Don't open spool data-files which are symlinks
diff --git
a/src/src/spool_in.c
b/src/src/spool_in.c
index 0a281f432f6eb6ba632eaeaa724808787bf5ce69..cd74d1ee7cee74ba611b0cbc75cc1872a8aed84f 100644
(file)
--- a/
src/src/spool_in.c
+++ b/
src/src/spool_in.c
@@
-57,9
+57,17
@@
for (i = 0; i < 2; i++)
fname = spool_fname(US"input", message_subdir, id, US"-D");
DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
fname = spool_fname(US"input", message_subdir, id, US"-D");
DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
+ /* We protect against symlink attacks both in not propagating the
+ * file-descriptor to other processes as we exec, and also ensuring that we
+ * don't even open symlinks.
+ * No -D file inside the spool area should be a symlink.
+ */
if ((fd = Uopen(fname,
#ifdef O_CLOEXEC
O_CLOEXEC |
if ((fd = Uopen(fname,
#ifdef O_CLOEXEC
O_CLOEXEC |
+#endif
+#ifdef O_NOFOLLOW
+ O_NOFOLLOW |
#endif
O_RDWR | O_APPEND, 0)) >= 0)
break;
#endif
O_RDWR | O_APPEND, 0)) >= 0)
break;
@@
-263,7
+271,7
@@
bmi_verdicts = NULL;
#ifndef DISABLE_DKIM
dkim_signers = NULL;
dkim_disable_verify = FALSE;
#ifndef DISABLE_DKIM
dkim_signers = NULL;
dkim_disable_verify = FALSE;
-dkim_collect_input =
FALSE
;
+dkim_collect_input =
0
;
#endif
#ifdef SUPPORT_TLS
#endif
#ifdef SUPPORT_TLS
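Review bot: The new comment above the `Uopen()` call in the first hunk says symlinks are never opened, but `O_NOFOLLOW` is added only under `#ifdef O_NOFOLLOW`, so on a platform that lacks the flag the open keeps its old behaviour with no other check visible here. Where the flag does exist it rejects a symlink only in the final path component; a symlinked directory earlier in `fname` is still followed, and a hard link to another file is not detected. I would state that limit in the comment, for example `Where O_NOFOLLOW is unavailable this check is not applied, and it covers only the last path component.` An `fstat()` on `fd` after the open, confirming a regular file, would cover the platforms without the flag; the code after the `break` is outside this hunk, so such a check may already exist.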