[exim-cvs] Fix ${listextract } from a tainted list

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Fix ${listextract } from a tainted list
Gitweb: https://git.exim.org/exim.git/commitdiff/942f0be6c2cd3ec8c39ca234a449561d9d3c1075
Commit:     942f0be6c2cd3ec8c39ca234a449561d9d3c1075
Parent:     94ecf089d68ac5b85c2a99177a8e4b4d35d5aa2e
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Dec 23 22:35:04 2020 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Dec 24 00:16:30 2020 +0000


    Fix ${listextract } from a tainted list
---
 doc/doc-txt/ChangeLog        | 3 +++
 src/src/expand.c             | 7 ++++---
 test/scripts/0000-Basic/0002 | 4 ++++
 test/stdout/0002             | 2 ++
 4 files changed, 13 insertions(+), 3 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 396ec33..c0f8312 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -159,6 +159,9 @@ JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
 JH/32 Bug 2599: fix delay of delivery to a local address where there is also
       a remote which uses callout/hold.  Previously the local was queued.


+JH/33 Fix a taint trap in the ${listextract } expansion when the source data
+      was tainted.
+


Exim version 4.94
-----------------
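Review bot: The JH/33 entry says "a taint trap" without saying what an operator would have seen or which kind of source data triggers it. Since the test added in this commit uses $sender_host_name as the tainted list, naming that as an example input and stating the visible symptom would make the entry easier to match against a report.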
diff --git a/src/src/expand.c b/src/src/expand.c
index 21758d8..839821e 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -1298,15 +1298,16 @@ expand_getlistele(int field, const uschar * list)
{
const uschar * tlist = list;
int sep = 0;
-uschar dummy;
+/* Tainted mem for the throwaway element copies */
+uschar * dummy = store_get(2, TRUE);

if (field < 0)
{
- for (field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
+ for (field++; string_nextinlist(&tlist, &sep, dummy, 1); ) field++;
sep = 0;
}
if (field == 0) return NULL;
-while (--field > 0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
+while (--field > 0 && (string_nextinlist(&list, &sep, dummy, 1))) ;
return string_nextinlist(&list, &sep, NULL, 0);
}
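Review bot: In expand_getlistele the throwaway buffer is now allocated with store_get(2, TRUE), but both string_nextinlist calls that use it still pass a length of 1, so nothing in these lines explains the second byte. Either allocate 1 to match the length argument or extend the comment to say why 2 is required. The allocation also happens on every call, including the field == 0 case that returns NULL without using dummy; allocating only on the paths that skip elements would avoid that.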

diff --git a/test/scripts/0000-Basic/0002 b/test/scripts/0000-Basic/0002
index 70b4e5f..5101be4 100644
--- a/test/scripts/0000-Basic/0002
+++ b/test/scripts/0000-Basic/0002
@@ -1107,3 +1107,7 @@ exim -be
${if inlist{aa}{aa} {in list}{not in list}}
${if !inlist{aa}{aa} {not in list}{in list}}
****
+# listextract from tainted list
+exim -be -oMs my.target.host.name
+'\${listextract {2} {<. $sender_host_name}}' => '${listextract {2} {<. $sender_host_name}}'
+****
diff --git a/test/stdout/0002 b/test/stdout/0002
index 02ba087..b55571c 100644
--- a/test/stdout/0002
+++ b/test/stdout/0002
@@ -1034,3 +1034,5 @@ xyz
> in list
> in list
>

+> '${listextract {2} {<. my.target.host.name}}' => 'target'
+>