[exim-cvs] Taint: fix ACL "spam" condition, to permit taint…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Taint: fix ACL "spam" condition, to permit tainted name arguments.
Gitweb: https://git.exim.org/exim.git/commitdiff/62b2ccce05a9a3127736d84d20e2bbe7b0885287
Commit:     62b2ccce05a9a3127736d84d20e2bbe7b0885287
Parent:     3d0472791a0928963a3f8184fe28479e80d1a47d
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Jun 29 17:14:07 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jun 29 17:14:07 2020 +0100


    Taint: fix ACL "spam" condition, to permit tainted name arguments.
---
 doc/doc-txt/ChangeLog |  4 ++++
 src/src/spam.c        | 26 +++++++++-----------------
 2 files changed, 13 insertions(+), 17 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index b2b9a74..41a9629 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -69,6 +69,10 @@ JH/13 Fix dsearch "subdir" filter to ignore ".".  Previously only ".." was
 JH/14 Bug 2606: Fix a segfault in sqlite lookups.  When no, or a bad, filename
       was given for the sqlite_dbfile a trap resulted.


+JH/15 Fix "spam" ACL condition.  Previously, tainted values for the "name"
+      argument resulted in a trap.  There is no reason to disallow such; this
+      was a coding error.
+


Exim version 4.94
-----------------
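
Review bot: the JH/15 entry names the symptom (a trap on tainted "name" values) but not the side effect of the fix that an administrator would see. Going by the spam.c part of this commit, the name is no longer copied into the fixed 128-byte user_name_buffer, so its length is no longer bounded by that buffer; one more sentence saying so would make the entry complete. If a bug number exists for this, citing it as JH/14 does would also help.
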
diff --git a/src/src/spam.c b/src/src/spam.c
index 5eff1ad..bd34dba 100644
--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -190,7 +190,6 @@ spam(const uschar **listptr)
int sep = 0;
const uschar *list = *listptr;
uschar *user_name;
-uschar user_name_buffer[128];
unsigned long mbox_size;
FILE *mbox_file;
client_conn_ctx spamd_cctx = {.sock = -1};
@@ -218,17 +217,14 @@ spamd_address_container * sd;
result = 0;

 /* find the username from the option list */
-if ((user_name = string_nextinlist(&list, &sep,
-                   user_name_buffer,
-                   sizeof(user_name_buffer))) == NULL)
+if (!(user_name = string_nextinlist(&list, &sep, NULL, 0)))
   {
   /* no username given, this means no scanning should be done */
   return FAIL;
   }


 /* if username is "0" or "false", do not scan */
-if ( (Ustrcmp(user_name,"0") == 0) ||
-     (strcmpic(user_name,US"false") == 0) )
+if (Ustrcmp(user_name, "0") == 0 || strcmpic(user_name, US"false") == 0)
   return FAIL;


/* if there is an additional option, check if it is "true" */
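
Review bot: the new string_nextinlist(&list, &sep, NULL, 0) call has no comment explaining why no caller buffer is passed, and the existing comment only says "find the username from the option list". A one-line note that the item must not be copied into a local buffer because it may be tainted would stop a later cleanup from reintroducing the stack buffer. With the sizeof(user_name_buffer) bound gone, it is also worth confirming that later uses of user_name in spam() do not assume a name shorter than 128 bytes. The diffstat lists only ChangeLog and spam.c, so a test case that passes a tainted name argument would be a useful addition.
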
@@ -237,19 +233,15 @@ if (strcmpic(list,US"true") == 0)
override = 1;

 /* expand spamd_address if needed */
-if (*spamd_address == '$')
+if (*spamd_address != '$')
+  spamd_address_work = spamd_address;
+else if (!(spamd_address_work = expand_string(spamd_address)))
   {
-  spamd_address_work = expand_string(spamd_address);
-  if (spamd_address_work == NULL)
-    {
-    log_write(0, LOG_MAIN|LOG_PANIC,
-      "%s spamd_address starts with $, but expansion failed: %s",
-      loglabel, expand_string_message);
-    return DEFER;
-    }
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "%s spamd_address starts with $, but expansion failed: %s",
+    loglabel, expand_string_message);
+  return DEFER;
   }
-else
-  spamd_address_work = spamd_address;


DEBUG(D_acl) debug_printf_indent("spamd: addrlist '%s'\n", spamd_address_work);
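
Review bot: the spamd_address rewrite in this hunk is unrelated to the taint fix named in the commit message and would be better as a separate commit, or at least mentioned in the message, so that a backport or bisect of the taint fix carries only the change it needs. The outcomes look the same as before: spamd_address_work is set to spamd_address when the value does not start with '$', and a failed expansion still logs at LOG_MAIN|LOG_PANIC and returns DEFER. The same comment applies to the reflowed "0"/"false" comparison in the previous hunk.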