1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim maintainers 2020 - 2021 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* This module contains code for extracting addresses from a forwarding list
10 (from an alias or forward file) or by running the filter interpreter. It may do
11 this in a sub-process if a uid/gid are supplied. */
16 enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
18 #define REPLY_EXISTS 0x01
19 #define REPLY_EXPAND 0x02
20 #define REPLY_RETURN 0x04
23 /*************************************************
24 * Check string for filter program *
25 *************************************************/
27 /* This function checks whether a string is actually a filter program. The rule
28 is that it must start with "# Exim filter ..." (any capitalization, spaces
29 optional). It is envisaged that in future, other kinds of filter may be
30 implemented. That's why it is implemented the way it is. The function is global
31 because it is also called from filter.c when checking filters.
35 Returns: FILTER_EXIM if it starts with "# Exim filter"
36 FILTER_SIEVE if it starts with "# Sieve filter"
37 FILTER_FORWARD otherwise
40 /* This is an auxiliary function for matching a tag. */
43 match_tag(const uschar *s, const uschar *tag)
45 for (; *tag; s++, tag++)
48 while (*s == ' ' || *s == '\t') s++;
52 if (tolower(*s) != tolower(*tag)) break;
57 /* This is the real function. It should be easy to add checking different
58 tags for other types of filter. */
61 rda_is_filter(const uschar *s)
63 Uskip_whitespace(&s); /* Skips initial blank lines */
64 if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
65 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
66 else return FILTER_FORWARD;
72 /*************************************************
73 * Check for existence of file *
74 *************************************************/
76 /* First of all, we stat the file. If this fails, we try to stat the enclosing
77 directory, because a file in an unmounted NFS directory will look the same as a
78 non-existent file. It seems that in Solaris 2.6, statting an entry in an
79 indirect map that is currently unmounted does not cause the mount to happen.
80 Instead, dummy data is returned, which defeats the whole point of this test.
81 However, if a stat() is done on some object inside the directory, such as the
82 "." back reference to itself, then the mount does occur. If an NFS host is
83 taken offline, it is possible for the stat() to get stuck until it comes back.
84 To guard against this, stick a timer round it. If we can't access the "."
85 inside the directory, try the plain directory, just in case that helps.
88 filename the file name
89 error for message on error
91 Returns: FILE_EXIST the file exists
92 FILE_NOT_EXIST the file does not exist
93 FILE_EXIST_UNCLEAR cannot determine existence
97 rda_exists(uschar *filename, uschar **error)
103 if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
106 s = string_copy(filename);
107 sigalrm_seen = FALSE;
109 if (saved_errno == ENOENT)
111 uschar * slash = Ustrrchr(s, '/');
112 Ustrcpy(slash+1, US".");
115 rc = Ustat(s, &statbuf);
116 if (rc != 0 && errno == EACCES && !sigalrm_seen)
119 rc = Ustat(s, &statbuf);
124 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
127 if (sigalrm_seen || rc != 0)
129 *error = string_sprintf("failed to stat %s (%s)", s,
130 sigalrm_seen? "timeout" : strerror(saved_errno));
131 return FILE_EXIST_UNCLEAR;
134 *error = string_sprintf("%s does not exist", filename);
135 DEBUG(D_route) debug_printf("%s\n", *error);
136 return FILE_NOT_EXIST;
141 /*************************************************
142 * Get forwarding list from a file *
143 *************************************************/
145 /* Open a file and read its entire contents into a block of memory. Certain
146 opening errors are optionally treated the same as "file does not exist".
148 ENOTDIR means that something along the line is not a directory: there are
149 installations that set home directories to be /dev/null for non-login accounts
150 but in normal circumstances this indicates some kind of configuration error.
152 EACCES means there's a permissions failure. Some users turn off read permission
153 on a .forward file to suspend forwarding, but this is probably an error in any
154 kind of mailing list processing.
