[exim-cvs] AUTH: avoid logging creds on ACL denial

Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] AUTH: avoid logging creds on ACL denial
Gitweb: https://git.exim.org/exim.git/commitdiff/37a81ae7317bb78b2ff152821930c2ff0873512b
Commit:     37a81ae7317bb78b2ff152821930c2ff0873512b
Parent:     8d7e00e408df4d92c37caabbfd68cdc75ebd2dfb
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Jan 25 14:55:06 2021 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jan 25 14:55:06 2021 +0000


    AUTH: avoid logging creds on ACL denial
---
 doc/doc-txt/ChangeLog |  4 +++
 src/src/smtp_in.c     | 68 ++++++++++++++++++++++++++++++---------------------
 test/log/3450         |  2 +-
 test/log/3460         |  2 +-
 test/rejectlog/3450   |  2 +-
 test/rejectlog/3460   |  2 +-
 6 files changed, 48 insertions(+), 32 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e1381c1..b209912 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -180,6 +180,10 @@ JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext
 JH/37 Enforce the expected size, for fixed-size records read from hints-DB
       files.  For bad sizes read, delete the record and whine to paniclog.


+JH/38 When logging an AUTH failure, as server, do not include sensitive
+      information. Previously, the credentials would be included if given
+      as part of the AUTH command line and an ACL denied authentidcation.
+



 Exim version 4.94
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 0467b22..14dd114 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3279,18 +3279,7 @@ int codelen = 3;
 uschar *smtp_code;
 uschar *lognl;
 uschar *sender_info = US"";
-uschar *what =
-#ifdef WITH_CONTENT_SCAN
-  where == ACL_WHERE_MIME ? US"during MIME ACL checks" :
-#endif
-  where == ACL_WHERE_PREDATA ? US"DATA" :
-  where == ACL_WHERE_DATA ? US"after DATA" :
-#ifndef DISABLE_PRDR
-  where == ACL_WHERE_PRDR ? US"after DATA PRDR" :
-#endif
-  smtp_cmd_data ?
-    string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data) :
-    string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]);
+uschar *what;


if (drop) rc = FAIL;

@@ -3306,19 +3295,45 @@ fixed, sender_address at this point became the rewritten address. I'm not sure
this is what should be logged, so I've changed to logging the unrewritten
address to retain backward compatibility. */

-#ifndef WITH_CONTENT_SCAN
-if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
-#else
-if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
+switch (where)
+  {
+#ifdef WITH_CONTENT_SCAN
+  case ACL_WHERE_MIME:        what = US"during MIME ACL checks";    break;
+#endif
+  case ACL_WHERE_PREDATA:    what = US"DATA";            break;
+  case ACL_WHERE_DATA:        what = US"after DATA";            break;
+#ifndef DISABLE_PRDR
+  case ACL_WHERE_PRDR:        what = US"after DATA PRDR";        break;
 #endif
+  default:
+    {
+    uschar * place = smtp_cmd_data ? smtp_cmd_data : US"in \"connect\" ACL";
+    int lim = 100;
+
+    if (where == ACL_WHERE_AUTH)    /* avoid logging auth creds */
+      {
+      uschar * s;
+      for (s = smtp_cmd_data; *s && !isspace(*s); ) s++;
+      lim = s - smtp_cmd_data;    /* atop after method */
+      }
+    what = string_sprintf("%s %.*s", acl_wherenames[where], lim, place);
+    }
+  }
+switch (where)
   {
-  sender_info = string_sprintf("F=<%s>%s%s%s%s ",
-    sender_address_unrewritten ? sender_address_unrewritten : sender_address,
-    sender_host_authenticated ? US" A="                                    : US"",
-    sender_host_authenticated ? sender_host_authenticated                  : US"",
-    sender_host_authenticated && authenticated_id ? US":"                  : US"",
-    sender_host_authenticated && authenticated_id ? authenticated_id       : US""
-    );
+  case ACL_WHERE_RCPT:
+  case ACL_WHERE_DATA:
+#ifdef WITH_CONTENT_SCAN
+  case ACL_WHERE_MIME:
+#endif
+    sender_info = string_sprintf("F=<%s>%s%s%s%s ",
+      sender_address_unrewritten ? sender_address_unrewritten : sender_address,
+      sender_host_authenticated ? US" A="                                    : US"",
+      sender_host_authenticated ? sender_host_authenticated                  : US"",
+      sender_host_authenticated && authenticated_id ? US":"                  : US"",
+      sender_host_authenticated && authenticated_id ? authenticated_id       : US""
+      );
+  break;
   }


 /* If there's been a sender verification failure with a specific message, and
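Review bot: `int lim = 100;` in the new `default:` case caps the logged command data at 100 bytes for every non-AUTH ACL point (RCPT, MAIL, HELO, …), where the removed initializer logged the whole of `smtp_cmd_data`; that is a behaviour change the ChangeLog entry does not mention, and the number is a bare magic value. Either document the intent at the declaration, e.g. `int lim = 100;    /* max bytes of command data to log at non-AUTH ACL points */`, or, if truncation there was not intended, initialise it to `INT_MAX` from `<limits.h>` so only the AUTH branch shortens the output. The AUTH branch also walks `smtp_cmd_data` unconditionally in `for (s = smtp_cmd_data; *s && !isspace(*s); ) s++;` while the `place` ternary on the line above treats it as possibly NULL; if it can in fact be NULL at ACL_WHERE_AUTH the loop dereferences NULL, so either guard the loop or drop the ternary's NULL case as unreachable there. The comment `/* atop after method */` presumably means `/* stop after method */`. The enclosing function starts before this hunk and continues past it.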
@@ -4035,21 +4050,18 @@ while (done <= 0)
       /* Find the name of the requested authentication mechanism. */


       s = smtp_cmd_data;
-      while ((c = *smtp_cmd_data) != 0 && !isspace(c))
-    {
+      for (; (c = *smtp_cmd_data) && !isspace(c); smtp_cmd_data++)
     if (!isalnum(c) && c != '-' && c != '_')
       {
       done = synprot_error(L_smtp_syntax_error, 501, NULL,
         US"invalid character in authentication mechanism name");
       goto COMMAND_LOOP;
       }
-    smtp_cmd_data++;
-    }


       /* If not at the end of the line, we must be at white space. Terminate the
       name and move the pointer on to any data that may be present. */


-      if (*smtp_cmd_data != 0)
+      if (*smtp_cmd_data)
     {
     *smtp_cmd_data++ = 0;
     while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
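Review bot: The rewritten `for (; (c = *smtp_cmd_data) && !isspace(c); smtp_cmd_data++)` drops the braces the old `while` loop had, leaving a bare multi-line `if` as the loop body; that is correct today but is exactly the shape in which a later added line silently falls outside the loop, so keep the braces around the body. The `!= 0` to truthiness simplifications in this hunk are purely cosmetic and fine. The enclosing command handler starts before this hunk and continues past it.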
diff --git a/test/log/3450 b/test/log/3450
index 3fcb043..5f2fe42 100644
--- a/test/log/3450
+++ b/test/log/3450
@@ -1,4 +1,4 @@


******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH
diff --git a/test/log/3460 b/test/log/3460
index 3fcb043..5f2fe42 100644
--- a/test/log/3460
+++ b/test/log/3460
@@ -1,4 +1,4 @@

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH
diff --git a/test/rejectlog/3450 b/test/rejectlog/3450
index b2fa6d6..8800868 100644
--- a/test/rejectlog/3450
+++ b/test/rejectlog/3450
@@ -1,3 +1,3 @@

******** SERVER ********
-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH
diff --git a/test/rejectlog/3460 b/test/rejectlog/3460
index b2fa6d6..8800868 100644
--- a/test/rejectlog/3460
+++ b/test/rejectlog/3460
@@ -1,3 +1,3 @@

******** SERVER ********
-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH