X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d7d7b7b91dd75cec636fc144da7e27eed860f971..90bd3832bc0ff090ac5e37dfc66b30cabb9cfc1a:/src/src/routers/rf_get_transport.c

diff --git a/src/src/routers/rf_get_transport.c b/src/src/routers/rf_get_transport.c
index e5f805e03..d37966865 100644
--- a/src/src/routers/rf_get_transport.c
+++ b/src/src/routers/rf_get_transport.c
@@ -1,11 +1,11 @@
-/* $Cambridge: exim/src/src/routers/rf_get_transport.c,v 1.3 2006/02/07 11:19:02 ph10 Exp $ */
-
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2006 */
+/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
 /* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
 
 #include "../exim.h"
 #include "rf_functions.h"
@@ -46,11 +46,11 @@ rf_get_transport(uschar *tpname, transport_instance **tpptr, address_item *addr,
 {
 uschar *ss;
 BOOL expandable;
-transport_instance *tp;
 
-if (tpname == NULL)
+GET_OPTION("transport");
+if (!tpname)
   {
-  if (require_name == NULL) return TRUE;
+  if (!require_name) return TRUE;
   addr->basic_errno = ERRNO_BADTRANSPORT;
   addr->message = string_sprintf("%s unset in %s router", require_name,
     router_name);
@@ -62,26 +62,33 @@ if (*tpptr != NULL && !expandable) return TRUE;
 
 if (expandable)
   {
-  ss = expand_string(tpname);
-  if (ss == NULL)
+  if (!(ss = expand_string(tpname)))
     {
     addr->basic_errno = ERRNO_BADTRANSPORT;
     addr->message = string_sprintf("failed to expand transport "
       "\"%s\" in %s router: %s", tpname, router_name, expand_string_message);
     return FALSE;
     }
+  if (is_tainted(ss))
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "attempt to use tainted value '%s' from '%s' for transport", ss, tpname);
+    addr->basic_errno = ERRNO_BADTRANSPORT;
+    /* Avoid leaking info to an attacker */
+    addr->message = US"internal configuration error";
+    return FALSE;
+    }
   }
-else ss = tpname;
+else
+  ss = tpname;
 
-for (tp = transports; tp != NULL; tp = tp->next)
-  {
+for (transport_instance * tp = transports; tp; tp = tp->next)
   if (Ustrcmp(tp->name, ss) == 0)
     {
     DEBUG(D_route) debug_printf("set transport %s\n", ss);
     *tpptr = tp;
     return TRUE;
     }
-  }
 
 addr->basic_errno = ERRNO_BADTRANSPORT;
 addr->message = string_sprintf("transport \"%s\" not found in %s router", ss,