Gitweb:
https://git.exim.org/exim.git/commitdiff/44644c2e404a3ea0191db0b0458e86924fb240bb
Commit: 44644c2e404a3ea0191db0b0458e86924fb240bb
Parent: 05d83295725e9bb91c1c37108d2d8892ee4a2bfd
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Jun 2 15:03:36 2020 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Tue Jun 2 15:04:51 2020 +0100
Taint: fix listcount expansion operator. Bug 2586
---
doc/doc-txt/ChangeLog | 6 +++++-
src/src/expand.c | 3 +--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 93bd62c..240dc75 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,10 +11,14 @@ JH/01 Bug 1329: Fix format of Maildir-format filenames to match other mail-
says that "M" should be, so change to match.
JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
- as arguments, so an implementation trying to copy these into local
+ as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enformance trap. Fix by using dynamically
created buffers.
+JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is
+ reasonable, eg. to count headers. Fix by using dynamically created
+ buffers rather than a local,
+
Exim version 4.94
-----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index b014533..b015124 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -7208,9 +7208,8 @@ while (*s != 0)
{
int cnt = 0;
int sep = 0;
- uschar buffer[256];
- while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++;
+ while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;
yield = string_fmt_append(yield, "%d", cnt);
continue;
}