SECURITY: Fix safeguard against upward traversal in msglog files.

Credits: Qualys

    3/ In src/deliver.c:

     333 static int
     334 open_msglog_file(uschar *filename, int mode, uschar **error)
     335 {
     336 if (Ustrstr(filename, US"/../"))
     337   log_write(0, LOG_MAIN|LOG_PANIC,
     338     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);

    Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
    the /../ attempt but will open the file anyway.

(cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 87f1952f5b56ef272be56b77f2fb21fbe4588fdb..98c1b05e26929715ccf60c5028e883b554888ac2 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -205,6 +205,8 @@ PP/11 Fix security issue in BDAT state confusion.
       mode until after various protocol state checks.
       Fixes CVE-2020-BDATA reported by Qualys.
 
+HS/03 Die on "/../" in msglog file names
+
 
 Exim version 4.94
 -----------------

diff --git a/src/src/deliver.c b/src/src/deliver.c
index d85edd70ecf6f86031db263b59e6f532720dd3fb..389f2fb4c06980d63c1f1c36dd85f9110726c7db 100644 (file)
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -334,7 +334,7 @@ static int
 open_msglog_file(uschar *filename, int mode, uschar **error)
 {
 if (Ustrstr(filename, US"/../"))
-  log_write(0, LOG_MAIN|LOG_PANIC,
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
 
 for (int i = 2; i > 0; i--)