[exim-cvs] SECURITY: Fix safeguard against upward traversal …

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] SECURITY: Fix safeguard against upward traversal in msglog files.
Gitweb: https://git.exim.org/exim.git/commitdiff/40b8be2e25abb7569a05c839f5d0ab6176307a75
Commit:     40b8be2e25abb7569a05c839f5d0ab6176307a75
Parent:     5dad84609e49ce4c45d29ccb98b1b7b1f296d69e
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Sat Nov 21 22:41:28 2020 +0100
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:36 2021 +0200


    SECURITY: Fix safeguard against upward traversal in msglog files.


    Credits: Qualys


        3/ In src/deliver.c:


         333 static int
         334 open_msglog_file(uschar *filename, int mode, uschar **error)
         335 {
         336 if (Ustrstr(filename, US"/../"))
         337   log_write(0, LOG_MAIN|LOG_PANIC,
         338     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);


        Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
        the /../ attempt but will open the file anyway.


    (cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)
    (cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976)
---
 doc/doc-txt/ChangeLog | 2 ++
 src/src/deliver.c     | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 0e008c9..313dcbf 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -294,6 +294,8 @@ PP/11 Fix security issue in BDAT state confusion.
       mode until after various protocol state checks.
       Fixes CVE-2020-BDATA reported by Qualys.


+HS/03 Die on "/../" in msglog file names
+

 Exim version 4.94
 -----------------
diff --git a/src/src/deliver.c b/src/src/deliver.c
index ba2948d..cf8ab09 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -334,7 +334,7 @@ static int
 open_msglog_file(uschar *filename, int mode, uschar **error)
 {
 if (Ustrstr(filename, US"/../"))
-  log_write(0, LOG_MAIN|LOG_PANIC,
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);


for (int i = 2; i > 0; i--)