce.tmpl}{bad}}' delay_s@???
+Subject: test 2.7 - Specified, expansion good
+****
 sleep 1
 exim -M $msg1
 ****
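Review bot: The bounce side gains tests 1.4 to 1.7 (non-absolute, empty expansion, tainted, good), but the warning side adds only 2.7 and skips 2.4 to 2.6. The rejection branches in expand_open() are shared, yet the "warn_message_file" and "warning" arguments passed from the delay-warning call site never appear in the expected logs for those branches. Adding delay_ cases for a relative path, an empty expansion and a tainted expansion would cover them.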
@@ -26,6 +41,8 @@ exim -DOPT=DIR/aux-fixed/TESTNUM.bounce.tmpl -M $msg2
 ****
 exim -DOPT=DIR/aux-fixed/TESTNUM.nonexist.tmpl -M $msg3
 ****
+exim -DOPT=DIR/aux-fixed/TESTNUM.bounce.tmpl -M $msg4
+****
 sleep 1
 #
 #
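Review bot: The added `-M $msg4` run sets OPT to the plain template path rather than the `${if ={0}{0} {DIR/aux-fixed/TESTNUM.bounce.tmpl}{bad}}` form used when delay_s was submitted. If the delay warning is generated during this -M run, as the second defer line for delay_s in test/log/0622 suggests, and $msg4 is the delay_s message, then test 2.7 feeds warn_message_file the same input as test 2.2 and does not exercise a non-trivial expansion. Passing the `${if ...}` form here would make the test match its subject line.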
diff --git a/test/stderr/0622 b/test/stderr/0622
index 88ae44a..544d65c 100644
--- a/test/stderr/0622
+++ b/test/stderr/0622
@@ -1,2 +1,8 @@
 2017-07-30 18:51:05.712 10HmaX-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for error message texts: No such file or directory
-2017-07-30 18:51:05.712 10HmaY-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for warning message texts: No such file or directory
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 bounce_message_file is not absolute after expansion: 'relative_file_path'
+
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 Failed to expand bounce_message_file: '$acl_m_unset'
+
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 bounce_message_file is not untainted after expansion: 'TESTSUITE/aux-fixed/0622.CALLER@???'
+
+2017-07-30 18:51:05.712 10HmbB-0005vi-00 Failed to open TESTSUITE/aux-fixed/0622.nonexist.tmpl for warning message texts: No such file or directory