[exim-cvs] Taint: fix verify. Bug 2598

Author: Exim Git Commits Mailing List
Date:
To: exim-cvs
Subject: [exim-cvs] Taint: fix verify. Bug 2598
Gitweb: https://git.exim.org/exim.git/commitdiff/9eed571fd7c3236326cc6ea74f1455b027df7604
Commit:     9eed571fd7c3236326cc6ea74f1455b027df7604
Parent:     d3a538c8fee9f31b29947ad73445f50902140899
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Jun 14 20:43:06 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Jun 14 21:04:46 2020 +0100


    Taint: fix verify.  Bug 2598
---
 doc/doc-txt/ChangeLog        |  4 +++
 src/src/acl.c                |  2 +-
 test/confs/0591              | 33 ++++++++++++++++++++++
 test/scripts/0000-Basic/0087 |  2 +-
 test/scripts/0000-Basic/0591 | 29 +++++++++++++++++++
 test/stderr/0591             | 67 ++++++++++++++++++++++++++++++++++++++++++++
 test/stdout/0591             | 39 ++++++++++++++++++++++++++
 7 files changed, 174 insertions(+), 2 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8668652..fef4c74 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -40,6 +40,10 @@ JH/07 Bug 2597: Fix a resource leak.  Using a lookup in obtaining a value for
       when the limit was exceeded.  This eventually crashed the daemon.  Fix
       by adding a relase action in that path.


+JH/08 Bug 2598: Fix verify ACL condition.  The options for the condition are
+      expanded; previously using tainted values was rejected.  Fix by using
+      dynamically-created buffers.
+


Exim version 4.94
-----------------
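
Review bot: the JH/08 entry says "The options for the condition are expanded" without naming them, so an admin cannot tell from it which configurations were affected. Stating that this concerns the list items following the verify type (defer_ok, no_details and the rest handled in acl.c), and that tainted values in that list are now accepted, would make the entry self-contained. "Fix by using dynamically-created buffers" could also say what was used before, since the reason for the earlier rejection is not stated.
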
diff --git a/src/src/acl.c b/src/src/acl.c
index 2a52ce7..297489b 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -1789,7 +1789,7 @@ switch(vp->value)
/* Remaining items are optional; they apply to sender and recipient
verification, including "header sender" verification. */

-while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
   {
   if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
   else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
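
Review bot: the changed call string_nextinlist(&list, &sep, NULL, 0) has no comment saying why big_buffer must not be used here, so a later cleanup could put it back and reintroduce the rejection of tainted values. A one-line comment above the while loop noting that the list is the expanded condition argument and may be tainted, hence the dynamically-created buffer mentioned in the ChangeLog, would guard against that. Only this one call is changed; it is worth checking whether other string_nextinlist() calls in acl.c pass big_buffer for lists that come from expanded values.
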
diff --git a/test/confs/0591 b/test/confs/0591
new file mode 100644
index 0000000..8eaeb08
--- /dev/null
+++ b/test/confs/0591
@@ -0,0 +1,33 @@
+# Exim test configuration 0591
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex
+
+acl_smtp_rcpt = check_recipient
+queue_only
+
+
+# ----- ACL -----
+
+begin acl
+
+check_recipient:
+  require verify = sender=OPT
+  accept
+
+# ----- Routers -----
+
+begin routers
+
+goodroute:
+  driver = accept
+  local_parts = userx
+  verify_only
+
+
+# End
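
Review bot: the ACL only exercises "require verify = sender=OPT", while the comment above the changed loop in acl.c says the optional items apply to sender and recipient verification, including "header sender" verification. Adding recipient and header_sender statements that take a tainted option list would cover the other users of that loop. A comment next to the require line noting that OPT is supplied by the test script through -DOPT would also help anyone reading the config on its own.
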
diff --git a/test/scripts/0000-Basic/0087 b/test/scripts/0000-Basic/0087
index c77b69c..8e65e80 100644
--- a/test/scripts/0000-Basic/0087
+++ b/test/scripts/0000-Basic/0087
@@ -1,4 +1,4 @@
-# verify = header_sender
+# verify = header_sender & sender
 exim -bh V4NET.10.10.10
 mail from:<userx@???>
 rcpt to:<userx@???>
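
Review bot: the title comment becomes "# verify = header_sender & sender" but nothing else in test 0087 changes in this commit, and neither the commit message nor the ChangeLog entry mentions it. If this corrects a stale description, say so in the commit message or split it into its own commit, so it is not read as part of the Bug 2598 fix.
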
diff --git a/test/scripts/0000-Basic/0591 b/test/scripts/0000-Basic/0591
new file mode 100644
index 0000000..c7f543d
--- /dev/null
+++ b/test/scripts/0000-Basic/0591
@@ -0,0 +1,29 @@
+# verify = sender=address
+#
+# pass
+exim -DOPT=userx@??? -bh 127.0.0.1
+mail from:<userx@???>
+rcpt to:<userx@???>
+data
+From: userx@???
+Subject: testing
+.
+QUIT
+****
+# fail
+exim -DOPT=fail@??? -bh 127.0.0.1
+mail from:<userx@???>
+rcpt to:<userx@???>
+QUIT
+****
+# check can use tainted data
+exim -DOPT='$sender_address/defer_ok' -bh 127.0.0.1
+mail from:<userx@???>
+rcpt to:<userx@???>
+data
+From: userx@???
+Subject: testing
+.
+QUIT
+****
+no_msglog_check
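
Review bot: the "check can use tainted data" case only covers a passing verification, because -DOPT='$sender_address/defer_ok' with mail from:<userx@???> expands to the same address as the first "pass" case. A second tainted case in which the expanded sender does not route, mirroring the "fail" case, would show that rejection still works when the option list comes from tainted data.
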
diff --git a/test/stderr/0591 b/test/stderr/0591
new file mode 100644
index 0000000..d3e854e
--- /dev/null
+++ b/test/stderr/0591
@@ -0,0 +1,67 @@
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_recipient"
+>>> processing "require" (TESTSUITE/test-config 20)
+>>> check verify = sender=userx@???
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing userx@???
+>>> userx in "userx"? yes (matched "userx")
+>>> calling goodroute router
+>>> routed by goodroute router
+>>> ----------- end verify ------------
+>>> require: condition test succeeded in ACL "check_recipient"
+>>> processing "accept" (TESTSUITE/test-config 21)
+>>> accept: condition test succeeded in ACL "check_recipient"
+>>> end of ACL "check_recipient": ACCEPT
+>>> host in ignore_fromline_hosts? no (option unset)
+LOG: 10HmaX-0005vi-00 <= userx@??? H=[127.0.0.1] P=smtp S=sss
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_recipient"
+>>> processing "require" (TESTSUITE/test-config 20)
+>>> check verify = sender=fail@???
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing fail@???
+>>> fail in "userx"? no (end of list)
+>>> no more routers
+>>> ----------- end verify ------------
+>>> require: condition test failed in ACL "check_recipient"
+>>> end of ACL "check_recipient": not OK
+LOG: H=[127.0.0.1] sender verify fail for <fail@???>: Unrouteable address
+LOG: H=[127.0.0.1] F=<userx@???> rejected RCPT <userx@???>: Sender verify failed
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_recipient"
+>>> processing "require" (TESTSUITE/test-config 20)
+>>> check verify = sender=$sender_address/defer_ok
+>>>              = sender=userx@???/defer_ok
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing userx@???
+>>> userx in "userx"? yes (matched "userx")
+>>> calling goodroute router
+>>> routed by goodroute router
+>>> ----------- end verify ------------
+>>> require: condition test succeeded in ACL "check_recipient"
+>>> processing "accept" (TESTSUITE/test-config 21)
+>>> accept: condition test succeeded in ACL "check_recipient"
+>>> end of ACL "check_recipient": ACCEPT
+>>> host in ignore_fromline_hosts? no (option unset)
+LOG: 10HmaY-0005vi-00 <= userx@??? H=[127.0.0.1] P=smtp S=sss
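
Review bot: the third block differs from the first only by the expansion pair "check verify = sender=$sender_address/defer_ok" and "= sender=userx@???/defer_ok"; nothing in the expected output shows that defer_ok was parsed and applied, so this output would be unchanged if the item after the slash were silently dropped. Consider a case whose result depends on the option, so that the loop changed in acl.c is observably exercised.
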
diff --git a/test/stdout/0591 b/test/stdout/0591
new file mode 100644
index 0000000..620e8f8
--- /dev/null
+++ b/test/stdout/0591
@@ -0,0 +1,39 @@
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaX-0005vi-00
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250 OK
+550-Verification failed for <fail@???>
+550-Unrouteable address
+550 Sender verify failed
+221 myhost.test.ex closing connection
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaY-0005vi-00
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection