1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* This module contains code for extracting addresses from a forwarding list
11 (from an alias or forward file) or by running the filter interpreter. It may do
12 this in a sub-process if a uid/gid are supplied. */
17 enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
19 #define REPLY_EXISTS 0x01
20 #define REPLY_EXPAND 0x02
21 #define REPLY_RETURN 0x04
24 /*************************************************
25 * Check string for filter program *
26 *************************************************/
28 /* This function checks whether a string is actually a filter program. The rule
29 is that it must start with "# Exim filter ..." (any capitalization, spaces
30 optional). It is envisaged that in future, other kinds of filter may be
31 implemented. That's why it is implemented the way it is. The function is global
32 because it is also called from filter.c when checking filters.
36 Returns: FILTER_EXIM if it starts with "# Exim filter"
37 FILTER_SIEVE if it starts with "# Sieve filter"
38 FILTER_FORWARD otherwise
41 /* This is an auxiliary function for matching a tag. */
44 match_tag(const uschar *s, const uschar *tag)
46 for (; *tag; s++, tag++)
49 while (*s == ' ' || *s == '\t') s++;
53 if (tolower(*s) != tolower(*tag)) break;
58 /* This is the real function. It should be easy to add checking different
59 tags for other types of filter. */
62 rda_is_filter(const uschar *s)
64 Uskip_whitespace(&s); /* Skips initial blank lines */
65 if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
66 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
67 else return FILTER_FORWARD;
73 /*************************************************
74 * Check for existence of file *
75 *************************************************/
77 /* First of all, we stat the file. If this fails, we try to stat the enclosing
78 directory, because a file in an unmounted NFS directory will look the same as a
79 non-existent file. It seems that in Solaris 2.6, statting an entry in an
80 indirect map that is currently unmounted does not cause the mount to happen.
81 Instead, dummy data is returned, which defeats the whole point of this test.
82 However, if a stat() is done on some object inside the directory, such as the
83 "." back reference to itself, then the mount does occur. If an NFS host is
84 taken offline, it is possible for the stat() to get stuck until it comes back.
85 To guard against this, stick a timer round it. If we can't access the "."
86 inside the directory, try the plain directory, just in case that helps.
89 filename the file name
90 error for message on error
92 Returns: FILE_EXIST the file exists
93 FILE_NOT_EXIST the file does not exist
94 FILE_EXIST_UNCLEAR cannot determine existence
98 rda_exists(uschar *filename, uschar **error)
104 if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
107 s = string_copy(filename);
108 sigalrm_seen = FALSE;
110 if (saved_errno == ENOENT)
112 uschar * slash = Ustrrchr(s, '/');
113 Ustrcpy(slash+1, US".");
116 rc = Ustat(s, &statbuf);
117 if (rc != 0 && errno == EACCES && !sigalrm_seen)
120 rc = Ustat(s, &statbuf);
125 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
128 if (sigalrm_seen || rc != 0)
130 *error = string_sprintf("failed to stat %s (%s)", s,
131 sigalrm_seen? "timeout" : strerror(saved_errno));
132 return FILE_EXIST_UNCLEAR;
135 *error = string_sprintf("%s does not exist", filename);
136 DEBUG(D_route) debug_printf("%s\n", *error);
137 return FILE_NOT_EXIST;
142 /*************************************************
143 * Get forwarding list from a file *
144 *************************************************/
146 /* Open a file and read its entire contents into a block of memory. Certain
147 opening errors are optionally treated the same as "file does not exist".
149 ENOTDIR means that something along the line is not a directory: there are
150 installations that set home directories to be /dev/null for non-login accounts
151 but in normal circumstances this indicates some kind of configuration error.
153 EACCES means there's a permissions failure. Some users turn off read permission
154 on a .forward file to suspend forwarding, but this is probably an error in any
155 kind of mailing list processing.
157 The redirect block that contains the file name also contains constraints such
158 as who may own the file, and mode bits that must not be set. This function is
161 rdata rdirect block, containing file name and constraints
162 options for the RDO_ENOTDIR and RDO_EACCES options
163 error where to put an error message
164 yield what to return from rda_interpret on error
166 Returns: pointer to string in store; NULL on error
170 rda_get_file_contents(const redirect_block *rdata, int options, uschar **error,
175 uschar *filename = rdata->string;
176 BOOL uid_ok = !rdata->check_owner;
177 BOOL gid_ok = !rdata->check_group;
180 /* Reading a file is a form of expansion; we wish to deny attackers the
181 capability to specify the file name. */
183 if (is_tainted(filename))
185 *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
191 /* Attempt to open the file. If it appears not to exist, check up on the
192 containing directory by statting it. If the directory does not exist, we treat
193 this situation as an error (which will cause delivery to defer); otherwise we
194 pass back FF_NONEXIST, which causes the redirect router to decline.
196 However, if the ignore_enotdir option is set (to ignore "something on the
197 path is not a directory" errors), the right behaviour seems to be not to do the
200 if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
202 case ENOENT: /* File does not exist */
203 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
204 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
206 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
207 ? FF_NONEXIST : FF_ERROR;
210 case ENOTDIR: /* Something on the path isn't a directory */
211 if (!(options & RDO_ENOTDIR)) goto DEFAULT_ERROR;
212 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
213 "exist\n", filename);
214 *yield = FF_NONEXIST;
217 case EACCES: /* Permission denied */
218 if (!(options & RDO_EACCES)) goto DEFAULT_ERROR;
219 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
220 "exist\n", filename);
221 *yield = FF_NONEXIST;
226 *error = string_open_failed("%s", filename);
231 /* Check that we have a regular file. */
233 if (fstat(fileno(fwd), &statbuf) != 0)
235 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
239 if ((statbuf.st_mode & S_IFMT) != S_IFREG)
241 *error = string_sprintf("%s is not a regular file", filename);
245 /* Check for unwanted mode bits */
247 if ((statbuf.st_mode & rdata->modemask) != 0)
249 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
250 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
254 /* Check the file owner and file group if required to do so. */
257 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
259 else if (rdata->owners)
260 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
261 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
264 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
266 else if (rdata->owngroups)
267 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
268 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
270 if (!uid_ok || !gid_ok)
272 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
276 /* Put an upper limit on the size of the file, just to stop silly people
277 feeding in ridiculously large files, which can easily be created by making
278 files that have holes in them. */
280 if (statbuf.st_size > MAX_FILTER_SIZE)
282 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
286 /* Read the file in one go in order to minimize the time we have it open. */
288 filebuf = store_get(statbuf.st_size + 1, filename);
290 if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
292 *error = string_sprintf("error while reading %s: %s",
293 filename, strerror(errno));
296 filebuf[statbuf.st_size] = 0;
298 DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
299 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
304 /* Return an error: the string is already set up. */
314 /*************************************************
315 * Extract info from list or filter *
316 *************************************************/
318 /* This function calls the appropriate function to extract addresses from a
319 forwarding list, or to run a filter file and get addresses from there.
