out as prompts, and get a data item back. If the data item is "*", abandon the
authentication attempt. Otherwise, split it into items as above. */
-while ( (s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size))
+while ( (s = string_nextinlist(&prompts, &sep, NULL, 0))
&& expand_nmax < EXPAND_MAXN)
if (number++ > expand_nmax)
if ((rc = auth_prompt(CUS s)) != OK)
}
/* loop through numbers */
+ /* option_list doesn't seem to be expanded so cannot be tainted. If it ever is we
+ will trap here */
rule_ptr = option_list;
while ((rule_num = string_nextinlist(&rule_ptr, &sep,
- rule_buffer, 32)) != NULL) {
+ rule_buffer, sizeof(rule_buffer)))) {
int rule_int = -1;
/* try to translate to int */
list = tls_in.on_connect_ports;
sep = 0;
+ /* the list isn't expanded so cannot be tainted. If it ever is we will trap here */
while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
if (!isdigit(*s))
{
uschar *pattern;
uschar patbuf[256];
+/*XXX The list is used before expansion. Not sure how that ties up with the docs */
while ( *aptr
&& (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf)))
)
int len = Ustrlen(ALT_CONFIG_PREFIX);
const uschar *list = argrest;
uschar *filename;
+ /* The argv is untainted, so big_buffer (also untainted) is ok to use */
while((filename = string_nextinlist(&list, &sep, big_buffer,
big_buffer_size)))
if ( ( Ustrlen(filename) < len
uschar * item;
uschar * suffix = US"";
BOOL needsep = FALSE;
- uschar buffer[256];
+#define LISTNAMED_BUF_SIZE 256
+ uschar b[LISTNAMED_BUF_SIZE];
+ uschar * buffer = b;
if (*sub == '+') sub++;
if (!arg) /* no-argument version */
list = ((namedlist_block *)(t->data.ptr))->string;
- while ((item = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+ /* The list could be quite long so we (re)use a buffer for each element
+ rather than getting each in new memory */
+
+ if (is_tainted(list)) buffer = store_get(LISTNAMED_BUF_SIZE, TRUE);
+ while ((item = string_nextinlist(&list, &sep, buffer, LISTNAMED_BUF_SIZE)))
{
uschar * buf = US" : ";
if (needsep)
else if (subtype == FALSE)
{
int sep = 0;
- uschar *ss;
- const uschar *list = s;
- uschar buffer[128];
- while ((ss = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))
- != NULL)
+ const uschar * list = s;
+
+ for (uschar * ss; ss = string_nextinlist(&list, &sep, NULL, 0); )
header_remove(0, ss);
}
host_is_tls_on_connect_port(int port)
{
int sep = 0;
-uschar buffer[32];
-const uschar *list = tls_in.on_connect_ports;
-uschar *s;
-uschar *end;
+const uschar * list = tls_in.on_connect_ports;
if (tls_in.on_connect) return TRUE;
-while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+for (uschar * s, * end; s = string_nextinlist(&list, &sep, NULL, 0); )
if (Ustrtol(s, &end, 10) == port)
return TRUE;
int sep = 0;
uschar *server;
uschar *list = ibase_servers;
-uschar buffer[512];
DEBUG(D_lookup) debug_printf_indent("Interbase query: %s\n", query);
-while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+while ((server = string_nextinlist(&list, &sep, NULL, 0)))
{
BOOL defer_break = FALSE;
int rc = perform_ibase_search(query, server, result, errmsg, &defer_break);
int sep = 0;
uschar *server;
uschar *list = oracle_servers;
-uschar buffer[512];
do_cache = do_cache; /* Placate picky compilers */
DEBUG(D_lookup) debug_printf_indent("ORACLE query: %s\n", query);
-while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+while ((server = string_nextinlist(&list, &sep, NULL, 0)))
{
BOOL defer_break;
int rc = perform_oracle_search(query, server, result, errmsg, &defer_break);
{
int watchdog = 50;
uschar *list, *ss;
- uschar buffer[1024];
if (sdomain == subject + 1 && *subject == '*') return FAIL;
/* Look up the local parts provided by the list; negation is permitted.
