Gitweb:
https://git.exim.org/exim.git/commitdiff/f78e417c3c2e7348ce58bb03efc7343bb6d32383
Commit: f78e417c3c2e7348ce58bb03efc7343bb6d32383
Parent: 5bb786d5ad568a88d50d15452aacc8404047e5ca
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Dec 25 16:50:23 2023 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Dec 25 18:34:40 2023 +0000
Testsuite: testcase for "smtp smuggling". Bug 3063
Also remove the unneeded sync point added in cf1376206284
---
doc/doc-txt/ChangeLog | 5 +----
src/src/smtp_in.c | 3 ---
test/log/0900 | 1 +
test/scripts/0000-Basic/0900 | 33 +++++++++++++++++++++++++++++++++
test/stdout/0900 | 44 ++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 79 insertions(+), 7 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 56b0aca9b..a7b8b68c7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -58,10 +58,7 @@ JH/11 Bug 3046: Fix queue-runs. Previously, the arrivel of a notification or
the latter being missed, and no further queue scheduled runs being
initiated. This ouwld be more likely on high-load systems.
-JH/12 Enforce a data synch check before emitting the 354 "go ahead". Previously
- this was only done if a pre-data ACL was configured.
-
-JH/13 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
+JH/12 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
LF-only mode (as detected from the first header line). Previously we did
accept that in (normal) CRLF mode; this has been raised as a possible
attack scenario (under the name "smtp smuggling").
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index aeaffeb37..541288301 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5113,10 +5113,7 @@ while (done <= 0)
dummy call to get the DATA command sent. */
if (!acl_smtp_predata && cutthrough.cctx.sock < 0)
- {
- if (!check_sync()) goto SYNC_FAILURE;
rc = OK;
- }
else
{
uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
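Review bot: The `rc = OK;` branch for the no-predata-ACL, no-cutthrough case has no comment saying that early (pipelined) input is deliberately left unchecked before the 354 is issued. The ChangeLog entry removed by this commit suggests a sync check still happens when a pre-data ACL is configured, so the two branches presumably differ by design, with the smuggling defence living in the end-of-DATA handling outside this hunk. Without a note, a later reader may reinstate the check or assume it is still there. I would add above `rc = OK;` something like `/* No sync check here: the dot-LF "smtp smuggling" case is refused by the data reader (Bug 3063) */`. The enclosing `while (done <= 0)` loop and the `else` block both continue outside the hunk.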
diff --git a/test/log/0900 b/test/log/0900
index 00d13e443..a7852da37 100644
--- a/test/log/0900
+++ b/test/log/0900
@@ -16,3 +16,4 @@
2017-07-30 18:51:05.712 10HmbG-000000005vi-0000 <= some6ne@??? H=(tester) [127.0.0.1] Ci=p1243 P=esmtp K S=sss for CALLER@???
2017-07-30 18:51:05.712 rejected from <someone@???> H=(tester) [127.0.0.1]: Non-CRLF-terminated header, under CHUNKING: message abandoned
2017-07-30 18:51:05.712 10HmbH-000000005vi-0000 <= someone@??? H=(tester) [127.0.0.1] Ci=p1244 P=esmtp K S=sss for CALLER@???
+2017-07-30 18:51:05.712 10HmbI-000000005vi-0000 <= legit@??? H=(smuggler) [127.0.0.1] Ci=p1245 P=esmtp S=sss for CALLER@???
diff --git a/test/scripts/0000-Basic/0900 b/test/scripts/0000-Basic/0900
index 4edc82952..9e293c6aa 100644
--- a/test/scripts/0000-Basic/0900
+++ b/test/scripts/0000-Basic/0900
@@ -373,6 +373,39 @@ quit
??? 221
****
#
+# Test for smtp-smuggling. Accepting only one message is good; two is bad.
+client 127.0.0.1 PORT_D
+??? 220
+ehlo smuggler
+??? 250-
+??? 250-SIZE
+??? 250-8BITMIME
+??? 250-PIPELINING
+??? 250-CHUNKING
+??? 250 HELP
+MAIL FROM:<legit@???>
+??? 250
+RCPT TO:<CALLER@???>
+??? 250
+DATA
+??? 354
+Subject: test of smuggled smtp
+
+This is body for initial message
+The next line is a bogus end-of-data attempt, followed by a try at a smuggled message:
+>>> .\n
+mail from:<smuggler@y>
+rcpt to:<CALLER@???>
+bdat 86 last
+Subject: send me all your money!
+
+All your bases are belong to us. Send Bitcoins.
+QUIT
+.
+??? 250
+QUIT
+??? 221
+****
#
killdaemon
no_msglog_check
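Review bot: The new case's comment says one accepted message is good and two is bad, but the script lines themselves do not assert the count. The only reply checked after the body is the single `??? 250`, so detecting a second message appears to rest on the comparison against test/log/0900, which gains exactly one `<=` line. I would state that in the comment, e.g. `# Pass criterion: exactly one "<=" log line (from legit@); a second from smuggler@y means dot-LF was taken as end-of-data.` The case also exercises only the `.\n` terminator inside a CRLF-mode message. Whether the LF-only-mode acceptance path described in the ChangeLog is covered elsewhere in this file is not visible from the hunk.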
diff --git a/test/stdout/0900 b/test/stdout/0900
index 9fe0eb7de..a5b8d91f8 100644
--- a/test/stdout/0900
+++ b/test/stdout/0900
@@ -528,3 +528,47 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 221
<<< 221 testhost.test.ex closing connection
End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 testhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo smuggler
+??? 250-
+<<< 250-testhost.test.ex Hello smuggler [127.0.0.1]
+??? 250-SIZE
+<<< 250-SIZE 52428800
+??? 250-8BITMIME
+<<< 250-8BITMIME
+??? 250-PIPELINING
+<<< 250-PIPELINING
+??? 250-CHUNKING
+<<< 250-CHUNKING
+??? 250 HELP
+<<< 250 HELP
+>>> MAIL FROM:<legit@???>
+??? 250
+<<< 250 OK
+>>> RCPT TO:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 354
+<<< 354 Enter message, ending with "." on a line by itself
+>>> Subject: test of smuggled smtp
+>>>
+>>> This is body for initial message
+>>> The next line is a bogus end-of-data attempt, followed by a try at a smuggled message:
+>>> .\n
+>>> mail from:<smuggler@y>
+>>> rcpt to:<CALLER@???>
+>>> bdat 86 last
+>>> Subject: send me all your money!
+>>>
+>>> All your bases are belong to us. Send Bitcoins.
+>>> QUIT
+>>> .
+??? 250
+<<< 250 OK id=10HmbI-000000005vi-0000
+>>> QUIT
+??? 221
+<<< 221 testhost.test.ex closing connection
+End of script