US"base62d",
US"base64",
US"base64d",
- US"bless",
US"domain",
US"escape",
US"escape8bit",
EOP_BASE62D,
EOP_BASE64,
EOP_BASE64D,
- EOP_BLESS,
EOP_DOMAIN,
EOP_ESCAPE,
EOP_ESCAPE8BIT,
f.expand_string_forcedfail = FALSE;
expand_string_message = US"";
-if (is_tainted(string))
+{ uschar *m;
+if ((m = is_tainted2(string, LOG_MAIN|LOG_PANIC, "Tainted string '%s' in expansion", s)))
{
- expand_string_message =
- string_sprintf("attempt to expand tainted string '%s'", s);
- log_write(0, LOG_MAIN|LOG_PANIC, "%s", expand_string_message);
+ expand_string_message = m;
goto EXPAND_FAILED;
}
+}
while (*s)
{
condition for real. For EITEM_MAP and EITEM_REDUCE, do the same, using
the normal internal expansion function. */
- if (item_type == EITEM_FILTER)
- {
- if ((temp = eval_condition(expr, &resetok, NULL)))
- s = temp;
- }
- else
+ if (item_type != EITEM_FILTER)
temp = expand_string_internal(s, TRUE, &s, TRUE, TRUE, &resetok);
+ else
+ if ((temp = eval_condition(expr, &resetok, NULL))) s = temp;
if (!temp)
{
goto EXPAND_FAILED;
}
- Uskip_whitespace(&s);
+ Uskip_whitespace(&s); /*{*/
if (*s++ != '}')
{ /*{*/
expand_string_message = string_sprintf("missing } at end of condition "
continue;
}
- case EOP_BLESS:
- /* This is purely for the convenience of the test harness. Do not enable
- it otherwise as it defeats the taint-checking security. */
-
- if (f.running_in_test_harness)
- yield = string_cat(yield, is_tainted(sub)
- ? string_copy_taint(sub, FALSE) : sub);
- else
- {
- DEBUG(D_expand) debug_printf_indent("bless operator not supported\n");
- yield = string_cat(yield, sub);
- }
- continue;
-
case EOP_EXPAND:
{
uschar *expanded = expand_string_internal(sub, FALSE, NULL, skipping, TRUE, &resetok);
case EOP_LISTCOUNT:
{
- int cnt = 0;
- int sep = 0;
+ int cnt = 0, sep = 0;
+ uschar * buf = store_get(2, is_tainted(sub));
- while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;
+ while (string_nextinlist(CUSS &sub, &sep, buf, 1)) cnt++;
yield = string_fmt_append(yield, "%d", cnt);
continue;
}
int count;
uschar *endptr;
int binary[4];
- int mask, maskoffset;
- int type = string_is_ip_address(sub, &maskoffset);
+ int type, mask, maskoffset;
+ BOOL normalised;
uschar buffer[64];
- if (type == 0)
+ if ((type = string_is_ip_address(sub, &maskoffset)) == 0)
{
expand_string_message = string_sprintf("\"%s\" is not an IP address",
sub);
mask = Ustrtol(sub + maskoffset + 1, &endptr, 10);
- if (*endptr != 0 || mask < 0 || mask > ((type == 4)? 32 : 128))
+ if (*endptr || mask < 0 || mask > (type == 4 ? 32 : 128))
{
expand_string_message = string_sprintf("mask value too big in \"%s\"",
sub);
goto EXPAND_FAILED;
}
+ /* If an optional 'n' was given, ipv6 gets normalised output:
+ colons rather than dots, and zero-compressed. */
+
+ normalised = arg && *arg == 'n';
+
/* Convert the address to binary integer(s) and apply the mask */
sub[maskoffset] = 0;
/* Convert to masked textual format and add to output. */
- yield = string_catn(yield, buffer,
- host_nmtoa(count, binary, mask, buffer, '.'));
+ if (type == 4 || !normalised)
+ yield = string_catn(yield, buffer,
+ host_nmtoa(count, binary, mask, buffer, '.'));
+ else
+ {
+ ipv6_nmtoa(binary, buffer);
+ yield = string_fmt_append(yield, "%s/%d", buffer, mask);
+ }
continue;
}
/* Manually track tainting, as we deal in individual chars below */
if (is_tainted(sub))
+ {
if (yield->s && yield->ptr)
gstring_rebuffer(yield);
else
yield->s = store_get(yield->size = Ustrlen(sub), TRUE);
+ }
/* Check the UTF-8, byte-by-byte */
EXPAND_FAILED:
if (left) *left = s;
DEBUG(D_expand)
+ {
DEBUG(D_noutf8)
{
debug_printf_indent("|failed to expand: %s\n", string);
if (f.expand_string_forcedfail)
debug_printf_indent(UTF8_UP_RIGHT "failure was forced\n");
}
+ }
if (resetok_p && !resetok) *resetok_p = FALSE;
expand_level--;
return NULL;
debug_file = stderr;
debug_fd = fileno(debug_file);
big_buffer = malloc(big_buffer_size);
+store_init();
for (int i = 1; i < argc; i++)
{
git://git.exim.org / exim.git / blobdiff