1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Functions for reading spool files. When compiling for a utility (eximon),
11 not all are needed, and some functionality can be cut out. */
18 #ifndef COMPILE_UTILITY
19 /*************************************************
20 * Open and lock data file *
21 *************************************************/
23 /* The data file is the one that is used for locking, because the header file
24 can get replaced during delivery because of header rewriting. The file has
25 to opened with write access so that we can get an exclusive lock, but in
26 fact it won't be written to. Just in case there's a major disaster (e.g.
27 overwriting some other file descriptor with the value of this one), open it
30 As called by deliver_message() (at least) we are operating as root.
32 Argument: the id of the message
33 Returns: fd if file successfully opened and locked, else -1
35 Side effect: message_subdir is set for the (possibly split) spool directory
39 spool_open_datafile(uschar * id)
45 /* If split_spool_directory is set (handled by set_subdir_str()), first look for
46 the file in the appropriate sub-directory of the input directory. If it is not
47 found there, try the input directory itself, to pick up leftovers from before
48 the splitting. If split_ spool_directory is not set, first look in the main
49 input directory. If it is not found there, try the split sub-directory, in case
50 it is left over from a splitting state. */
52 for (int i = 0; i < 2; i++)
57 set_subdir_str(message_subdir, id, i);
58 fname = spool_fname(US"input", message_subdir, id, US"-D");
59 DEBUG(D_deliver) debug_printf_indent("Trying spool file %s\n", fname);
61 /* We protect against symlink attacks both in not propagating the
62 file-descriptor to other processes as we exec, and also ensuring that we
63 don't even open symlinks.
64 No -D file inside the spool area should be a symlink. */
66 if ((fd = Uopen(fname,
67 EXIM_CLOEXEC | EXIM_NOFOLLOW | O_RDWR | O_APPEND, 0)) >= 0)
74 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
75 *queue_name ? US" Q=" : US"",
76 *queue_name ? queue_name : US"",
79 debug_printf("Spool%s%s file %s-D not found\n",
80 *queue_name ? US" Q=" : US"",
81 *queue_name ? queue_name : US"",
85 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
90 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
91 the file. We lock only the first line of the file (containing the message ID)
92 because this apparently is needed for running Exim under Cygwin. If the entire
93 file is locked in one process, a sub-process cannot access it, even when passed
94 an open file descriptor (at least, I think that's the Cygwin story). On real
95 Unix systems it doesn't make any difference as long as Exim is consistent in
99 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
102 lock_data.l_type = F_WRLCK;
103 lock_data.l_whence = SEEK_SET;
104 lock_data.l_start = 0;
105 lock_data.l_len = spool_data_start_offset(id);
107 if (fcntl(fd, F_SETLK, &lock_data) < 0)
109 log_write(L_skip_delivery, LOG_MAIN,
110 "Spool file for %s is locked (another process is handling this message)",
117 /* Get the size of the data; don't include the leading filename line
118 in the count, but add one for the newline before the data. */
120 if (fstat(fd, &statbuf) == 0)
122 message_body_size = statbuf.st_size - spool_data_start_offset(id);
123 message_size = message_body_size + 1;
128 #endif /* COMPILE_UTILITY */
132 /*************************************************
133 * Read non-recipients tree from spool file *
134 *************************************************/
136 /* The tree of non-recipients is written to the spool file in a form that
137 makes it easy to read back into a tree. The format is as follows:
139 . Each node is preceded by two letter(Y/N) indicating whether it has left
140 or right children. There's one space after the two flags, before the name.
142 . The left subtree (if any) then follows, then the right subtree (if any).
144 This function is entered with the next input line in the buffer. Note we must
145 save the right flag before recursing with the same buffer.
147 Once the tree is read, we re-construct the balance fields by scanning the tree.
148 I forgot to write them out originally, and the compatible fix is to do it this
149 way. This initial local recursing function does the necessary.
154 Returns: maximum depth below the node, including the node itself
158 count_below(tree_node *node)
161 if (node == NULL) return 0;
162 nleft = count_below(node->left);
163 nright = count_below(node->right);
164 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
165 return 1 + ((nleft > nright)? nleft : nright);
168 /* This is the real function...
171 connect pointer to the root of the tree
172 f FILE to read data from
173 buffer contains next input line; further lines read into it
174 buffer_size size of the buffer
176 Returns: FALSE on format error
180 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
184 int n = Ustrlen(buffer);
185 BOOL right = buffer[1] == 'Y';
187 if (n < 5) return FALSE; /* malformed line */
188 buffer[n-1] = 0; /* Remove \n */
189 node = store_get(sizeof(tree_node) + n - 3, GET_TAINTED); /* rcpt names tainted */
191 Ustrcpy(node->name, buffer + 3);
192 node->data.ptr = NULL;
194 if (buffer[0] == 'Y')
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
200 else node->left = NULL;
204 if (Ufgets(buffer, buffer_size, f) == NULL ||
205 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
208 else node->right = NULL;
210 (void) count_below(*connect);
217 /* Reset all the global variables to their default values. However, there is
218 one exception. DO NOT change the default value of dont_deliver, because it may
219 be forced by an external setting. */
222 spool_clear_header_globals(void)
224 acl_var_c = acl_var_m = NULL;
225 authenticated_id = NULL;
226 authenticated_sender = NULL;
227 f.allow_unqualified_recipient = FALSE;
228 f.allow_unqualified_sender = FALSE;
231 f.deliver_firsttime = FALSE;
232 f.deliver_freeze = FALSE;
233 deliver_frozen_at = 0;
234 f.deliver_manual_thaw = FALSE;
235 /* f.dont_deliver must NOT be reset */
236 header_list = header_last = NULL;
237 host_lookup_deferred = FALSE;
238 host_lookup_failed = FALSE;
239 interface_address = NULL;
241 f.local_error_message = FALSE;
242 #ifdef HAVE_LOCAL_SCAN
243 local_scan_data = NULL;
245 max_received_linelength = 0;
246 message_linecount = 0;
247 received_protocol = NULL;
249 recipients_list = NULL;
250 sender_address = NULL;
251 sender_fullhost = NULL;
252 sender_helo_name = NULL;
253 sender_host_address = NULL;
254 sender_host_name = NULL;
255 sender_host_port = 0;
256 sender_host_authenticated = sender_host_auth_pubname = NULL;
258 f.sender_local = FALSE;
259 f.sender_set_untrusted = FALSE;
260 smtp_active_hostname = primary_hostname;
261 #ifndef COMPILE_UTILITY
262 f.spool_file_wireformat = FALSE;
264 tree_nonrecipients = NULL;
266 #ifdef EXPERIMENTAL_BRIGHTMAIL
273 f.dkim_disable_verify = FALSE;
274 dkim_collect_input = 0;
278 tls_in.certificate_verified = FALSE;
280 tls_in.dane_verified = FALSE;
282 tls_in.ver = tls_in.cipher = NULL;
283 # ifndef COMPILE_UTILITY /* tls support fns not built in */
284 tls_free_cert(&tls_in.ourcert);
285 tls_free_cert(&tls_in.peercert);
287 tls_in.peerdn = NULL;
289 tls_in.ocsp = OCSP_NOT_REQ;
292 #ifdef WITH_CONTENT_SCAN
295 spam_score_int = NULL;
298 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
299 message_smtputf8 = FALSE;
300 message_utf8_downconvert = 0;
303 #ifndef COMPILE_UTILITY
304 debuglog_name[0] = '\0';
311 fgets_big_buffer(FILE *fp)
316 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) return NULL;
318 while ((len = Ustrlen(big_buffer)) == big_buffer_size-1
319 && big_buffer[len-1] != '\n')
324 if (big_buffer_size >= BIG_BUFFER_SIZE * 4) return NULL;
325 newsize = big_buffer_size * 2;
326 newbuffer = store_get_perm(newsize, FALSE);
327 memcpy(newbuffer, big_buffer, len);
329 big_buffer = newbuffer;
330 big_buffer_size = newsize;
331 if (Ufgets(big_buffer + len, big_buffer_size - len, fp) == NULL) return NULL;
334 if (len <= 0 || big_buffer[len-1] != '\n') return NULL;
340 /*************************************************
341 * Read spool header file *
342 *************************************************/
344 /* This function reads a spool header file and places the data into the
345 appropriate global variables. The header portion is always read, but header
346 structures are built only if read_headers is set true. It isn't, for example,
347 while generating -bp output.
349 It may be possible for blocks of nulls (binary zeroes) to get written on the
350 end of a file if there is a system crash during writing. It was observed on an
351 earlier version of Exim that omitted to fsync() the files - this is thought to
352 have been the cause of that incident, but in any case, this code must be robust
353 against such an event, and if such a file is encountered, it must be treated as
356 As called from deliver_message() (at least) we are running as root.
359 name name of the header file, including the -H
360 read_headers TRUE if in-store header structures are to be built
361 subdir_set TRUE is message_subdir is already set
363 Returns: spool_read_OK success
364 spool_read_notopen open failed
365 spool_read_enverror error in the envelope portion
366 spool_read_hdrerror error in the header portion
370 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
376 BOOL inheader = FALSE;
377 const uschar * where;
379 /* Reset all the global variables to their default values. However, there is
380 one exception. DO NOT change the default value of dont_deliver, because it may
381 be forced by an external setting. */
383 spool_clear_header_globals();
385 /* Generate the full name and open the file. If message_subdir is already
386 set, just look in the given directory. Otherwise, look in both the split
387 and unsplit directories, as for the data file above. */
389 for (int n = 0; n < 2; n++)
392 set_subdir_str(message_subdir, name, n);
394 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
396 if (n != 0 || subdir_set || errno != ENOENT)
397 return spool_read_notopen;
402 #ifndef COMPILE_UTILITY
403 DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
404 #endif /* COMPILE_UTILITY */
406 /* The first line of a spool file contains the message id followed by -H (i.e.
407 the file name), in order to make the file self-identifying. */
409 where = US"first line read";
410 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
411 where = US"first line length";
412 if ( ( Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3
413 && Ustrlen(big_buffer) != MESSAGE_ID_LENGTH_OLD + 3
415 || ( Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0
416 && Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH_OLD + 2) != 0
418 goto SPOOL_FORMAT_ERROR;
420 /* The next three lines in the header file are in a fixed format. The first
421 contains the login, uid, and gid of the user who caused the file to be written.
422 There are known cases where a negative gid is used, so we allow for both
423 negative uids and gids. The second contains the mail address of the message's
424 sender, enclosed in <>. The third contains the time the message was received,
425 and the number of warning messages for delivery delays that have been sent. */
427 where = US"2nd line read";
428 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
431 uschar *p = big_buffer + Ustrlen(big_buffer);
432 while (p > big_buffer && isspace(p[-1])) p--;
434 where = US"2nd line fmt 1";
435 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
436 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
438 where = US"2nd line fmt 2";
439 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
441 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
442 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
444 where = US"2nd line fmt 3";
445 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
449 originator_login = string_copy(big_buffer);
450 originator_uid = (uid_t)uid;
451 originator_gid = (gid_t)gid;
453 where = US"envelope from";
454 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
455 n = Ustrlen(big_buffer);
456 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
457 goto SPOOL_FORMAT_ERROR;
459 sender_address = store_get(n-2, GET_TAINTED);
460 Ustrncpy(sender_address, big_buffer+1, n-3);
461 sender_address[n-3] = 0;
464 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
465 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
466 goto SPOOL_FORMAT_ERROR;
467 received_time.tv_usec = 0;
468 received_time_complete = received_time;
471 message_age = time(NULL) - received_time.tv_sec;
472 #ifndef COMPILE_UTILITY
473 if (f.running_in_test_harness)
474 message_age = test_harness_fudged_queue_time(message_age);
477 #ifndef COMPILE_UTILITY
478 DEBUG(D_deliver) debug_printf_indent("user=%s uid=%ld gid=%ld sender=%s\n",
479 originator_login, (long int)originator_uid, (long int)originator_gid,
483 /* Now there may be a number of optional lines, each starting with "-". If you
484 add a new setting here, make sure you set the default above.
486 Because there are now quite a number of different possibilities, we use a
487 switch on the first character to avoid too many failing tests. Thanks to Nico
488 Erfurth for the patch that implemented this. I have made it even more efficient
489 by not re-scanning the first two characters.
491 To allow new versions of Exim that add additional flags to interwork with older
492 versions that do not understand them, just ignore any lines starting with "-"
493 that we don't recognize. Otherwise it wouldn't be possible to back off a new
494 version that left new-style flags written on the spool.