322 rdata the redirection block
323 options the options bits
324 include_directory restrain to this directory
325 sieve passed to sieve_interpret
326 generated where to hang generated addresses
327 error for error messages
328 eblockp for details of skipped syntax errors
330 filtertype set to the filter type:
331 FILTER_FORWARD => a traditional .forward file
332 FILTER_EXIM => an Exim filter file
333 FILTER_SIEVE => a Sieve filter file
334 a system filter is always forced to be FILTER_EXIM
336 Returns: a suitable return for rda_interpret()
340 rda_extract(const redirect_block * rdata, int options,
341 const uschar * include_directory, const sieve_block * sieve,
342 address_item ** generated, uschar ** error,
343 error_block ** eblockp, int * filtertype)
350 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
353 else data = rdata->string;
355 *filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
357 /* Filter interpretation is done by a general function that is also called from
358 the filter testing option (-bf). There are two versions: one for Exim filtering
359 and one for Sieve filtering. Several features of string expansion may be locked
360 out at sites that don't trust users. This is done by setting flags in
361 expand_forbid that the expander inspects. */
363 if (*filtertype != FILTER_FORWARD)
366 int old_expand_forbid = expand_forbid;
368 DEBUG(D_route) debug_printf("data is %s filter program\n",
369 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
371 /* RDO_FILTER is an "allow" bit */
373 if (!(options & RDO_FILTER))
375 *error = US"filtering not enabled";
380 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
382 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
384 if (*filtertype == FILTER_EXIM)
386 if (options & RDO_EXIM_FILTER)
388 *error = US"Exim filtering not enabled";
392 frc = filter_interpret(data, options, generated, error);
396 const misc_module_info * mi;
397 typedef int (*fn_t)(const uschar *, int, const sieve_block *,
398 address_item **, uschar **);
400 if (options & RDO_SIEVE_FILTER)
402 *error = US"Sieve filtering not enabled";
405 if (!(mi = misc_mod_find(US"sieve_filter", NULL)))
407 *error = US"Sieve filtering not available";
410 frc = (((fn_t *) mi->functions)[SIEVE_INTERPRET])
411 (data, options, sieve, generated, error);
414 expand_forbid = old_expand_forbid;
418 /* Not a filter script */
420 DEBUG(D_route) debug_printf("file is not a filter file\n");
422 return parse_forward_list(data,
423 options, /* specials that are allowed */
424 generated, /* where to hang them */
425 error, /* for errors */
426 deliver_domain, /* to qualify \name */
427 include_directory, /* restrain to directory */
428 eblockp); /* for skipped syntax errors */
434 /*************************************************
435 * Write string down pipe *
436 *************************************************/
438 /* This function is used for transferring a string down a pipe between
439 processes. If the pointer is NULL, a length of zero is written.
445 Returns: -1 on error, else 0
449 rda_write_string(int fd, const uschar *s)
451 int len = s ? Ustrlen(s) + 1 : 0;
452 return ( write(fd, &len, sizeof(int)) != sizeof(int)
453 || (s && write(fd, s, len) != len)
460 /*************************************************
461 * Read string from pipe *
462 *************************************************/
464 /* This function is used for receiving a string from a pipe.
468 sp where to put the string
470 Returns: FALSE if data missing
474 rda_read_string(int fd, uschar ** sp)
478 if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
482 /* We know we have enough memory so disable the error on "len" */
483 /* coverity[tainted_data] */
484 /* We trust the data source, so untainted */
485 if (read(fd, *sp = store_get(len, GET_UNTAINTED), len) != len) return FALSE;
491 /*************************************************
492 * Interpret forward list or filter *
493 *************************************************/
495 /* This function is passed a forward list string (unexpanded) or the name of a
496 file (unexpanded) whose contents are the forwarding list. The list may in fact
497 be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
498 types of filter, with different initial tag strings, may be introduced in due
501 The job of the function is to process the forwarding list or filter. It is
502 pulled out into this separate function, because it is used for system filter
503 files as well as from the redirect router.
505 If the function is given a uid/gid, it runs a subprocess that passes the
506 results back via a pipe. This provides security for things like :include:s in
507 users' .forward files, and "logwrite" calls in users' filter files. A
508 sub-process is NOT used when:
510 . No uid/gid is provided
511 . The input is a string which is not a filter string, and does not contain
513 . The input is a file whose non-existence can be detected in the main
514 process (which is usually running as root).