156 The redirect block that contains the file name also contains constraints such
157 as who may own the file, and mode bits that must not be set. This function is
160 rdata rdirect block, containing file name and constraints
161 options for the RDO_ENOTDIR and RDO_EACCES options
162 error where to put an error message
163 yield what to return from rda_interpret on error
165 Returns: pointer to string in store; NULL on error
169 rda_get_file_contents(const redirect_block *rdata, int options, uschar **error,
174 uschar *filename = rdata->string;
175 BOOL uid_ok = !rdata->check_owner;
176 BOOL gid_ok = !rdata->check_group;
179 /* Reading a file is a form of expansion; we wish to deny attackers the
180 capability to specify the file name. */
182 if ((*error = is_tainted2(filename, 0, "Tainted name '%s' for file read not permitted\n", filename)))
188 /* Attempt to open the file. If it appears not to exist, check up on the
189 containing directory by statting it. If the directory does not exist, we treat
190 this situation as an error (which will cause delivery to defer); otherwise we
191 pass back FF_NONEXIST, which causes the redirect router to decline.
193 However, if the ignore_enotdir option is set (to ignore "something on the
194 path is not a directory" errors), the right behaviour seems to be not to do the
197 if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
199 case ENOENT: /* File does not exist */
200 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
201 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
203 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
204 ? FF_NONEXIST : FF_ERROR;
207 case ENOTDIR: /* Something on the path isn't a directory */
208 if (!(options & RDO_ENOTDIR)) goto DEFAULT_ERROR;
209 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
210 "exist\n", filename);
211 *yield = FF_NONEXIST;
214 case EACCES: /* Permission denied */
215 if (!(options & RDO_EACCES)) goto DEFAULT_ERROR;
216 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
217 "exist\n", filename);
218 *yield = FF_NONEXIST;
223 *error = string_open_failed("%s", filename);
228 /* Check that we have a regular file. */
230 if (fstat(fileno(fwd), &statbuf) != 0)
232 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
236 if ((statbuf.st_mode & S_IFMT) != S_IFREG)
238 *error = string_sprintf("%s is not a regular file", filename);
242 /* Check for unwanted mode bits */
244 if ((statbuf.st_mode & rdata->modemask) != 0)
246 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
247 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
251 /* Check the file owner and file group if required to do so. */
254 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
256 else if (rdata->owners)
257 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
258 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
261 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
263 else if (rdata->owngroups)
264 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
265 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
267 if (!uid_ok || !gid_ok)
269 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
273 /* Put an upper limit on the size of the file, just to stop silly people
274 feeding in ridiculously large files, which can easily be created by making
275 files that have holes in them. */
277 if (statbuf.st_size > MAX_FILTER_SIZE)
279 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
283 /* Read the file in one go in order to minimize the time we have it open. */
285 filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
287 if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
289 *error = string_sprintf("error while reading %s: %s",
290 filename, strerror(errno));
293 filebuf[statbuf.st_size] = 0;
295 DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
296 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
301 /* Return an error: the string is already set up. */
311 /*************************************************
312 * Extract info from list or filter *
313 *************************************************/
315 /* This function calls the appropriate function to extract addresses from a
316 forwarding list, or to run a filter file and get addresses from there.
