[exim-cvs] Relax restrictions on which ACLs verify condition…

Autor: Exim Git Commits Mailing List
Datum:  
To: exim-cvs
Betreff: [exim-cvs] Relax restrictions on which ACLs verify conditions may be used
Gitweb: https://git.exim.org/exim.git/commitdiff/e89d95f1909c0972b0e854ae05f50246f4d727d6
Commit:     e89d95f1909c0972b0e854ae05f50246f4d727d6
Parent:     9eed571fd7c3236326cc6ea74f1455b027df7604
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Jun 14 21:29:08 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Jun 14 21:29:08 2020 +0100


    Relax restrictions on which ACLs verify conditions may be used
---
 doc/doc-docbook/spec.xfpt | 7 ++++---
 doc/doc-txt/ChangeLog     | 5 +++++
 src/src/acl.c             | 8 ++++----
 src/src/macros.h          | 8 +++++++-
 4 files changed, 20 insertions(+), 8 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index e3684ba..8350b4d 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -31776,8 +31776,9 @@ send email. Details of how this works are given in section
.cindex "header lines" "verifying header names only ASCII"
.cindex "verifying" "header names only ASCII"
This condition is relevant only in an ACL that is run after a message has been
-received, that is, in an ACL specified by &%acl_smtp_data%& or
-&%acl_not_smtp%&. It checks all header names (not the content) to make sure
+received.
+This usually means an ACL specified by &%acl_smtp_data%& or &%acl_not_smtp%&.
+It checks all header names (not the content) to make sure
there are no non-ASCII characters, also excluding control characters. The
allowable characters are decimal ASCII values 33 through 126.

@@ -31932,7 +31933,7 @@ Note that '/' is legal in local-parts; if the address may have such
(eg. is generated from the received message)
they must be protected from the options parsing by doubling:
.code
-verify = sender=${sg{${address:$h_sender:}}{/}{//}}
+verify = sender=${listquote{/}{${address:$h_sender:}}}
.endd
.endlist

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index fef4c74..0354ff2 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -44,6 +44,11 @@ JH/08 Bug 2598: Fix verify ACL condition.  The options for the condition are
       expanded; previously using tainted values was rejected.  Fix by using
       dynamically-created buffers.


+JH/09 Relax restrictions on ACL verify condition needing access to message
+      headers.  Previously they were only permitted in data and non-smtp ACLs;
+      permit also mime, dkim, prdr quit and notquit.  Applies to header-syntax,
+      not_blind, header_sender and header_names_ascii verification.
+


 Exim version 4.94
 -----------------
diff --git a/src/src/acl.c b/src/src/acl.c
index 297489b..e1e6f9c 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -1517,14 +1517,14 @@ static verify_type_t verify_type_list[] = {
     { US"certificate",          VERIFY_CERT,         (unsigned)~0,    TRUE,  0 },
     { US"helo",              VERIFY_HELO,         (unsigned)~0,    TRUE,  0 },
     { US"csa",              VERIFY_CSA,         (unsigned)~0,    FALSE, 0 },
-    { US"header_syntax",    VERIFY_HDR_SYNTAX,    ACL_BIT_DATA | ACL_BIT_NOTSMTP, TRUE, 0 },
-    { US"not_blind",          VERIFY_NOT_BLIND,    ACL_BIT_DATA | ACL_BIT_NOTSMTP, FALSE, 0 },
-    { US"header_sender",    VERIFY_HDR_SNDR,    ACL_BIT_DATA | ACL_BIT_NOTSMTP, FALSE, 0 },
+    { US"header_syntax",    VERIFY_HDR_SYNTAX,    ACL_BITS_HAVEDATA, TRUE, 0 },
+    { US"not_blind",          VERIFY_NOT_BLIND,    ACL_BITS_HAVEDATA, FALSE, 0 },
+    { US"header_sender",    VERIFY_HDR_SNDR,    ACL_BITS_HAVEDATA, FALSE, 0 },
     { US"sender",          VERIFY_SNDR,        ACL_BIT_MAIL | ACL_BIT_RCPT
             | ACL_BIT_PREDATA | ACL_BIT_DATA | ACL_BIT_NOTSMTP,
                                         FALSE, 6 },
     { US"recipient",          VERIFY_RCPT,         ACL_BIT_RCPT,    FALSE, 0 },
-    { US"header_names_ascii",    VERIFY_HDR_NAMES_ASCII, ACL_BIT_DATA | ACL_BIT_NOTSMTP, TRUE, 0 },
+    { US"header_names_ascii",    VERIFY_HDR_NAMES_ASCII, ACL_BITS_HAVEDATA, TRUE, 0 },
 #ifdef EXPERIMENTAL_ARC
     { US"arc",            VERIFY_ARC,         ACL_BIT_DATA,    FALSE , 0 },
 #endif
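Review bot: The four header-based entries (`header_syntax`, `not_blind`, `header_sender`, `header_names_ascii`) now accept `ACL_BITS_HAVEDATA`, which per the macros.h hunk includes `ACL_BIT_QUIT` and `ACL_BIT_NOTQUIT`, but nothing visible here shows that a message's headers are still held when those ACLs run. If the verify routines walk an empty header list at that point, the condition would presumably succeed vacuously, so `verify = header_syntax` in a quit or notquit ACL could read as a check that passed when it never examined anything. I would either confirm that the verify code fails or defers when no headers are present, or document the limit next to these entries, e.g. `/* headers may be absent in quit/notquit ACLs; the check then has nothing to inspect */`. The table begins before this hunk and continues after it.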
diff --git a/src/src/macros.h b/src/src/macros.h
index f601244..b5221c7 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -974,7 +974,9 @@ enum { ACL_WHERE_RCPT,       /* Some controls are for RCPT only */
 #define ACL_BIT_MIME        BIT(ACL_WHERE_MIME)
 #define ACL_BIT_DKIM        BIT(ACL_WHERE_DKIM)
 #define ACL_BIT_DATA        BIT(ACL_WHERE_DATA)
-#ifndef DISABLE_PRDR
+#ifdef DISABLE_PRDR
+# define ACL_BIT_PRDR        0
+#else
 # define ACL_BIT_PRDR        BIT(ACL_WHERE_PRDR)
 #endif
 #define ACL_BIT_NOTSMTP        BIT(ACL_WHERE_NOTSMTP)
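Review bot: Defining `ACL_BIT_PRDR` as `0` under `DISABLE_PRDR` removes a compile-time guard: code that names the bit in a non-PRDR build used to fail to compile and now quietly evaluates to an empty mask. That is what lets `ACL_BITS_HAVEDATA` be written without an `#ifdef`, but it deserves a comment at the definition, e.g. `/* zero so mask expressions need no #ifdef; never matches any ACL */`. It would also be worth checking, outside this hunk, for any `#ifdef ACL_BIT_PRDR` test or table entry whose only permitted place is `ACL_BIT_PRDR`, since such an entry would now build with a mask that allows nothing.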
@@ -992,6 +994,10 @@ enum { ACL_WHERE_RCPT,       /* Some controls are for RCPT only */
 #define ACL_BIT_DELIVERY    BIT(ACL_WHERE_DELIVERY)
 #define ACL_BIT_UNKNOWN        BIT(ACL_WHERE_UNKNOWN)


+#define ACL_BITS_HAVEDATA    (ACL_BIT_MIME | ACL_BIT_DKIM | ACL_BIT_DATA \
+                | ACL_BIT_PRDR \
+                | ACL_BIT_NOTSMTP | ACL_BIT_QUIT | ACL_BIT_NOTQUIT)
+


/* Situations for spool_write_header() */
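Review bot: `ACL_BITS_HAVEDATA` is added without a comment, and the name suggests message body data while the acl.c entries that use it are all header checks. A line above the definition stating the intended guarantee would help, e.g. `/* ACLs run after the message headers have been received; used for header-based verify conditions */`. Anyone adding a bit to the mask later could then tell whether it qualifies. The definitions of `ACL_BIT_QUIT` and `ACL_BIT_NOTQUIT` sit in the unchanged lines between the two macros.h hunks and are not visible here.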