517 rdata redirect data (file + constraints, or data string)
518 options options to pass to the extraction functions,
519 plus ENOTDIR and EACCES handling bits
520 include_directory restrain :include: to this directory
521 sieve passed to sieve_interpret
522 ugid uid/gid to run under - if NULL, no change
523 generated where to hang generated addresses, initially NULL
524 error pointer for error message
525 eblockp for skipped syntax errors; NULL if no skipping
526 filtertype set to the type of file:
527 FILTER_FORWARD => traditional .forward file
528 FILTER_EXIM => an Exim filter file
529 FILTER_SIEVE => a Sieve filter file
530 a system filter is always forced to be FILTER_EXIM
531 rname router name for error messages in the format
532 "xxx router" or "system filter"
534 Returns: values from extraction function, or FF_NONEXIST:
535 FF_DELIVERED success, a significant action was taken
536 FF_NOTDELIVERED success, no significant action
537 FF_BLACKHOLE :blackhole:
538 FF_DEFER defer requested
539 FF_FAIL fail requested
540 FF_INCLUDEFAIL some problem with :include:
541 FF_FREEZE freeze requested
542 FF_ERROR there was a problem
543 FF_NONEXIST the file does not exist
547 rda_interpret(redirect_block * rdata, int options,
548 const uschar * include_directory, const sieve_block * sieve,
549 const ugid_block * ugid, address_item ** generated,
550 uschar ** error, error_block ** eblockp, int * filtertype, const uschar * rname)
554 BOOL had_disaster = FALSE;
557 uschar *readerror = US"";
558 void (*oldsignal)(int);
560 DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
561 rdata->isfile ? "file" : "string", string_printing(rdata->string));
563 /* Do the expansions of the file name or data first, while still privileged. */
565 if (!(data = expand_string(rdata->string)))
567 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
568 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
569 expand_string_message);
572 rdata->string = data;
575 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
577 if (rdata->isfile && data[0] != '/')
579 *error = string_sprintf("\"%s\" is not an absolute path", data);
583 /* If no uid/gid are supplied, or if we have a data string which does not start
584 with #Exim filter or #Sieve filter, and does not contain :include:, do all the
585 work in this process. Note that for a system filter, we always have a file, so
586 the work is done in this process only if no user is supplied. */
588 if ( !ugid->uid_set /* Either there's no uid, or */
589 || ( !rdata->isfile /* We've got the data, and */
590 && rda_is_filter(data) == FILTER_FORWARD /* It's not a filter script, */
591 && Ustrstr(data, ":include:") == NULL /* and there's no :include: */
593 return rda_extract(rdata, options, include_directory, sieve,
594 generated, error, eblockp, filtertype);
596 /* We need to run the processing code in a sub-process. However, if we can
597 determine the non-existence of a file first, we can decline without having to
598 create the sub-process. */
600 if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
603 /* If the file does exist, or we can't tell (non-root mounted NFS directory)
604 we have to create the subprocess to do everything as the given user. The
605 results of processing are passed back via a pipe. */
608 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
609 ":include: failed for %s: %s", rname, strerror(errno));
611 /* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
612 process can be waited for. We sometimes get here with it set otherwise. Save
613 the old state for resetting on the wait. Ensure that all cached resources are
614 freed so that the subprocess starts with a clean slate and doesn't interfere
615 with the parent process. */
617 oldsignal = signal(SIGCHLD, SIG_DFL);
620 if ((pid = exim_fork(US"router-interpret")) == 0)
622 header_line *waslast = header_last; /* Save last header */
625 fd = pfd[pipe_write];
626 (void)close(pfd[pipe_read]);
628 if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
629 if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
631 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
633 /* Addresses can get rewritten in filters; if we are not root or the exim
634 user (and we probably are not), turn off rewrite logging, because we cannot
635 write to the log now. */
637 if (ugid->uid != root_uid && ugid->uid != exim_uid)
639 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
640 "root or exim in this process)\n");