319 rdata the redirection block
320 options the options bits
321 include_directory restrain to this directory
322 sieve_vacation_directory passed to sieve_interpret
323 sieve_enotify_mailto_owner passed to sieve_interpret
324 sieve_useraddress passed to sieve_interpret
325 sieve_subaddress passed to sieve_interpret
326 generated where to hang generated addresses
327 error for error messages
328 eblockp for details of skipped syntax errors
330 filtertype set to the filter type:
331 FILTER_FORWARD => a traditional .forward file
332 FILTER_EXIM => an Exim filter file
333 FILTER_SIEVE => a Sieve filter file
334 a system filter is always forced to be FILTER_EXIM
336 Returns: a suitable return for rda_interpret()
340 rda_extract(const redirect_block * rdata, int options,
341 const uschar * include_directory, const uschar * sieve_vacation_directory,
342 const uschar * sieve_enotify_mailto_owner, const uschar * sieve_useraddress,
343 const uschar * sieve_subaddress, address_item ** generated, uschar ** error,
344 error_block ** eblockp, int * filtertype)
351 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
354 else data = rdata->string;
356 *filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
358 /* Filter interpretation is done by a general function that is also called from
359 the filter testing option (-bf). There are two versions: one for Exim filtering
360 and one for Sieve filtering. Several features of string expansion may be locked
361 out at sites that don't trust users. This is done by setting flags in
362 expand_forbid that the expander inspects. */
364 if (*filtertype != FILTER_FORWARD)
367 int old_expand_forbid = expand_forbid;
369 DEBUG(D_route) debug_printf("data is %s filter program\n",
370 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
372 /* RDO_FILTER is an "allow" bit */
374 if (!(options & RDO_FILTER))
376 *error = US"filtering not enabled";
381 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
383 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
385 if (*filtertype == FILTER_EXIM)
387 if ((options & RDO_EXIM_FILTER) != 0)
389 *error = US"Exim filtering not enabled";
392 frc = filter_interpret(data, options, generated, error);
396 if (options & RDO_SIEVE_FILTER)
398 *error = US"Sieve filtering not enabled";
401 frc = sieve_interpret(data, options, sieve_vacation_directory,
402 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
406 expand_forbid = old_expand_forbid;
410 /* Not a filter script */
412 DEBUG(D_route) debug_printf("file is not a filter file\n");
414 return parse_forward_list(data,
415 options, /* specials that are allowed */
416 generated, /* where to hang them */
417 error, /* for errors */
418 deliver_domain, /* to qualify \name */
419 include_directory, /* restrain to directory */
420 eblockp); /* for skipped syntax errors */
426 /*************************************************
427 * Write string down pipe *
428 *************************************************/
430 /* This function is used for transferring a string down a pipe between
431 processes. If the pointer is NULL, a length of zero is written.
437 Returns: -1 on error, else 0
441 rda_write_string(int fd, const uschar *s)
443 int len = s ? Ustrlen(s) + 1 : 0;
444 return ( write(fd, &len, sizeof(int)) != sizeof(int)
445 || (s && write(fd, s, len) != len)
452 /*************************************************
453 * Read string from pipe *
454 *************************************************/
456 /* This function is used for receiving a string from a pipe.
460 sp where to put the string
462 Returns: FALSE if data missing
466 rda_read_string(int fd, uschar **sp)
470 if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
474 /* We know we have enough memory so disable the error on "len" */
475 /* coverity[tainted_data] */
476 /* We trust the data source, so untainted */
477 if (read(fd, *sp = store_get(len, FALSE), len) != len) return FALSE;
483 /*************************************************
484 * Interpret forward list or filter *
485 *************************************************/
487 /* This function is passed a forward list string (unexpanded) or the name of a
488 file (unexpanded) whose contents are the forwarding list. The list may in fact
489 be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
490 types of filter, with different initial tag strings, may be introduced in due
493 The job of the function is to process the forwarding list or filter. It is
494 pulled out into this separate function, because it is used for system filter
495 files as well as from the redirect router.
497 If the function is given a uid/gid, it runs a subprocess that passes the
498 results back via a pipe. This provides security for things like :include:s in
499 users' .forward files, and "logwrite" calls in users' filter files. A
500 sub-process is NOT used when:
502 . No uid/gid is provided
503 . The input is a string which is not a filter string, and does not contain
505 . The input is a file whose non-existence can be detected in the main
506 process (which is usually running as root).
