Gitweb:
https://git.exim.org/exim.git/commitdiff/12b7f811de4a540d0724585aecfa33b5881e2a30
Commit: 12b7f811de4a540d0724585aecfa33b5881e2a30
Parent: 1195f8f2a4329ae21a4ec5d3fa3666c6c4fa2d2f
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Jun 3 11:40:17 2020 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Wed Jun 3 11:40:17 2020 +0100
Taint: fix multiple ACL actions to properly manage tainted argument data
---
doc/doc-txt/ChangeLog | 4 +++-
src/src/acl.c | 12 ++++++------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 19a1b17..d9959d5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -17,7 +17,9 @@ JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
- buffers rather than a local,
+ buffers rather than a local. Do similar fixes for ACL actions "dcc",
+ "log_reject_target", "malware" and "spam"; the arguments are expanded
+ so could be handling tainted values.
Exim version 4.94
diff --git a/src/src/acl.c b/src/src/acl.c
index 57a0729..2a52ce7 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -3420,11 +3420,11 @@ for (; cb; cb = cb->next)
{
/* Separate the regular expression and any optional parameters. */
const uschar * list = arg;
- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
+ uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
/* Run the dcc backend. */
rc = dcc_process(&ss);
/* Modify return code based upon the existence of options. */
- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+ while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
rc = FAIL; /* FAIL so that the message is passed to the next ACL */
}
@@ -3585,7 +3585,7 @@ for (; cb; cb = cb->next)
int sep = 0;
const uschar *s = arg;
uschar * ss;
- while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size)))
+ while ((ss = string_nextinlist(&s, &sep, NULL, 0)))
{
if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
@@ -3638,7 +3638,7 @@ for (; cb; cb = cb->next)
{
/* Separate the regular expression and any optional parameters. */
const uschar * list = arg;
- uschar * ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
+ uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
uschar * opt;
BOOL defer_ok = FALSE;
int timeout = 0;
@@ -3743,11 +3743,11 @@ for (; cb; cb = cb->next)
{
/* Separate the regular expression and any optional parameters. */
const uschar * list = arg;
- uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
+ uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
rc = spam(CUSS &ss);
/* Modify return code based upon the existence of options. */
- while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+ while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
rc = FAIL; /* FAIL so that the message is passed to the next ACL */
}