X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/afd5e75ffc8f64f0ebed1df9dce64793011c14a6..19fdbfb4a2b6ca4a6a96ef52be848f0a23e2414f:/src/src/rda.c

diff --git a/src/src/rda.c b/src/src/rda.c
index 547a8bf3b..684730a7d 100644
--- a/src/src/rda.c
+++ b/src/src/rda.c
@@ -3,7 +3,7 @@
 *************************************************/
 
 /* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim maintainers 2020 */
+/* Copyright (c) The Exim maintainers 2020 - 2021 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* This module contains code for extracting addresses from a forwarding list
@@ -42,7 +42,7 @@ Returns:   FILTER_EXIM    if it starts with "# Exim filter"
 static BOOL
 match_tag(const uschar *s, const uschar *tag)
 {
-for (; *tag != 0; s++, tag++)
+for (; *tag; s++, tag++)
   if (*tag == ' ')
     {
     while (*s == ' ' || *s == '\t') s++;
@@ -60,10 +60,10 @@ tags for other types of filter. */
 int
 rda_is_filter(const uschar *s)
 {
-while (isspace(*s)) s++;     /* Skips initial blank lines */
-if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
-  else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
-    else return FILTER_FORWARD;
+Uskip_whitespace(&s);			/* Skips initial blank lines */
+if (match_tag(s, CUS"# exim filter"))		return FILTER_EXIM;
+else if (match_tag(s, CUS"# sieve filter"))	return FILTER_SIEVE;
+else						return FILTER_FORWARD;
 }
 
 
@@ -179,10 +179,8 @@ struct stat statbuf;
 /* Reading a file is a form of expansion; we wish to deny attackers the
 capability to specify the file name. */
 
-if (is_tainted(filename))
+if ((*error = is_tainted2(filename, 0, "Tainted name '%s' for file read not permitted\n", filename)))
   {
-  *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
-			filename);
   *yield = FF_ERROR;
   return NULL;
   }
@@ -222,7 +220,7 @@ if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
 
 DEFAULT_ERROR:
   default:
-    *error = string_open_failed(errno, "%s", filename);
+    *error = string_open_failed("%s", filename);
     *yield = FF_ERROR;
     return NULL;
   }
@@ -615,12 +613,17 @@ with the parent process. */
 oldsignal = signal(SIGCHLD, SIG_DFL);
 search_tidyup();
 
-if ((pid = fork()) == 0)
+if ((pid = exim_fork(US"router-interpret")) == 0)
   {
   header_line *waslast = header_last;   /* Save last header */
+  int fd_flags = -1;
 
   fd = pfd[pipe_write];
   (void)close(pfd[pipe_read]);
+
+  if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
+  if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
+
   exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
 
   /* Addresses can get rewritten in filters; if we are not root or the exim
@@ -768,7 +771,7 @@ if ((pid = fork()) == 0)
 out:
   (void)close(fd);
   search_tidyup();
-  exim_underbar_exit(0, US"rda");
+  exim_underbar_exit(EXIT_SUCCESS);
 
 bad:
   DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");