Add backstop check for taint of executable name when calling exec()

[exim.git] / src / src / child.c

diff --git a/src/src/child.c b/src/src/child.c
index 267306ee3f0c3eee6173ce044f703fcb9d9a85ef..4c0dbabd11a482ebf571cbfc576627833c86f9d4 100644 (file)
--- a/src/src/child.c
+++ b/src/src/child.c
@@ -81,7 +81,7 @@ argv = store_get((extra + acount + MAX_CLMACROS + 24) * sizeof(char *), GET_UNTA
 /* In all case, the list starts out with the path, any macros, and a changed
 config file. */
 
-argv[n++] = exim_path;
+argv[n++] = exim_path;         /* assume untainted */
 if (clmacro_count > 0)
   {
   memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *));
@@ -343,6 +343,12 @@ int save_errno;
 int inpfd[2], outpfd[2];
 pid_t pid;
 
+if (is_tainted(argv[0]))
+  {
+  log_write(0, LOG_MAIN | LOG_PANIC, "Attempt to exec tainted path: '%s'", argv[0]);
+  return (pid_t)(-1);
+  }
+
 /* Create the pipes. */
 
 if (pipe(inpfd) != 0) return (pid_t)(-1);