Avoid exposing passwords in log, on failing ldap lookup expansion. Bug 165
[exim.git] / src / src / rewrite.c
index 296fe8c6b8bb47fc337c195b265b60d6300ca89f..f2a7ff273ae859e88950a6c44f9dc34bf92590b9 100644 (file)
@@ -205,6 +205,24 @@ for (rule = rewrite_rules;
     {
     if (expand_string_forcedfail)
       { if ((rule->flags & rewrite_quit) != 0) break; else continue; }
+
+    /* Avoid potentially exposing a password */
+
+    if (  (  Ustrstr(expand_string_message, "failed to expand") != NULL
+         || Ustrstr(expand_string_message, "expansion of ")    != NULL
+         )
+       && (  Ustrstr(expand_string_message, "mysql")   != NULL
+         || Ustrstr(expand_string_message, "pgsql")   != NULL
+         || Ustrstr(expand_string_message, "redis")   != NULL
+         || Ustrstr(expand_string_message, "sqlite")  != NULL
+         || Ustrstr(expand_string_message, "ldap:")   != NULL
+         || Ustrstr(expand_string_message, "ldaps:")  != NULL
+         || Ustrstr(expand_string_message, "ldapi:")  != NULL
+         || Ustrstr(expand_string_message, "ldapdn:") != NULL
+         || Ustrstr(expand_string_message, "ldapm:")  != NULL
+       )  )
+      expand_string_message = US"Temporary internal error";
+
     log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of %s failed while rewriting: "
       "%s", rule->replacement, expand_string_message);
     break;
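Review bot: The redaction only touches expand_string_message, while the log_write at the end of the hunk still prints `rule->replacement` verbatim, so a rule whose expansion text itself carries the credentials (Exim's ldap query syntax allows `user=`/`pass=` in the lookup string, if I recall the spec correctly) is still exposed whenever the new condition fires; when the match succeeds the replacement should be redacted too, e.g. `log_write(0, LOG_MAIN|LOG_PANIC, "Expansion of a rewrite rule failed while rewriting: %s", expand_string_message);` on that path. The substring test is also an allow-list of lookup names plus two message wordings, so any lookup type not named here, or a message phrased differently, passes through unredacted; a comment above the condition such as `/* Keep this list in sync with the lookup types whose query strings can embed credentials */` would make that maintenance burden explicit. The enclosing for loop over rewrite_rules starts before this hunk.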
@@ -247,8 +265,7 @@ for (rule = rewrite_rules;
 
   /* We have a validly rewritten address */
 
-  if ((log_write_selector & L_address_rewrite) != 0 ||
-      (debug_selector & D_rewrite) != 0)
+  if (LOGGING(address_rewrite) || (debug_selector & D_rewrite) != 0)
     {
     int i;
     const uschar *where = CUS"?";