641 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
644 /* Now do the business */
646 yield = rda_extract(rdata, options, include_directory, sieve,
647 generated, error, eblockp, filtertype);
649 /* Pass back whether it was a filter, and the return code and any overall
650 error text via the pipe. */
652 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
653 || write(fd, &yield, sizeof(int)) != sizeof(int)
654 || rda_write_string(fd, *error) != 0
658 /* Pass back the contents of any syntax error blocks if we have a pointer */
662 for (error_block * ep = *eblockp; ep; ep = ep->next)
663 if ( rda_write_string(fd, ep->text1) != 0
664 || rda_write_string(fd, ep->text2) != 0
667 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
671 /* If this is a system filter, we have to pass back the numbers of any
672 original header lines that were removed, and then any header lines that were
673 added but not subsequently removed. */
675 if (f.system_filtering)
678 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
679 if ( h->type == htype_old
680 && write(fd, &i, sizeof(i)) != sizeof(i)
685 if (write(fd, &i, sizeof(i)) != sizeof(i))
688 while (waslast != header_last)
690 waslast = waslast->next;
691 if (waslast->type != htype_old)
692 if ( rda_write_string(fd, waslast->text) != 0
693 || write(fd, &(waslast->type), sizeof(waslast->type))
694 != sizeof(waslast->type)
698 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
702 /* Write the contents of the $n variables */
704 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
707 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
708 addresses, and their associated information, through the pipe. This is
709 just tedious, but it seems to be the only safe way. We do this also for
710 FAIL and FREEZE, because a filter is allowed to set up deliveries that
711 are honoured before freezing or failing. */
713 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
714 yield == FF_FAIL || yield == FF_FREEZE)
716 for (address_item * addr = *generated; addr; addr = addr->next)
718 int reply_options = 0;
719 int ig_err = addr->prop.ignore_error ? 1 : 0;
721 if ( rda_write_string(fd, addr->address) != 0
722 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
723 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
724 || rda_write_string(fd, addr->prop.errors_address) != 0
725 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
729 if (addr->pipe_expandn)
730 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
731 if (rda_write_string(fd, *pp) != 0)
733 if (rda_write_string(fd, NULL) != 0)
738 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
743 reply_options |= REPLY_EXISTS;
744 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
745 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
746 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
747 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
749 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
751 || rda_write_string(fd, addr->reply->to) != 0
752 || rda_write_string(fd, addr->reply->cc) != 0
753 || rda_write_string(fd, addr->reply->bcc) != 0
754 || rda_write_string(fd, addr->reply->from) != 0
755 || rda_write_string(fd, addr->reply->reply_to) != 0
756 || rda_write_string(fd, addr->reply->subject) != 0
757 || rda_write_string(fd, addr->reply->headers) != 0
758 || rda_write_string(fd, addr->reply->text) != 0
759 || rda_write_string(fd, addr->reply->file) != 0
760 || rda_write_string(fd, addr->reply->logfile) != 0
761 || rda_write_string(fd, addr->reply->oncelog) != 0
767 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
771 /* OK, this process is now done. Free any cached resources. Must use _exit()
777 exim_underbar_exit(EXIT_SUCCESS);
780 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
784 /* Back in the main process: panic if the fork did not succeed. */
787 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
789 /* Read the pipe to get the data from the filter/forward. Our copy of the
790 writing end must be closed first, as otherwise read() won't return zero on an
791 empty pipe. Afterwards, close the reading end. */
793 (void)close(pfd[pipe_write]);
795 /* Read initial data, including yield and contents of *error */
798 if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
799 read(fd, &yield, sizeof(int)) != sizeof(int) ||
800 !rda_read_string(fd, error)) goto DISASTER;
802 /* Read the contents of any syntax error blocks if we have a pointer */