496 If the line starts with "--" the content of the variable is tainted.
497 If the line start "--(<lookuptype>)" it is also quoted for the given <lookuptype>.
502 const void * proto_mem;
506 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
507 if (big_buffer[0] != '-') break;
508 big_buffer[Ustrlen(big_buffer)-1] = 0;
510 proto_mem = big_buffer[1] == '-' ? GET_TAINTED : GET_UNTAINTED;
511 var = big_buffer + (proto_mem == GET_UNTAINTED ? 1 : 2);
512 if (*var == '(') /* marker for quoted value */
515 for (s = ++var; *s != ')'; ) s++;
516 #ifndef COMPILE_UTILITY
519 if ((idx = search_findtype(var, s - var)) < 0)
522 debug_printf("Unrecognised quoter %.*s\n", (int)(s - var), var+1);
524 goto SPOOL_FORMAT_ERROR;
526 proto_mem = store_get_quoted(1, GET_TAINTED, idx);
528 #endif /* COMPILE_UTILITY */
537 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
538 variable, because Exim allows any number of them, with arbitrary names.
539 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
542 if (Ustrncmp(p, "clc ", 4) == 0 ||
543 Ustrncmp(p, "clm ", 4) == 0)
545 uschar *name, *endptr;
548 endptr = Ustrchr(var + 5, ' ');
550 if (!endptr) goto SPOOL_FORMAT_ERROR;
551 name = string_sprintf("%c%.*s", var[3],
552 (int)(endptr - var - 5), var + 5);
553 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
554 node = acl_var_create(name);
555 node->data.ptr = store_get(count + 1, proto_mem);
556 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
557 ((uschar*)node->data.ptr)[count] = 0;
560 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
561 f.allow_unqualified_recipient = TRUE;
562 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
563 f.allow_unqualified_sender = TRUE;
565 else if (Ustrncmp(p, "uth_id", 6) == 0)
566 authenticated_id = string_copy_taint(var + 8, proto_mem);
567 else if (Ustrncmp(p, "uth_sender", 10) == 0)
568 authenticated_sender = string_copy_taint(var + 12, proto_mem);
569 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
570 smtp_active_hostname = string_copy_taint(var + 16, proto_mem);
572 /* For long-term backward compatibility, we recognize "-acl", which was
573 used before the number of ACL variables changed from 10 to 20. This was
574 before the subsequent change to an arbitrary number of named variables.
575 This code is retained so that upgrades from very old versions can still
576 handle old-format spool files. The value given after "-acl" is a number
577 that is 0-9 for connection variables, and 10-19 for message variables. */
579 else if (Ustrncmp(p, "cl ", 3) == 0)
581 unsigned index, count;
582 uschar name[20]; /* Need plenty of space for %u format */
584 where = US"-acl (old)";
585 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
587 || count > 16384 /* arbitrary limit on variable size */
589 goto SPOOL_FORMAT_ERROR;
591 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
593 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
594 node = acl_var_create(name);
595 node->data.ptr = store_get(count + 1, proto_mem);
596 /* We sanity-checked the count, so disable the Coverity error */
597 /* coverity[tainted_data] */
598 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
599 (US node->data.ptr)[count] = '\0';
604 if (Ustrncmp(p, "ody_linecount", 13) == 0)
605 body_linecount = Uatoi(var + 14);
606 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
607 body_zerocount = Uatoi(var + 14);
608 #ifdef EXPERIMENTAL_BRIGHTMAIL
609 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
610 bmi_verdicts = string_copy_taint(var + 13, proto_mem);
615 if (Ustrcmp(p, "eliver_firsttime") == 0)
616 f.deliver_firsttime = TRUE;
617 else if (Ustrncmp(p, "sn_ret", 6) == 0)
618 dsn_ret= atoi(CS var + 7);
619 else if (Ustrncmp(p, "sn_envid", 8) == 0)
620 dsn_envid = string_copy_taint(var + 10, proto_mem);
621 #ifndef COMPILE_UTILITY
622 else if (Ustrncmp(p, "ebug_selector ", 14) == 0)
623 debug_selector = strtol(CS var + 15, NULL, 0);
624 else if (Ustrncmp(p, "ebuglog_name ", 13) == 0)
625 debug_logging_from_spool(var + 14);
630 if (Ustrncmp(p, "rozen", 5) == 0)
632 f.deliver_freeze = TRUE;
633 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
634 goto SPOOL_READ_ERROR;
639 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
640 host_lookup_deferred = TRUE;
641 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
642 host_lookup_failed = TRUE;
643 else if (Ustrncmp(p, "ost_auth_pubname", 16) == 0)
644 sender_host_auth_pubname = string_copy_taint(var + 18, proto_mem);
645 else if (Ustrncmp(p, "ost_auth", 8) == 0)
646 sender_host_authenticated = string_copy_taint(var + 10, proto_mem);
647 else if (Ustrncmp(p, "ost_name", 8) == 0)
648 sender_host_name = string_copy_taint(var + 10, proto_mem);
649 else if (Ustrncmp(p, "elo_name", 8) == 0)
