Gitweb:
https://git.exim.org/exim.git/commitdiff/bc2767e61d9d31d2fb05078b0214d84d5e68d23d
Commit: bc2767e61d9d31d2fb05078b0214d84d5e68d23d
Parent: 44a16f3a2720c33e8d1500fd2812ef91018c8a2c
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Sep 1 16:17:42 2020 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Tue Sep 1 16:17:42 2020 +0100
ARC: Add basic error-checking on permitted chars in admd & sel for signing. Bug 2639
---
src/src/arc.c | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/src/arc.c b/src/src/arc.c
index 391af07..0617312 100644
--- a/src/src/arc.c
+++ b/src/src/arc.c
@@ -1557,6 +1557,23 @@ return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
+/* Per RFCs 6376, 7489 the only allowed chars in either an ADMD id
+or a selector are ALPHA/DIGGIT/'-'/'.'
+
+Check, to help catch misconfigurations such as a missing selector
+element in the arc_sign list.
+*/
+
+static BOOL
+arc_valid_id(const uschar * s)
+{
+for (uschar c; c = *s++; )
+ if (!isalnum(c) && c != '-' && c != '.') return FALSE;
+return TRUE;
+}
+
+
+
/* ARC signing. Called from the smtp transport, if the arc_sign option is set.
The dkim_exim_sign() function has already been called, so will have hashed the
message body for us so long as we requested a hash previously.
@@ -1595,10 +1612,13 @@ selector = string_nextinlist(&signspec, &sep, NULL, 0);
if ( !*identity || !*selector
|| !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
{
- log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
- !*identity ? "identity" : !*selector ? "selector" : "private-key");
- return sigheaders ? sigheaders : string_get(0);
+ s = !*identity ? US"identity" : !*selector ? US"selector" : US"private-key";
+ goto bad_arg_ret;
}
+if (!arc_valid_id(identity))
+ { s = US"identity"; goto bad_arg_ret; }
+if (!arc_valid_id(selector))
+ { s = US"selector"; goto bad_arg_ret; }
if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
return sigheaders ? sigheaders : string_get(0);
@@ -1718,6 +1738,11 @@ if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
(void) string_from_gstring(g);
gstring_release_unused(g);
return g;
+
+
+bad_arg_ret:
+ log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)", s);
+ return sigheaders ? sigheaders : string_get(0);
}