807 for (error_block ** p = eblockp; ; p = &e->next)
810 if (!rda_read_string(fd, &s)) goto DISASTER;
812 e = store_get(sizeof(error_block), GET_UNTAINTED);
815 if (!rda_read_string(fd, &s)) goto DISASTER;
821 /* If this is a system filter, read the identify of any original header lines
822 that were removed, and then read data for any new ones that were added. */
824 if (f.system_filtering)
827 header_line *h = header_list;
832 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
837 if (!(h = h->next)) goto DISASTER_NO_HEADER;
846 if (!rda_read_string(fd, &s)) goto DISASTER;
848 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
849 header_add(type, "%s", s);
853 /* Read the values of the $n variables */
855 if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
857 /* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
858 addresses and data to go with them. Keep them in the same order in the
861 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
862 yield == FF_FAIL || yield == FF_FREEZE)
864 address_item **nextp = generated;
868 int i, reply_options;
870 uschar * recipient, * s;
871 uschar * expandn[EXPAND_MAXN + 2];
873 /* First string is the address; NULL => end of addresses */
875 if (!rda_read_string(fd, &recipient)) goto DISASTER;
876 if (!recipient) break;
878 /* Hang on the end of the chain */
880 addr = deliver_make_addr(recipient, FALSE);
882 nextp = &(addr->next);
884 /* Next comes the mode and the flags fields */
886 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
887 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
888 || !rda_read_string(fd, &s)
889 || read(fd, &i, sizeof(i)) != sizeof(i)
892 addr->prop.errors_address = s;
893 addr->prop.ignore_error = (i != 0);
895 /* Next comes a possible setting for $thisaddress and any numerical
896 variables for pipe expansion, terminated by a NULL string. The maximum
897 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
898 into the zeroth item in the vector - this is sorted out inside the pipe
901 for (i = 0; i < EXPAND_MAXN + 1; i++)
904 if (!rda_read_string(fd, &temp)) goto DISASTER;
905 if (i == 0) filter_thisaddress = temp; /* Just in case */
907 if (temp == NULL) break;
912 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), GET_UNTAINTED);
913 addr->pipe_expandn[i] = NULL;
914 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
917 /* Then an int containing reply options; zero => no reply data. */
919 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
920 if ((reply_options & REPLY_EXISTS) != 0)
922 addr->reply = store_get(sizeof(reply_item), GET_UNTAINTED);
924 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
925 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
927 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
929 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
931 !rda_read_string(fd, &addr->reply->to) ||
932 !rda_read_string(fd, &addr->reply->cc) ||
933 !rda_read_string(fd, &addr->reply->bcc) ||
934 !rda_read_string(fd, &addr->reply->from) ||
935 !rda_read_string(fd, &addr->reply->reply_to) ||
936 !rda_read_string(fd, &addr->reply->subject) ||
937 !rda_read_string(fd, &addr->reply->headers) ||
938 !rda_read_string(fd, &addr->reply->text) ||
939 !rda_read_string(fd, &addr->reply->file) ||
940 !rda_read_string(fd, &addr->reply->logfile) ||
941 !rda_read_string(fd, &addr->reply->oncelog))
947 /* All data has been transferred from the sub-process. Reap it, close the
948 reading end of the pipe, and we are done. */
951 while ((rc = wait(&status)) != pid)
952 if (rc < 0 && errno == ECHILD) /* Process has vanished */
954 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
959 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
963 *error = string_sprintf("internal problem in %s: failure to transfer "
964 "data from subprocess: status=%04x%s%s%s", rname,
966 *error ? US": error=" : US"",
967 *error ? *error : US"");
968 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
970 else if (status != 0)
971 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
972 "%04x from redirect subprocess (but data correctly received)", rname,
977 signal(SIGCHLD, oldsignal); /* restore */
981 /* Come here if the data indicates removal of a header that we can't find */
984 readerror = US" readerror=bad header identifier";
989 /* Come here is there's a shambles in transferring the data over the pipe. The
990 value of errno should still be set. */
993 readerror = string_sprintf(" readerror='%s'", strerror(errno));