650 sender_helo_name = string_copy_taint(var + 10, proto_mem);
652 /* We now record the port number after the address, separated by a
653 dot. For compatibility during upgrading, do nothing if there
654 isn't a value (it gets left at zero). */
656 else if (Ustrncmp(p, "ost_address", 11) == 0)
658 sender_host_port = host_address_extract_port(var + 13);
659 sender_host_address = string_copy_taint(var + 13, proto_mem);
664 if (Ustrncmp(p, "nterface_address", 16) == 0)
666 interface_port = host_address_extract_port(var + 18);
667 interface_address = string_copy_taint(var + 18, proto_mem);
669 else if (Ustrncmp(p, "dent", 4) == 0)
670 sender_ident = string_copy_taint(var + 6, proto_mem);
674 if (Ustrcmp(p, "ocal") == 0)
675 f.sender_local = TRUE;
676 else if (Ustrcmp(var, "localerror") == 0)
677 f.local_error_message = TRUE;
678 #ifdef HAVE_LOCAL_SCAN
679 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
680 local_scan_data = string_copy_taint(var + 11, proto_mem);
685 if (Ustrcmp(p, "anual_thaw") == 0)
686 f.deliver_manual_thaw = TRUE;
687 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
688 max_received_linelength = Uatoi(var + 23);
692 if (*p == 0) f.dont_deliver = TRUE; /* -N */
696 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
697 received_protocol = string_copy_taint(var + 18, proto_mem);
698 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
701 if (sscanf(CS var + 20, "%u", &usec) == 1)
703 received_time.tv_usec = usec;
704 if (!received_time_complete.tv_sec) received_time_complete.tv_usec = usec;
707 else if (Ustrncmp(p, "eceived_time_complete", 21) == 0)
710 if (sscanf(CS var + 23, "%u.%u", &sec, &usec) == 2)
712 received_time_complete.tv_sec = sec;
713 received_time_complete.tv_usec = usec;
719 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
720 f.sender_set_untrusted = TRUE;
721 #ifdef WITH_CONTENT_SCAN
722 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
723 spam_bar = string_copy_taint(var + 9, proto_mem);
724 else if (Ustrncmp(p, "pam_score ", 10) == 0)
725 spam_score = string_copy_taint(var + 11, proto_mem);
726 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
727 spam_score_int = string_copy_taint(var + 15, proto_mem);
729 #ifndef COMPILE_UTILITY
730 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
731 f.spool_file_wireformat = TRUE;
733 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
734 else if (Ustrncmp(p, "mtputf8", 7) == 0)
735 message_smtputf8 = TRUE;
741 if (Ustrncmp(p, "ls_", 3) == 0)
743 const uschar * q = p + 3;
744 if (Ustrncmp(q, "certificate_verified", 20) == 0)
745 tls_in.certificate_verified = TRUE;
746 else if (Ustrncmp(q, "cipher", 6) == 0)
747 tls_in.cipher = string_copy_taint(q+7, proto_mem);
748 # ifndef COMPILE_UTILITY /* tls support fns not built in */
749 else if (Ustrncmp(q, "ourcert", 7) == 0)
750 (void) tls_import_cert(q+8, &tls_in.ourcert);
751 else if (Ustrncmp(q, "peercert", 8) == 0)
752 (void) tls_import_cert(q+9, &tls_in.peercert);
754 else if (Ustrncmp(q, "peerdn", 6) == 0)
755 tls_in.peerdn = string_unprinting(string_copy_taint(q+7, proto_mem));
756 else if (Ustrncmp(q, "sni", 3) == 0)
757 tls_in.sni = string_unprinting(string_copy_taint(q+4, proto_mem));
758 else if (Ustrncmp(q, "ocsp", 4) == 0)
759 tls_in.ocsp = q[5] - '0';
760 # ifndef DISABLE_TLS_RESUME
761 else if (Ustrncmp(q, "resumption", 10) == 0)
762 tls_in.resumption = q[11] - 'A';
764 else if (Ustrncmp(q, "ver", 3) == 0)
765 tls_in.ver = string_copy_taint(q+4, proto_mem);
770 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
772 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
773 message_utf8_downconvert = 1;
774 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
775 message_utf8_downconvert = -1;
779 default: /* Present because some compilers complain if all */
780 break; /* possibilities are not covered. */
784 /* Build sender_fullhost if required */
786 #ifndef COMPILE_UTILITY
787 host_build_sender_fullhost();
788 #endif /* COMPILE_UTILITY */
790 #ifndef COMPILE_UTILITY
792 debug_printf_indent("sender_local=%d ident=%s\n", f.sender_local,
793 sender_ident ? sender_ident : US"unset");
794 #endif /* COMPILE_UTILITY */
796 /* We now have the tree of addresses NOT to deliver to, or a line
797 containing "XX", indicating no tree. */
799 where = US"nondeliver";
800 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
801 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
802 goto SPOOL_FORMAT_ERROR;
804 #ifndef COMPILE_UTILITY
805 DEBUG(D_deliver) debug_print_tree("Non-recipients", tree_nonrecipients);
806 #endif /* COMPILE_UTILITY */
808 /* After reading the tree, the next line has not yet been read into the
809 buffer. It contains the count of recipients which follow on separate lines.
