Gitweb:
https://git.exim.org/exim.git/commitdiff/532800c8bf0e4bc2c27739477e70e0d7eef7df21
Commit: 532800c8bf0e4bc2c27739477e70e0d7eef7df21
Parent: 040494b780a1f6db9f7dba0058c29e975241c1b0
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Jul 13 13:46:14 2020 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jul 13 13:53:44 2020 +0100
Taint: fix ACL "spam" condition, to permit tainted name arguments
Follow-on from: 62b2ccce05
---
doc/doc-txt/ChangeLog | 6 +++---
src/src/spam.c | 15 +++++++--------
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 6d688d1..6062736 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -69,9 +69,9 @@ JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was
JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename
was given for the sqlite_dbfile a trap resulted.
-JH/15 Fix "spam" ACL condition. Previously, tainted values for the "name"
- argument resulted in a trap. There is no reason to disallow such; this
- was a coding error.
+JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the
+ "name" argument resulted in a trap. There is no reason to disallow such;
+ this was a coding error.
JH/16 Bug 2615: Fix pause during message reception, on systems that have been
suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time
diff --git a/src/src/spam.c b/src/src/spam.c
index bd34dba..3318bff 100644
--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -18,7 +18,7 @@ uschar spam_score_int_buffer[16];
uschar spam_bar_buffer[128];
uschar spam_action_buffer[32];
uschar spam_report_buffer[32600];
-uschar prev_user_name[128] = "";
+uschar * prev_user_name = NULL;
int spam_ok = 0;
int spam_rc = 0;
uschar *prev_spamd_address_work = NULL;
@@ -388,13 +388,12 @@ if (sd->is_rspamd)
}
else
{ /* spamassassin variant */
- (void)string_format(spamd_buffer,
- sizeof(spamd_buffer),
- "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n",
- user_name,
- mbox_size);
+ int n;
+ uschar * s = string_sprintf(
+ "REPORT SPAMC/1.2\r\nUser: %s\r\nContent-length: %ld\r\n\r\n%n",
+ user_name, mbox_size, &n);
/* send our request */
- wrote = send(spamd_cctx.sock, spamd_buffer, Ustrlen(spamd_buffer), 0);
+ wrote = send(spamd_cctx.sock, s, n, 0);
}
if (wrote == -1)
@@ -625,7 +624,7 @@ if (spamd_address_work != spamd_address)
prev_spamd_address_work = string_copy(spamd_address_work);
/* remember user name and "been here" for it */
-Ustrcpy(prev_user_name, user_name);
+prev_user_name = user_name;
spam_ok = 1;
return override
