SECURITY: Fix safeguard against upward traversal in msglog files.

Credits: Qualys

    3/ In src/deliver.c:

     333 static int
     334 open_msglog_file(uschar *filename, int mode, uschar **error)
     335 {
     336 if (Ustrstr(filename, US"/../"))
     337   log_write(0, LOG_MAIN|LOG_PANIC,
     338     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);

    Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
    the /../ attempt but will open the file anyway.

(cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)
(cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 0e008c985742a55c362e67ccdc433b845a4ae3b5..313dcbf7ebee35de13df3042095ddbe1dacbd171 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -294,6 +294,8 @@ PP/11 Fix security issue in BDAT state confusion.
       mode until after various protocol state checks.
       Fixes CVE-2020-BDATA reported by Qualys.
 
+HS/03 Die on "/../" in msglog file names
+
 
 Exim version 4.94
 -----------------

diff --git a/src/src/deliver.c b/src/src/deliver.c
index ba2948dfd71b8900e47316f39682f68c7e17da76..cf8ab09ebda1ab2001ed077ac02cf4c211f5f746 100644 (file)
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -334,7 +334,7 @@ static int
 open_msglog_file(uschar *filename, int mode, uschar **error)
 {
 if (Ustrstr(filename, US"/../"))
-  log_write(0, LOG_MAIN|LOG_PANIC,
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
 
 for (int i = 2; i > 0; i--)