810 Apply an arbitrary sanity check.*/
812 where = US"rcpt cnt";
813 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
814 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
815 goto SPOOL_FORMAT_ERROR;
817 #ifndef COMPILE_UTILITY
818 DEBUG(D_deliver) debug_printf_indent("recipients_count=%d\n", rcount);
819 #endif /* COMPILE_UTILITY */
821 recipients_list_max = rcount;
822 recipients_list = store_get(rcount * sizeof(recipient_item), GET_UNTAINTED);
824 /* We sanitised the count and know we have enough memory, so disable
825 the Coverity error on recipients_count */
826 /* coverity[tainted_data] */
828 where = US"recipient";
829 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
834 uschar *orcpt = NULL;
835 uschar *errors_to = NULL;
838 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
839 nn = Ustrlen(big_buffer);
840 if (nn < 2) goto SPOOL_FORMAT_ERROR;
842 /* Remove the newline; this terminates the address if there is no additional
845 p = big_buffer + nn - 1;
848 /* Look back from the end of the line for digits and special terminators.
849 Since an address must end with a domain, we can tell that extra data is
850 present by the presence of the terminator, which is always some character
851 that cannot exist in a domain. (If I'd thought of the need for additional
852 data early on, I'd have put it at the start, with the address at the end. As
853 it is, we have to operate backwards. Addresses are permitted to contain
856 This code has to cope with various versions of this data that have evolved
857 over time. In all cases, the line might just contain an address, with no
858 additional data. Otherwise, the possibilities are as follows:
860 Exim 3 type: <address><space><digits>,<digits>,<digits>
862 The second set of digits is the parent number for one_time addresses. The
863 other values were remnants of earlier experiments that were abandoned.
865 Exim 4 first type: <address><space><digits>
867 The digits are the parent number for one_time addresses.
869 Exim 4 new type: <address><space><data>#<type bits>
871 The type bits indicate what the contents of the data are.
873 Bit 01 indicates that, reading from right to left, the data
874 ends with <errors_to address><space><len>,<pno> where pno is
875 the parent number for one_time addresses, and len is the length
876 of the errors_to address (zero meaning none).
