[exim-dev] [Bug 2586] ${listcount } fails on tainted data

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2586] ${listcount } fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2586

Git Commit <git@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |git@???


--- Comment #1 from Git Commit <git@???> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/44644c2e404a3ea0191db0b0458e86924fb240bb

commit 44644c2e404a3ea0191db0b0458e86924fb240bb
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Jun 2 15:03:36 2020 +0100
Commit:     Jeremy Harris <jgh146exb@???>
CommitDate: Tue Jun 2 15:04:51 2020 +0100


    Taint: fix listcount expansion operator.  Bug 2586
---
 doc/doc-txt/ChangeLog | 6 +++++-
 src/src/expand.c      | 3 +--
 2 files changed, 6 insertions(+), 3 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 93bd62c..240dc75 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,10 +11,14 @@ JH/01 Bug 1329: Fix format of Maildir-format filenames to
match other mail-
       says that "M" should be, so change to match.


 JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used
-      as arguments, so an implementation trying to copy these into local
+      as arguments, so an implementation trying to copy these into a local
       buffer was taking a taint-enformance trap.  Fix by using dynamically
       created buffers.


+JH/03 Bug 2586: Fix listcount expansion operator.  Using tainted arguments is
+      reasonable, eg. to count headers.  Fix by using dynamically created
+      buffers rather than a local,
+


 Exim version 4.94
 -----------------
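
Review bot: the new JH/03 entry ends mid-sentence at "buffers rather than a local," with a trailing comma and no noun; suggest finishing it as "rather than a local one." so it matches the wording of JH/02. Since this hunk already touches the JH/02 paragraph to add the missing "a", the "taint-enformance" typo on the next line of that entry could be corrected in the same change.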
diff --git a/src/src/expand.c b/src/src/expand.c
index b014533..b015124 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -7208,9 +7208,8 @@ while (*s != 0)
         {
     int cnt = 0;
     int sep = 0;
-    uschar buffer[256];


-    while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++;
+    while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;
     yield = string_fmt_append(yield, "%d", cnt);
         continue;
         }
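
Review bot: the replacement call `string_nextinlist(CUSS &sub, &sep, NULL, 0)` has no comment explaining why NULL and 0 are passed in place of the removed `uschar buffer[256]`, so a later tidy-up could reintroduce a fixed local buffer and the taint trap with it; a one-line comment above the loop noting that the list may be tainted and must not be copied into a local buffer would prevent that. The loop also uses each returned item only as a truth test, so every element is copied into a dynamically created buffer just to be counted; that is acceptable for a correctness fix but worth stating in the comment. The diffstat lists only ChangeLog and expand.c, so the change carries no regression test; a test-suite case running listcount over a tainted list (the ChangeLog's own example is counting headers) would cover this.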

