Gitweb:
https://git.exim.org/exim.git/commitdiff/40b8be2e25abb7569a05c839f5d0ab6176307a75
Commit: 40b8be2e25abb7569a05c839f5d0ab6176307a75
Parent: 5dad84609e49ce4c45d29ccb98b1b7b1f296d69e
Author: Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Sat Nov 21 22:41:28 2020 +0100
Committer: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:36 2021 +0200
SECURITY: Fix safeguard against upward traversal in msglog files.
Credits: Qualys
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.
(cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)
(cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976)
---
doc/doc-txt/ChangeLog | 2 ++
src/src/deliver.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 0e008c9..313dcbf 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -294,6 +294,8 @@ PP/11 Fix security issue in BDAT state confusion.
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
+HS/03 Die on "/../" in msglog file names
+
Exim version 4.94
-----------------
diff --git a/src/src/deliver.c b/src/src/deliver.c
index ba2948d..cf8ab09 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -334,7 +334,7 @@ static int
open_msglog_file(uschar *filename, int mode, uschar **error)
{
if (Ustrstr(filename, US"/../"))
- log_write(0, LOG_MAIN|LOG_PANIC,
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
for (int i = 2; i > 0; i--)