878 Bit 02 indicates that, again reading from right to left, the data continues
879 with orcpt len(orcpt),dsn_flags
882 while (isdigit(*p)) p--;
884 /* Handle Exim 3 spool files */
889 #if !defined (COMPILE_UTILITY)
890 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim 3 spool file\n");
892 while (isdigit(*(--p)) || *p == ',');
896 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
900 /* Handle early Exim 4 spool files */
904 #if !defined (COMPILE_UTILITY)
905 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - early Exim 4 spool file\n");
908 (void)sscanf(CS p, "%d", &pno);
911 /* Handle current format Exim 4 spool files */
917 #if !defined (COMPILE_UTILITY)
918 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim standard format spoolfile\n");
921 (void)sscanf(CS p+1, "%d", &flags);
923 if (flags & 0x01) /* one_time data exists */
926 while (isdigit(*(--p)) || *p == ',' || *p == '-');
927 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
932 errors_to = string_copy_taint(p, GET_TAINTED);
936 *--p = 0; /* Terminate address */
937 if (flags & 0x02) /* one_time data exists */
940 while (isdigit(*(--p)) || *p == ',' || *p == '-');
941 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
946 orcpt = string_copy_taint(p, GET_TAINTED);
950 *--p = 0; /* Terminate address */
952 #if !defined(COMPILE_UTILITY)
954 { DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - No additional fields\n"); }
956 if (orcpt || dsn_flags)
957 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
958 big_buffer, orcpt, dsn_flags);
960 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
961 big_buffer, errors_to);
964 recipients_list[recipients_count].address = string_copy_taint(big_buffer, GET_TAINTED);
965 recipients_list[recipients_count].pno = pno;
966 recipients_list[recipients_count].errors_to = errors_to;
967 recipients_list[recipients_count].orcpt = orcpt;
968 recipients_list[recipients_count].dsn_flags = dsn_flags;
971 /* The remainder of the spool header file contains the headers for the message,
972 separated off from the previous data by a blank line. Each header is preceded
973 by a count of its length and either a certain letter (for various identified
974 headers), space (for a miscellaneous live header) or an asterisk (for a header
975 that has been rewritten). Count the Received: headers. We read the headers
976 always, in order to check on the format of the file, but only create a header
977 list if requested to do so. */
981 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
982 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
984 while ((n = fgetc(fp)) != EOF)
990 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
991 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
992 goto SPOOL_READ_ERROR;
993 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
997 h = store_get(sizeof(header_line), GET_UNTAINTED);
1001 h->text = store_get(n+1, GET_TAINTED);
1003 if (h->type == htype_received) received_count++;
1005 if (header_list) header_last->next = h;
1006 else header_list = h;
1009 for (i = 0; i < n; i++)
1012 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
1013 if (c == '\n' && h->type != htype_old) message_linecount++;
1019 /* Not requiring header data, just skip through the bytes */
1021 else for (i = 0; i < n; i++)
1024 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
1028 /* We have successfully read the data in the header file. Update the message
1029 line count by adding the body linecount to the header linecount. Close the file
1030 and give a positive response. */
1032 #ifndef COMPILE_UTILITY
1033 DEBUG(D_deliver) debug_printf_indent("body_linecount=%d message_linecount=%d\n",
1034 body_linecount, message_linecount);
1035 #endif /* COMPILE_UTILITY */
1037 message_linecount += body_linecount;
1040 return spool_read_OK;
1043 /* There was an error reading the spool or there was missing data,
1044 or there was a format error. A "read error" with no errno means an
1045 unexpected EOF, which we treat as a format error. */
1052 #ifndef COMPILE_UTILITY
1053 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
1054 #endif /* COMPILE_UTILITY */
1058 return inheader ? spool_read_hdrerror : spool_read_enverror;
1063 #ifndef COMPILE_UTILITY
1064 DEBUG(D_any) debug_printf("Format error in spool file %s%s%s\n", name,
1065 where ? ": " : "", where ? where : US"");
1066 #endif /* COMPILE_UTILITY */
1069 errno = ERRNO_SPOOLFORMAT;
1070 return inheader? spool_read_hdrerror : spool_read_enverror;
1074 #ifndef COMPILE_UTILITY
1075 /* Read out just the (envelope) sender string from the spool -H file.
1076 Remove the <> wrap and return it in allocated store. Return NULL on error.
1078 We assume that message_subdir is already set.
1082 spool_sender_from_msgid(const uschar * id)
1086 uschar * yield = NULL;
1088 if (!(fp = Ufopen(spool_fname(US"input", message_subdir, id, US"-H"), "rb")))
1091 DEBUG(D_deliver) debug_printf_indent("reading spool file %s-H\n", id);
1093 /* Skip the line with the copy of the filename, then the line with login/uid/gid.
1094 Read the next line, which should be the envelope sender.
1095 Do basic validation on that. */
1097 if ( Ufgets(big_buffer, big_buffer_size, fp) != NULL
1098 && Ufgets(big_buffer, big_buffer_size, fp) != NULL
1099 && Ufgets(big_buffer, big_buffer_size, fp) != NULL
1100 && (n = Ustrlen(big_buffer)) >= 3
1101 && big_buffer[0] == '<' && big_buffer[n-2] == '>'
1104 yield = store_get(n-2, GET_TAINTED);
1105 Ustrncpy(yield, big_buffer+1, n-3);
1111 #endif /* COMPILE_UTILITY */
1115 /* End of spool_in.c */