Gitweb:
https://git.exim.org/exim.git/commitdiff/a9ac2d7fc219e41a353abf1f599258b9b9d21b7e
Commit: a9ac2d7fc219e41a353abf1f599258b9b9d21b7e
Parent: f517c5879577b17586548fd4ba70ce9cfb862369
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Jul 7 22:19:07 2021 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Wed Jul 7 22:23:03 2021 +0100
Fix tainted message for fakereject
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/acl.c | 6 ++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cc589c5..dc9d9d8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -320,6 +320,10 @@ JH/56 Make the majority of info read from config files readonly, for defence-in-
depth against exploits. Suggestion by Qualsy.
Not supported on Solaris 10.
+JH/57 Fix control=fakreject for a custom message containing tainted data.
+ Previously this resulted in a log complaint, due to a re-expansion present
+ since fakereject was originally introduced.
+
Exim version 4.94
-----------------
diff --git a/src/src/acl.c b/src/src/acl.c
index 1bf1187..89947f4 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -3235,13 +3235,15 @@ for (; cb; cb = cb->next)
case CONTROL_FAKEREJECT:
cancel_cutthrough_connection(TRUE, US"fakereject");
- case CONTROL_FAKEDEFER:
+ case CONTROL_FAKEDEFER:
fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
if (*p == '/')
{
const uschar *pp = p + 1;
while (*pp) pp++;
- fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
+ /* The entire control= line was expanded at top so no need to expand
+ the part after the / */
+ fake_response_text = string_copyn(p+1, pp-p-1);
p = pp;
}
else /* Explicitly reset to default string */