509 rdata redirect data (file + constraints, or data string)
510 options options to pass to the extraction functions,
511 plus ENOTDIR and EACCES handling bits
512 include_directory restrain :include: to this directory
513 sieve_vacation_directory directory passed to sieve_interpret
514 sieve_enotify_mailto_owner passed to sieve_interpret
515 sieve_useraddress passed to sieve_interpret
516 sieve_subaddress passed to sieve_interpret
517 ugid uid/gid to run under - if NULL, no change
518 generated where to hang generated addresses, initially NULL
519 error pointer for error message
520 eblockp for skipped syntax errors; NULL if no skipping
521 filtertype set to the type of file:
522 FILTER_FORWARD => traditional .forward file
523 FILTER_EXIM => an Exim filter file
524 FILTER_SIEVE => a Sieve filter file
525 a system filter is always forced to be FILTER_EXIM
526 rname router name for error messages in the format
527 "xxx router" or "system filter"
529 Returns: values from extraction function, or FF_NONEXIST:
530 FF_DELIVERED success, a significant action was taken
531 FF_NOTDELIVERED success, no significant action
532 FF_BLACKHOLE :blackhole:
533 FF_DEFER defer requested
534 FF_FAIL fail requested
535 FF_INCLUDEFAIL some problem with :include:
536 FF_FREEZE freeze requested
537 FF_ERROR there was a problem
538 FF_NONEXIST the file does not exist
542 rda_interpret(redirect_block * rdata, int options,
543 const uschar * include_directory, const uschar * sieve_vacation_directory,
544 const uschar * sieve_enotify_mailto_owner, const uschar * sieve_useraddress,
545 const uschar * sieve_subaddress, const ugid_block * ugid, address_item ** generated,
546 uschar ** error, error_block ** eblockp, int * filtertype, const uschar * rname)
550 BOOL had_disaster = FALSE;
553 uschar *readerror = US"";
554 void (*oldsignal)(int);
556 DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
557 rdata->isfile ? "file" : "string", string_printing(rdata->string));
559 /* Do the expansions of the file name or data first, while still privileged. */
561 if (!(data = expand_string(rdata->string)))
563 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
564 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
565 expand_string_message);
568 rdata->string = data;
571 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
573 if (rdata->isfile && data[0] != '/')
575 *error = string_sprintf("\"%s\" is not an absolute path", data);
579 /* If no uid/gid are supplied, or if we have a data string which does not start
580 with #Exim filter or #Sieve filter, and does not contain :include:, do all the
581 work in this process. Note that for a system filter, we always have a file, so
582 the work is done in this process only if no user is supplied. */
584 if (!ugid->uid_set || /* Either there's no uid, or */
585 (!rdata->isfile && /* We've got the data, and */
586 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
587 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
588 return rda_extract(rdata, options, include_directory,
589 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
590 sieve_subaddress, generated, error, eblockp, filtertype);
592 /* We need to run the processing code in a sub-process. However, if we can
593 determine the non-existence of a file first, we can decline without having to
594 create the sub-process. */
596 if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
599 /* If the file does exist, or we can't tell (non-root mounted NFS directory)
600 we have to create the subprocess to do everything as the given user. The
601 results of processing are passed back via a pipe. */
604 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
605 ":include: failed for %s: %s", rname, strerror(errno));
607 /* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
608 process can be waited for. We sometimes get here with it set otherwise. Save
609 the old state for resetting on the wait. Ensure that all cached resources are
610 freed so that the subprocess starts with a clean slate and doesn't interfere
611 with the parent process. */
613 oldsignal = signal(SIGCHLD, SIG_DFL);
616 if ((pid = exim_fork(US"router-interpret")) == 0)
618 header_line *waslast = header_last; /* Save last header */
621 fd = pfd[pipe_write];
622 (void)close(pfd[pipe_read]);
624 if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
625 if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
627 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
629 /* Addresses can get rewritten in filters; if we are not root or the exim
