[exim-cvs] Taint: enforce untainted ACL text line

Gitweb: https://git.exim.org/exim.git/commitdiff/82fecf8fd8f749abfc538a06d9eefc7119e014ae

Commit:     82fecf8fd8f749abfc538a06d9eefc7119e014ae
Parent:     b9ab1e966ed95017bd6fc45acd04e09ec0c128ed
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Apr 25 13:02:01 2021 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Apr 25 21:40:07 2021 +0100

    Taint: enforce untainted ACL text line
---
 doc/doc-txt/ChangeLog |  4 ++++
 src/src/acl.c         | 28 ++++++++++++++++++++--------
 2 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 916a4c4..68cec85 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -241,6 +241,10 @@ JH/50 Bug 2672: QT elements in log lines, unless disabled, now exclude the
       The historical behaviour can be restored by disabling (a new) log_selector
       "queue_time_exclusive".

+JH/51 Taint-check ACL line.  Previously, only filenames (for out-of-line ACL
+      content) were specifically tested for.  Now, also cover epxansions
+      rerulting in acl names and inline ACL content.
+

Exim version 4.94
diff --git a/src/src/acl.c b/src/src/acl.c
index 2f20821..ce8d218 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -4088,6 +4088,26 @@ while (isspace(*ss)) ss++;

acl_text = ss;

+#ifdef notyet_taintwarn
+if (  !f.running_in_test_harness
+   &&  is_tainted2(acl_text, LOG_MAIN|LOG_PANIC,
+              "attempt to use tainted ACL text \"%s\"", acl_text))
+  {
+  /* Avoid leaking info to an attacker */
+  *log_msgptr = US"internal configuration error";
+  return ERROR;
+  }
+#else
+if (is_tainted(acl_text) && !f.running_in_test_harness)
+  {
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "attempt to use tainted ACL text \"%s\"", acl_text);
+  /* Avoid leaking info to an attacker */
+  *log_msgptr = US"internal configuration error";
+  return ERROR;
+  }
+#endi
+
 /* Handle the case of a string that does not contain any spaces. Look for a
 named ACL among those read from the configuration, or a previously read file.
 It is possible that the pointer to the ACL is NULL if the configuration
@@ -4111,14 +4131,6 @@ if (Ustrchr(ss, ' ') == NULL)
   else if (*ss == '/')
     {
     struct stat statbuf;
-    if (is_tainted(ss))
-      {
-      log_write(0, LOG_MAIN|LOG_PANIC,
-    "attempt to open tainted ACL file name \"%s\"", ss);
-      /* Avoid leaking info to an attacker */
-      *log_msgptr = US"internal configuration error";
-      return ERROR;
-      }
     if ((fd = Uopen(ss, O_RDONLY, 0)) < 0)
       {
       *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,