X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/c5db348c5e29e93e51389fa0079f829967c5da82..1f7081b85e684302c091d8b35226ba3418c03f2b:/src/src/spool_out.c diff --git a/src/src/spool_out.c b/src/src/spool_out.c index d48841367..8531112c0 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c @@ -2,7 +2,8 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2017 */ +/* Copyright (c) University of Cambridge 1995 - 2018 */ +/* Copyright (c) The Exim Maintainers 2020 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for writing spool files, and moving them about. */ @@ -92,7 +93,7 @@ double-check the mode because the group setting doesn't always get set automatically. */ if (fd >= 0) - if (fchown(fd, exim_uid, exim_gid) || fchmod(fd, SPOOL_MODE)) + if (exim_fchown(fd, exim_uid, exim_gid, temp_name) || fchmod(fd, SPOOL_MODE)) { DEBUG(D_any) debug_printf("failed setting perms on %s\n", temp_name); (void) close(fd); fd = -1; @@ -104,6 +105,25 @@ return fd; +static const uschar * +zap_newlines(const uschar *s) +{ +uschar *z, *p; + +if (Ustrchr(s, '\n') == NULL) return s; + +p = z = string_copy(s); +while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' '; +return z; +} + +static void +spool_var_write(FILE * fp, const uschar * name, const uschar * val) +{ +if (is_tainted(val)) putc('-', fp); +fprintf(fp, "-%s %s\n", name, val); +} + /************************************************* * Write the header spool file * *************************************************/ 
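Review bot: spool_var_write() prints `val` through `"-%s %s\n"` unchanged, so the stripping done by zap_newlines() only protects call sites that wrap their argument. In this patch that is auth_sender alone, while helo_name, ident, auth_id, local_scan and the other values go through unfiltered. Because the spool header is line-oriented, a value with an embedded newline would presumably be read back as extra records. Doing the stripping once in the helper covers every current and future caller: `fprintf(fp, "-%s %s\n", name, zap_newlines(val));`, keeping the `is_tainted(val)` test on the original pointer. A short comment on both helpers would also help: that a doubled leading `-` marks a tainted value, and that zap_newlines() returns either its argument or a modified copy.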
@@ -128,20 +148,17 @@ int spool_write_header(uschar *id, int where, uschar **errmsg) { int fd; -int i; int size_correction; -FILE *f; -header_line *h; +FILE * fp; struct stat statbuf; uschar * tname; uschar * fname; -tname = spool_fname(US"input", message_subdir, - string_sprintf("hdr.%d", (int)getpid()), US""); +tname = spool_fname(US"input", message_subdir, US"hdr.", message_id); if ((fd = spool_open_temp(tname)) < 0) return spool_write_error(where, errmsg, US"open", NULL, NULL); -f = fdopen(fd, "wb"); +fp = fdopen(fd, "wb"); DEBUG(D_receive|D_deliver) debug_printf("Writing spool header file: %s\n", tname); /* We now have an open file to which the header data is to be written. Start 
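Review bot: The result of `fp = fdopen(fd, "wb");` is used without a check, and the writes that follow (the fprintf calls in the next hunk) go straight through fp. If fdopen() fails, that is a NULL FILE pointer dereference in the spool writer, and fd is never closed. A guard in the style of the neighbouring error paths would be `if (!(fp = fdopen(fd, "wb"))) { (void)close(fd); return spool_write_error(where, errmsg, US"fdopen", tname, NULL); }`. Separately, the temporary name is now derived from message_id instead of the pid, so it is worth a comment stating why two processes handling the same message cannot collide on `hdr.<id>`; that depends on how spool_open_temp() opens the file, which is not visible here. spool_write_header() continues beyond this hunk.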
@@ -150,164 +167,179 @@ identity of the submitting user, followed by the sender's address. The sender's address is enclosed in <> because it might be the null address. Then write the received time and the number of warning messages that have been sent. */ -fprintf(f, "%s-H\n", message_id); -fprintf(f, "%.63s %ld %ld\n", originator_login, (long int)originator_uid, +fprintf(fp, "%s-H\n", message_id); +fprintf(fp, "%.63s %ld %ld\n", originator_login, (long int)originator_uid, (long int)originator_gid); -fprintf(f, "<%s>\n", sender_address); -fprintf(f, "%d %d\n", (int)received_time.tv_sec, warning_count); +fprintf(fp, "<%s>\n", sender_address); +fprintf(fp, "%d %d\n", (int)received_time.tv_sec, warning_count); -fprintf(f, "-received_time_usec .%06d\n", (int)received_time.tv_usec); +fprintf(fp, "-received_time_usec .%06d\n", (int)received_time.tv_usec); +fprintf(fp, "-received_time_complete %d.%06d\n", + (int)received_time_complete.tv_sec, (int)received_time_complete.tv_usec); /* If there is information about a sending host, remember it. The HELO data can be set for local SMTP as well as remote. 
*/ -if (sender_helo_name) - fprintf(f, "-helo_name %s\n", sender_helo_name); +if (sender_helo_name) spool_var_write(fp, US"helo_name", sender_helo_name); if (sender_host_address) { - fprintf(f, "-host_address %s.%d\n", sender_host_address, sender_host_port); + if (is_tainted(sender_host_address)) putc('-', fp); + fprintf(fp, "-host_address %s.%d\n", sender_host_address, sender_host_port); if (sender_host_name) - fprintf(f, "-host_name %s\n", sender_host_name); - if (sender_host_authenticated) - fprintf(f, "-host_auth %s\n", sender_host_authenticated); + spool_var_write(fp, US"host_name", sender_host_name); } +if (sender_host_authenticated) + spool_var_write(fp, US"host_auth", sender_host_authenticated); +if (sender_host_auth_pubname) + spool_var_write(fp, US"host_auth_pubname", sender_host_auth_pubname); /* Also about the interface a message came in on */ if (interface_address) - fprintf(f, "-interface_address %s.%d\n", interface_address, interface_port); + { + if (is_tainted(interface_address)) putc('-', fp); + fprintf(fp, "-interface_address %s.%d\n", interface_address, interface_port); + } if (smtp_active_hostname != primary_hostname) - fprintf(f, "-active_hostname %s\n", smtp_active_hostname); + spool_var_write(fp, US"active_hostname", smtp_active_hostname); /* Likewise for any ident information; for local messages this is likely to be the same as originator_login, but will be different if the originator was root, forcing a different ident. */ -if (sender_ident) fprintf(f, "-ident %s\n", sender_ident); +if (sender_ident) + spool_var_write(fp, US"ident", sender_ident); /* Ditto for the received protocol */ if (received_protocol) - fprintf(f, "-received_protocol %s\n", received_protocol); + spool_var_write(fp, US"received_protocol", received_protocol); /* Preserve any ACL variables that are set. 
*/ -tree_walk(acl_var_c, &acl_var_write, f); -tree_walk(acl_var_m, &acl_var_write, f); +tree_walk(acl_var_c, &acl_var_write, fp); +tree_walk(acl_var_m, &acl_var_write, fp); /* Now any other data that needs to be remembered. */ -if (spool_file_wireformat) - fprintf(f, "-spool_file_wireformat\n"); +if (f.spool_file_wireformat) + fprintf(fp, "-spool_file_wireformat\n"); else - fprintf(f, "-body_linecount %d\n", body_linecount); -fprintf(f, "-max_received_linelength %d\n", max_received_linelength); + fprintf(fp, "-body_linecount %d\n", body_linecount); +fprintf(fp, "-max_received_linelength %d\n", max_received_linelength); -if (body_zerocount > 0) fprintf(f, "-body_zerocount %d\n", body_zerocount); +if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount); if (authenticated_id) - fprintf(f, "-auth_id %s\n", authenticated_id); + spool_var_write(fp, US"auth_id", authenticated_id); if (authenticated_sender) - fprintf(f, "-auth_sender %s\n", authenticated_sender); - -if (allow_unqualified_recipient) fprintf(f, "-allow_unqualified_recipient\n"); -if (allow_unqualified_sender) fprintf(f, "-allow_unqualified_sender\n"); -if (deliver_firsttime) fprintf(f, "-deliver_firsttime\n"); -if (deliver_freeze) fprintf(f, "-frozen " TIME_T_FMT "\n", deliver_frozen_at); -if (dont_deliver) fprintf(f, "-N\n"); -if (host_lookup_deferred) fprintf(f, "-host_lookup_deferred\n"); -if (host_lookup_failed) fprintf(f, "-host_lookup_failed\n"); -if (sender_local) fprintf(f, "-local\n"); -if (local_error_message) fprintf(f, "-localerror\n"); -if (local_scan_data != NULL) fprintf(f, "-local_scan %s\n", local_scan_data); + spool_var_write(fp, US"auth_sender", zap_newlines(authenticated_sender)); + +if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n"); +if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n"); +if (f.deliver_firsttime) fprintf(fp, "-deliver_firsttime\n"); +if (f.deliver_freeze) fprintf(fp, "-frozen " TIME_T_FMT "\n", 
deliver_frozen_at); +if (f.dont_deliver) fprintf(fp, "-N\n"); +if (host_lookup_deferred) fprintf(fp, "-host_lookup_deferred\n"); +if (host_lookup_failed) fprintf(fp, "-host_lookup_failed\n"); +if (f.sender_local) fprintf(fp, "-local\n"); +if (f.local_error_message) fprintf(fp, "-localerror\n"); +#ifdef HAVE_LOCAL_SCAN +if (local_scan_data) spool_var_write(fp, US"local_scan", local_scan_data); +#endif #ifdef WITH_CONTENT_SCAN -if (spam_bar) fprintf(f,"-spam_bar %s\n", spam_bar); -if (spam_score) fprintf(f,"-spam_score %s\n", spam_score); -if (spam_score_int) fprintf(f,"-spam_score_int %s\n", spam_score_int); +if (spam_bar) spool_var_write(fp, US"spam_bar", spam_bar); +if (spam_score) spool_var_write(fp, US"spam_score", spam_score); +if (spam_score_int) spool_var_write(fp, US"spam_score_int", spam_score_int); #endif -if (deliver_manual_thaw) fprintf(f, "-manual_thaw\n"); -if (sender_set_untrusted) fprintf(f, "-sender_set_untrusted\n"); +if (f.deliver_manual_thaw) fprintf(fp, "-manual_thaw\n"); +if (f.sender_set_untrusted) fprintf(fp, "-sender_set_untrusted\n"); #ifdef EXPERIMENTAL_BRIGHTMAIL -if (bmi_verdicts != NULL) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts); +if (bmi_verdicts) spool_var_write(fp, US"bmi_verdicts", bmi_verdicts); #endif -#ifdef SUPPORT_TLS -if (tls_in.certificate_verified) fprintf(f, "-tls_certificate_verified\n"); -if (tls_in.cipher) fprintf(f, "-tls_cipher %s\n", tls_in.cipher); +#ifndef DISABLE_TLS +if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n"); +if (tls_in.cipher) spool_var_write(fp, US"tls_cipher", tls_in.cipher); if (tls_in.peercert) { - (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert); - fprintf(f, "-tls_peercert %s\n", CS big_buffer); + if (tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert)) + fprintf(fp, "--tls_peercert %s\n", CS big_buffer); } -if (tls_in.peerdn) fprintf(f, "-tls_peerdn %s\n", string_printing(tls_in.peerdn)); -if (tls_in.sni) fprintf(f, "-tls_sni %s\n", 
string_printing(tls_in.sni)); +if (tls_in.peerdn) spool_var_write(fp, US"tls_peerdn", string_printing(tls_in.peerdn)); +if (tls_in.sni) spool_var_write(fp, US"tls_sni", string_printing(tls_in.sni)); if (tls_in.ourcert) { - (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert); - fprintf(f, "-tls_ourcert %s\n", CS big_buffer); + if (tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert)) + fprintf(fp, "-tls_ourcert %s\n", CS big_buffer); } -if (tls_in.ocsp) fprintf(f, "-tls_ocsp %d\n", tls_in.ocsp); +if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp); +# ifndef DISABLE_TLS_RESUME +fprintf(fp, "-tls_resumption %c\n", 'A' + tls_in.resumption); +# endif +if (tls_in.ver) spool_var_write(fp, US"tls_ver", tls_in.ver); #endif #ifdef SUPPORT_I18N if (message_smtputf8) { - fprintf(f, "-smtputf8\n"); + fprintf(fp, "-smtputf8\n"); if (message_utf8_downconvert) - fprintf(f, "-utf8_%sdowncvt\n", message_utf8_downconvert < 0 ? "opt" : ""); + fprintf(fp, "-utf8_%sdowncvt\n", message_utf8_downconvert < 0 ? "opt" : ""); } #endif /* Write the dsn flags to the spool header file */ -DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_envid %s\n", dsn_envid); -if (dsn_envid) fprintf(f, "-dsn_envid %s\n", dsn_envid); -DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_ret %d\n", dsn_ret); -if (dsn_ret != 0) fprintf(f, "-dsn_ret %d\n", dsn_ret); +/* DEBUG(D_deliver) debug_printf("DSN: Write SPOOL: -dsn_envid %s\n", dsn_envid); */ +if (dsn_envid) fprintf(fp, "-dsn_envid %s\n", dsn_envid); +/* DEBUG(D_deliver) debug_printf("DSN: Write SPOOL: -dsn_ret %d\n", dsn_ret); */ +if (dsn_ret) fprintf(fp, "-dsn_ret %d\n", dsn_ret); /* To complete the envelope, write out the tree of non-recipients, followed by the list of recipients. These won't be disjoint the first time, when no checking has been done. If a recipient is a "one-time" alias, it is followed by a space and its parent address number (pno). 
*/ -tree_write(tree_nonrecipients, f); -fprintf(f, "%d\n", recipients_count); -for (i = 0; i < recipients_count; i++) +tree_write(tree_nonrecipients, fp); +fprintf(fp, "%d\n", recipients_count); +for (int i = 0; i < recipients_count; i++) { recipient_item *r = recipients_list + i; + const uschar *address = zap_newlines(r->address); - DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags); + /* DEBUG(D_deliver) debug_printf("DSN: Flags: 0x%x\n", r->dsn_flags); */ - if (r->pno < 0 && r->errors_to == NULL && r->dsn_flags == 0) - fprintf(f, "%s\n", r->address); + if (r->pno < 0 && !r->errors_to && r->dsn_flags == 0) + fprintf(fp, "%s\n", address); else { - uschar * errors_to = r->errors_to ? r->errors_to : US""; + const uschar *errors_to = r->errors_to ? zap_newlines(r->errors_to) : CUS""; /* for DSN SUPPORT extend exim 4 spool in a compatible way by adding new values upfront and add flag 0x02 */ - uschar * orcpt = r->orcpt ? r->orcpt : US""; + const uschar *orcpt = r->orcpt ? zap_newlines(r->orcpt) : CUS""; - fprintf(f, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt), + fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt), r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno); } DEBUG(D_deliver) debug_printf("DSN: **** SPOOL_OUT - " - "address: |%s| errorsto: |%s| orcpt: |%s| dsn_flags: %d\n", + "address: <%s> errorsto: <%s> orcpt: <%s> dsn_flags: 0x%x\n", r->address, r->errors_to, r->orcpt, r->dsn_flags); } /* Put a blank line before the headers */ -fprintf(f, "\n"); +fprintf(fp, "\n"); /* Save the size of the file so far so we can subtract it from the final length to get the actual size of the headers. */ -fflush(f); +fflush(fp); if (fstat(fd, &statbuf)) - return spool_write_error(where, errmsg, US"fstat", tname, f); + return spool_write_error(where, errmsg, US"fstat", tname, fp); size_correction = statbuf.st_size; /* Finally, write out the message's headers. To make it easier to read them 
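Review bot: Two envelope values in this hunk are still written raw: `fprintf(fp, "-dsn_envid %s\n", dsn_envid);` and `fprintf(fp, "<%s>\n", sender_address);`. Neither gets the zap_newlines() treatment that the same hunk applies to auth_sender and to each recipient's address, orcpt and errors_to. If either value can reach this point with an embedded newline (their origin is not visible here), the line-oriented header would be split just as for the fields already fixed. The consistent form is `if (dsn_envid) fprintf(fp, "-dsn_envid %s\n", zap_newlines(dsn_envid));` and `fprintf(fp, "<%s>\n", zap_newlines(sender_address));`, neither of which changes the on-disk format. The hunk starts and ends inside spool_write_header(), so any sanitising done before these lines is outside what can be checked here.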
@@ -318,30 +350,30 @@ various other headers, or an asterisk for old headers that have been rewritten. These are saved as a record for debugging. Don't included them in the message's size. */ -for (h = header_list; h; h = h->next) +for (header_line * h = header_list; h; h = h->next) { - fprintf(f, "%03d%c %s", h->slen, h->type, h->text); + fprintf(fp, "%03d%c %s", h->slen, h->type, h->text); size_correction += 5; if (h->type == '*') size_correction += h->slen; } /* Flush and check for any errors while writing */ -if (fflush(f) != 0 || ferror(f)) - return spool_write_error(where, errmsg, US"write", tname, f); +if (fflush(fp) != 0 || ferror(fp)) + return spool_write_error(where, errmsg, US"write", tname, fp); /* Force the file's contents to be written to disk. Note that fflush() just pushes it out of C, and fclose() doesn't guarantee to do the write either. That's just the way Unix works... */ -if (EXIMfsync(fileno(f)) < 0) - return spool_write_error(where, errmsg, US"sync", tname, f); +if (EXIMfsync(fileno(fp)) < 0) + return spool_write_error(where, errmsg, US"sync", tname, fp); /* Get the size of the file, and close it. */ if (fstat(fd, &statbuf) != 0) return spool_write_error(where, errmsg, US"fstat", tname, NULL); -if (fclose(f) != 0) +if (fclose(fp) != 0) return spool_write_error(where, errmsg, US"close", tname, NULL); /* Rename the file to its correct name, thereby replacing any previous @@ -392,8 +424,6 @@ return statbuf.st_size - size_correction; } -#ifdef SUPPORT_MOVE_FROZEN_MESSAGES - /************************************************ * Make a hard link * ************************************************/ @@ -404,6 +434,7 @@ start-up time. Arguments: dir base directory name + dq destiinationqueue name subdir subdirectory name id message id suffix suffix to add to id 
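Review bot: The argument line added to make_link()'s header comment reads `dq destiinationqueue name`; it should read `dq destination queue name`. Since dq becomes part of a filesystem path, the comment would be more useful if it also said that dq applies only to the link target, and that callers must pass a queue name that is already validated. The comment block and the function it documents both continue outside this hunk.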
@@ -416,11 +447,11 @@ Returns: TRUE if all went well */ static BOOL -make_link(uschar *dir, uschar *subdir, uschar *id, uschar *suffix, uschar *from, - uschar *to, BOOL noentok) +make_link(uschar *dir, uschar * dq, uschar *subdir, uschar *id, uschar *suffix, + uschar *from, uschar *to, BOOL noentok) { uschar * fname = spool_fname(string_sprintf("%s%s", from, dir), subdir, id, suffix); -uschar * tname = spool_fname(string_sprintf("%s%s", to, dir), subdir, id, suffix); +uschar * tname = spool_q_fname(string_sprintf("%s%s", to, dir), dq, subdir, id, suffix); if (Ulink(fname, tname) < 0 && (!noentok || errno != ENOENT)) { log_write(0, LOG_MAIN|LOG_PANIC, "link(\"%s\", \"%s\") failed while moving " @@ -474,8 +505,7 @@ return TRUE; /* Move the files for a message (-H, -D, and msglog) from one directory (or hierarchy) to another. It is assume that there is no -J file in existence when -this is done. At present, this is used only when move_frozen_messages is set, -so compile it only when that support is configured. +this is done. Arguments: id the id of the message to be delivered @@ -490,13 +520,18 @@ Returns: TRUE if all is well BOOL spool_move_message(uschar *id, uschar *subdir, uschar *from, uschar *to) { +uschar * dest_qname = queue_name_dest ? queue_name_dest : queue_name; + +/* Since we are working within the spool, de-taint the dest queue name */ +dest_qname = string_copy_taint(dest_qname, FALSE); + /* Create any output directories that do not exist. */ (void) directory_make(spool_directory, - spool_sname(string_sprintf("%sinput", to), subdir), + spool_q_sname(string_sprintf("%sinput", to), dest_qname, subdir), INPUT_DIRECTORY_MODE, TRUE); (void) directory_make(spool_directory, - spool_sname(string_sprintf("%smsglog", to), subdir), + spool_q_sname(string_sprintf("%smsglog", to), dest_qname, subdir), INPUT_DIRECTORY_MODE, TRUE); /* Move the message by first creating new hard links for all the files, and 
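Review bot: `dest_qname = string_copy_taint(dest_qname, FALSE);` in spool_move_message() clears the taint mark without inspecting the value. The result is then used as a path component in both directory_make() calls and, through make_link()'s new `dq` argument, in the link() target. "We are working within the spool" only holds if the name cannot contain a path separator or a `..` component; if queue_name_dest can come from outside (its source is not visible here, and the option parser may already restrict it), de-tainting becomes the step that lets an unchecked name through. A local check before the copy keeps the guarantee next to the code that relies on it, e.g. `if (Ustrchr(dest_qname, '/') || Ustrstr(dest_qname, "..")) return FALSE;` preceded by a log_write() naming the rejected queue. The `(void)` casts on directory_make() also mean a failed directory creation only surfaces later as a link() error.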
@@ -508,9 +543,9 @@ rule of waiting for a -H file before doing anything. When moving messages off the mail spool, the -D file should be open and locked at the time, thus keeping Exim's hands off. */ -if (!make_link(US"msglog", subdir, id, US"", from, to, TRUE) || - !make_link(US"input", subdir, id, US"-D", from, to, FALSE) || - !make_link(US"input", subdir, id, US"-H", from, to, FALSE)) +if (!make_link(US"msglog", dest_qname, subdir, id, US"", from, to, TRUE) || + !make_link(US"input", dest_qname, subdir, id, US"-D", from, to, FALSE) || + !make_link(US"input", dest_qname, subdir, id, US"-H", from, to, FALSE)) return FALSE; if (!break_link(US"input", subdir, id, US"-H", from, FALSE) || @@ -518,13 +553,15 @@ if (!break_link(US"input", subdir, id, US"-H", from, FALSE) || !break_link(US"msglog", subdir, id, US"", from, TRUE)) return FALSE; -log_write(0, LOG_MAIN, "moved from %sinput, %smsglog to %sinput, %smsglog", - from, from, to, to); +log_write(0, LOG_MAIN, "moved from %s%s%s%sinput, %smsglog to %s%s%s%sinput, %smsglog", + *queue_name?"(":"", *queue_name?queue_name:US"", *queue_name?") ":"", + from, from, + *dest_qname?"(":"", *dest_qname?dest_qname:US"", *dest_qname?") ":"", + to, to); return TRUE; } -#endif /* End of spool_out.c */ /* vi: aw ai sw=2