From 539410bc9241afc004e89d3d35b32af1df46c195 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 29 Aug 2020 20:26:14 +0100 Subject: [PATCH] de-taint any passing belowhome --- doc/doc-docbook/spec.xfpt | 16 ++++++++++------ src/src/transports/appendfile.c | 4 ++-- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 4a22b2e5f..e938703ee 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23025,7 +23025,11 @@ The option must be set to one of the words &"anywhere"&, &"inhome"&, or .wen In the second and third cases, a home directory must have been -set for the transport. This option is not useful when an explicit filename is +set for the transport, and the file or directory being created must +reside within it. +The "belowhome" checking additionally checks for attempts to use "../" +to evade the testing. +This option is not useful when an explicit filename is given for normal mailbox deliveries. It is intended for the case when filenames are generated from users' &_.forward_& files. These are usually handled by an &(appendfile)& transport called &%address_file%&. See also @@ -23035,12 +23039,12 @@ by an &(appendfile)& transport called &%address_file%&. See also In the fourth case, the value given for this option must be an absolute path for an existing directory. -The expansion of either the &%directory%& or &%file%& -option is checked for being a strict (possibly potential) descendant, -in the filesystem, of the value given. +The value is used for checking instead of a home directory; +checking is done in "belowhome" mode. + .cindex "tainted data" "de-tainting" -If the check passes then the path checked becomes de-tainted. -If the check fails then the transport returns failure. +If "belowhome" checking is used, the file or directory path +becomes de-tainted. .wen 
diff --git a/src/src/transports/appendfile.c b/src/src/transports/appendfile.c index 908fd8ad9..95857a53e 100644 --- a/src/src/transports/appendfile.c +++ b/src/src/transports/appendfile.c @@ -1337,7 +1337,7 @@ if (!isdirectory) /*XXX could we just de-taint on belowhome? */ if ( (allow_creation_here = check_creation(path, ob->create_file)) - && *ob->create_file_string == '/') + && ob->create_file == create_belowhome) if (is_tainted(path)) { DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path); @@ -2177,7 +2177,7 @@ else it, de-taint. Otherwise check for taint. */ if (is_tainted(path)) - if (*ob->create_file_string = '/') + if (ob->create_file == create_belowhome) { DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path); path = string_copy_taint(path, FALSE); -- 2.30.2
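Review bot: The context comment `/*XXX could we just de-taint on belowhome? */` directly above the changed condition in the first hunk is now stale, because the new test `ob->create_file == create_belowhome` does exactly what it asks. Clearing taint makes a path derived from untrusted data usable in later file operations, so I would replace it with a statement of the invariant, e.g. `/* check_creation() passed in belowhome mode: path lies under the checked directory with no "../", so it may be de-tainted */`. Whether check_creation() also accounts for symlinked path components is not visible here and is worth recording in that comment either way. The enclosing `if (!isdirectory)` block starts and ends outside the hunk.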
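Review bot: In the second hunk the de-taint is gated on the configured mode alone (`ob->create_file == create_belowhome`), whereas the first hunk also requires `check_creation(path, ob->create_file)` to have succeeded. The code above this hunk is not shown, so if nothing earlier in the branch has run that check on `path`, a tainted path would be cleared without having been validated; in that case the condition should also test a check_creation() result. If the check has already passed, a comment such as `/* path already passed check_creation() in belowhome mode */` would make the dependency explicit. The preceding comment, which ends `it, de-taint. Otherwise check for taint. */`, appears to still describe the old absolute-path condition and should be updated to match.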