630 user (and we probably are not), turn off rewrite logging, because we cannot
631 write to the log now. */
633 if (ugid->uid != root_uid && ugid->uid != exim_uid)
635 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
636 "root or exim in this process)\n");
637 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
640 /* Now do the business */
642 yield = rda_extract(rdata, options, include_directory,
643 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
644 sieve_subaddress, generated, error, eblockp, filtertype);
646 /* Pass back whether it was a filter, and the return code and any overall
647 error text via the pipe. */
649 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
650 || write(fd, &yield, sizeof(int)) != sizeof(int)
651 || rda_write_string(fd, *error) != 0
655 /* Pass back the contents of any syntax error blocks if we have a pointer */
659 for (error_block * ep = *eblockp; ep; ep = ep->next)
660 if ( rda_write_string(fd, ep->text1) != 0
661 || rda_write_string(fd, ep->text2) != 0
664 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
668 /* If this is a system filter, we have to pass back the numbers of any
669 original header lines that were removed, and then any header lines that were
670 added but not subsequently removed. */
672 if (f.system_filtering)
675 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
676 if ( h->type == htype_old
677 && write(fd, &i, sizeof(i)) != sizeof(i)
682 if (write(fd, &i, sizeof(i)) != sizeof(i))
685 while (waslast != header_last)
687 waslast = waslast->next;
688 if (waslast->type != htype_old)
689 if ( rda_write_string(fd, waslast->text) != 0
690 || write(fd, &(waslast->type), sizeof(waslast->type))
691 != sizeof(waslast->type)
695 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
699 /* Write the contents of the $n variables */
701 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
704 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
705 addresses, and their associated information, through the pipe. This is
706 just tedious, but it seems to be the only safe way. We do this also for
707 FAIL and FREEZE, because a filter is allowed to set up deliveries that
708 are honoured before freezing or failing. */
710 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
711 yield == FF_FAIL || yield == FF_FREEZE)
713 for (address_item * addr = *generated; addr; addr = addr->next)
715 int reply_options = 0;
716 int ig_err = addr->prop.ignore_error ? 1 : 0;
718 if ( rda_write_string(fd, addr->address) != 0
719 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
720 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
721 || rda_write_string(fd, addr->prop.errors_address) != 0
722 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
726 if (addr->pipe_expandn)
727 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
728 if (rda_write_string(fd, *pp) != 0)
730 if (rda_write_string(fd, NULL) != 0)
735 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
740 reply_options |= REPLY_EXISTS;
741 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
742 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
743 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
744 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
746 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
748 || rda_write_string(fd, addr->reply->to) != 0
749 || rda_write_string(fd, addr->reply->cc) != 0
750 || rda_write_string(fd, addr->reply->bcc) != 0
751 || rda_write_string(fd, addr->reply->from) != 0
752 || rda_write_string(fd, addr->reply->reply_to) != 0
753 || rda_write_string(fd, addr->reply->subject) != 0
754 || rda_write_string(fd, addr->reply->headers) != 0
755 || rda_write_string(fd, addr->reply->text) != 0
756 || rda_write_string(fd, addr->reply->file) != 0
757 || rda_write_string(fd, addr->reply->logfile) != 0
758 || rda_write_string(fd, addr->reply->oncelog) != 0
764 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
768 /* OK, this process is now done. Free any cached resources. Must use _exit()
774 exim_underbar_exit(EXIT_SUCCESS);
777 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
781 /* Back in the main process: panic if the fork did not succeed. */
784 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
786 /* Read the pipe to get the data from the filter/forward. Our copy of the
787 writing end must be closed first, as otherwise read() won't return zero on an
788 empty pipe. Afterwards, close the reading end. */
790 (void)close(pfd[pipe_write]);
792 /* Read initial data, including yield and contents of *error */
795 if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
