.wen
In the second and third cases, a home directory must have been
-set for the transport. This option is not useful when an explicit filename is
+set for the transport, and the file or directory being created must
+reside within it.
+The "belowhome" checking additionally checks for attempts to use "../"
+to evade the testing.
+This option is not useful when an explicit filename is
given for normal mailbox deliveries. It is intended for the case when filenames
are generated from users' &_.forward_& files. These are usually handled
by an &(appendfile)& transport called &%address_file%&. See also
In the fourth case,
the value given for this option must be an absolute path for an
existing directory.
-The expansion of either the &%directory%& or &%file%&
-option is checked for being a strict (possibly potential) descendant,
-in the filesystem, of the value given.
+The value is used for checking instead of a home directory;
+checking is done in "belowhome" mode.
+
.cindex "tainted data" "de-tainting"
-If the check passes then the path checked becomes de-tainted.
-If the check fails then the transport returns failure.
+If "belowhome" checking is used, the file or directory path
+becomes de-tainted.
.wen
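Review bot: The replacement text at the end of this hunk drops the failure case and makes the de-taint read as unconditional. The removed lines said "If the check passes then the path checked becomes de-tainted. If the check fails then the transport returns failure.", while the added lines say only that the path becomes de-tainted if "belowhome" checking is used. The code change in this same patch de-taints only when check_creation() returns true and create_file is create_belowhome, so the text should say that the path is de-tainted when the check passes, and should keep a sentence on what the transport does when it fails. The added "../" sentence earlier in the hunk has the same gap: it says such attempts are checked for but not that they make the check fail.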
/*XXX could we just de-taint on belowhome? */
if ( (allow_creation_here = check_creation(path, ob->create_file))
- && *ob->create_file_string == '/')
+ && ob->create_file == create_belowhome)
if (is_tainted(path))
{
DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
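Review bot: The context comment at the top of this hunk, /*XXX could we just de-taint on belowhome? */, is stale once the condition becomes ob->create_file == create_belowhome, because the code now does exactly what the comment asks about. Replace it with a comment stating why a path that has passed the belowhome check is safe to de-taint. The outer if and the following if (is_tainted(path)) are stacked without braces, which is easy to misread next to the assignment to allow_creation_here; folding is_tainted(path) into the && chain or bracing the outer if would make the intent clearer.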
it, de-taint. Otherwise check for taint. */
if (is_tainted(path))
- if (*ob->create_file_string = '/')
+ if (ob->create_file == create_belowhome)
{
DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
path = string_copy_taint(path, FALSE);
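Review bot: The removed condition if (*ob->create_file_string = '/') is an assignment rather than a comparison, so it was always true and also wrote '/' into the option string. The old code therefore de-tainted every tainted path that reached this point, and the replacement is a behaviour change, not only a cleanup; please say so in the commit message or ChangeLog. Unlike the previous hunk, the lines visible here test only ob->create_file == create_belowhome and not the result of check_creation(). If that check is made above this context, the comment should say so; otherwise it should be added to the condition before string_copy_taint(path, FALSE) runs.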