796 read(fd, &yield, sizeof(int)) != sizeof(int) ||
797 !rda_read_string(fd, error)) goto DISASTER;
799 /* Read the contents of any syntax error blocks if we have a pointer */
804 for (error_block ** p = eblockp; ; p = &e->next)
807 if (!rda_read_string(fd, &s)) goto DISASTER;
809 e = store_get(sizeof(error_block), FALSE);
812 if (!rda_read_string(fd, &s)) goto DISASTER;
818 /* If this is a system filter, read the identify of any original header lines
819 that were removed, and then read data for any new ones that were added. */
821 if (f.system_filtering)
824 header_line *h = header_list;
829 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
834 if (!(h = h->next)) goto DISASTER_NO_HEADER;
843 if (!rda_read_string(fd, &s)) goto DISASTER;
845 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
846 header_add(type, "%s", s);
850 /* Read the values of the $n variables */
852 if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
854 /* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
855 addresses and data to go with them. Keep them in the same order in the
858 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
859 yield == FF_FAIL || yield == FF_FREEZE)
861 address_item **nextp = generated;
865 int i, reply_options;
868 uschar *expandn[EXPAND_MAXN + 2];
870 /* First string is the address; NULL => end of addresses */
872 if (!rda_read_string(fd, &recipient)) goto DISASTER;
873 if (!recipient) break;
875 /* Hang on the end of the chain */
877 addr = deliver_make_addr(recipient, FALSE);
879 nextp = &(addr->next);
881 /* Next comes the mode and the flags fields */
883 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
884 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
885 || !rda_read_string(fd, &addr->prop.errors_address)
886 || read(fd, &i, sizeof(i)) != sizeof(i)
889 addr->prop.ignore_error = (i != 0);
891 /* Next comes a possible setting for $thisaddress and any numerical
892 variables for pipe expansion, terminated by a NULL string. The maximum
893 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
894 into the zeroth item in the vector - this is sorted out inside the pipe
897 for (i = 0; i < EXPAND_MAXN + 1; i++)
900 if (!rda_read_string(fd, &temp)) goto DISASTER;
901 if (i == 0) filter_thisaddress = temp; /* Just in case */
903 if (temp == NULL) break;
908 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), FALSE);
909 addr->pipe_expandn[i] = NULL;
910 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
913 /* Then an int containing reply options; zero => no reply data. */
915 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
916 if ((reply_options & REPLY_EXISTS) != 0)
918 addr->reply = store_get(sizeof(reply_item), FALSE);
920 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
921 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
923 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
925 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
927 !rda_read_string(fd, &addr->reply->to) ||
928 !rda_read_string(fd, &addr->reply->cc) ||
929 !rda_read_string(fd, &addr->reply->bcc) ||
930 !rda_read_string(fd, &addr->reply->from) ||
931 !rda_read_string(fd, &addr->reply->reply_to) ||
932 !rda_read_string(fd, &addr->reply->subject) ||
933 !rda_read_string(fd, &addr->reply->headers) ||
934 !rda_read_string(fd, &addr->reply->text) ||
935 !rda_read_string(fd, &addr->reply->file) ||
936 !rda_read_string(fd, &addr->reply->logfile) ||
937 !rda_read_string(fd, &addr->reply->oncelog))
943 /* All data has been transferred from the sub-process. Reap it, close the
944 reading end of the pipe, and we are done. */
947 while ((rc = wait(&status)) != pid)
948 if (rc < 0 && errno == ECHILD) /* Process has vanished */
950 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
955 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
959 *error = string_sprintf("internal problem in %s: failure to transfer "
960 "data from subprocess: status=%04x%s%s%s", rname,
962 *error ? US": error=" : US"",
963 *error ? *error : US"");
964 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
966 else if (status != 0)
967 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
968 "%04x from redirect subprocess (but data correctly received)", rname,
973 signal(SIGCHLD, oldsignal); /* restore */
977 /* Come here if the data indicates removal of a header that we can't find */
980 readerror = US" readerror=bad header identifier";
985 /* Come here is there's a shambles in transferring the data over the pipe. The
986 value of errno should still be set. */
989 readerror = string_sprintf(" readerror='%s'", strerror(errno));