If a local part has to begin with !, a regex can be used. */
- while ((ss = string_nextinlist(CUSS &list, &sep, buffer, sizeof(buffer))))
+ while ((ss = string_nextinlist(CUSS &list, &sep, NULL, 0)))
{
int local_yield;
uschar *item, *localpart, *domain;
const uschar *listptr = errors_copy;
uschar *yield = NULL;
-uschar buffer[256];
int sep = 0;
int llen;
/* Scan through the configured items */
-while ((item = string_nextinlist(&listptr, &sep, buffer, sizeof(buffer))))
+while ((item = string_nextinlist(&listptr, &sep, NULL, 0)))
{
const uschar *newaddress = item;
const uschar *pattern = string_dequote(&newaddress);
flagptr = (int *)ol3->v.value;
}
+ /* This will trap if sptr is tainted. Not sure if that can happen */
while ((p = string_nextinlist(CUSS &sptr, &sep, big_buffer, BIG_BUFFER_SIZE)))
{
rewrite_rule *next = readconf_one_rewrite(p, flagptr, FALSE);
while (count-- > 1)
{
int sep = 0;
+ /* If p is tainted we trap. Not sure that can happen */
(void)string_nextinlist(&p, &sep, big_buffer, BIG_BUFFER_SIZE);
if (!route_finduser(big_buffer, NULL, &uid))
log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "user %s was not found",
while (count-- > 1)
{
int sep = 0;
+ /* If p is tainted we trap. Not sure that can happen */
(void)string_nextinlist(&p, &sep, big_buffer, BIG_BUFFER_SIZE);
if (!route_findgroup(big_buffer, &gid))
log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN, "group %s was not found",
/* Loop through the possible file names */
+/* Should never be a tainted list */
while((filename = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
{
"\"%s\": %s", log_file_path, expand_string_message);
ss = s;
+ /* should never be a tainted list */
while ((sss = string_nextinlist(&ss, &sep, big_buffer, big_buffer_size)))
{
uschar *t;
empty item in a list. */
if (*p == 0) p = US":";
+ /* should never be a tainted list */
while ((path = string_nextinlist(&p, &sep, buffer, sizeof(buffer))))
if (Ustrcmp(path, "syslog") != 0)
break;
const uschar * list = acl_removed_headers;
int sep = ':'; /* This is specified as a colon-separated list */
uschar *s;
- uschar buffer[128];
- while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+ while ((s = string_nextinlist(&list, &sep, NULL, 0)))
if (header_testname(h, s, Ustrlen(s), FALSE))
{
h->type = htype_old;
BOOL ugid_set = FALSE;
const uschar *listptr;
uschar *check;
-uschar buffer[1024];
if (!s) return OK;
DEBUG(D_route) debug_printf("checking require_files\n");
listptr = s;
-while ((check = string_nextinlist(&listptr, &sep, buffer, sizeof(buffer))))
+while ((check = string_nextinlist(&listptr, &sep, NULL, 0)))
{
int rc;
int eacces_code = 0;
&& (verify != v_sender || !ob->rewrite_headers || addr->parent))
{
listptr = ob->widen_domains;
+ /* not expanded so should never be tainted */
widen = string_nextinlist(&listptr, &widen_sep, widen_buffer,
sizeof(widen_buffer));
else if (widen)
{
h.name = string_sprintf("%s.%s", addr->domain, widen);
+ /* not expanded so should never be tainted */
widen = string_nextinlist(&listptr, &widen_sep, widen_buffer,
sizeof(widen_buffer));
DEBUG(D_route) debug_printf("%s router widened %s to %s\n", rblock->name,
being a host list. */
listptr = ob->hosts;
+/* not expanded so should never be tainted */
while ((hostname = string_nextinlist(&listptr, &sep, host_buffer,
sizeof(host_buffer))))
{
Uskip_whitespace(&expint);
if (!*expint) return TRUE;
+/* we just tested to ensure no taint, so big_buffer is ok */
while ((iface = string_nextinlist(&expint, &sep, big_buffer,
big_buffer_size)))
{
co = 0;
if (srs_config != NULL)
{
+ /* looks like list not expanded, so cannot be tainted */
secret = string_nextinlist(&list, &co, secret_buf, SRS_MAX_SECRET_LENGTH);
if ((sbufp = string_nextinlist(&list, &co, sbuf, sizeof(sbuf))))
co = 0;
list = srs_secrets;
if (secret == NULL || *secret == '\0')
+ /* looks like list not expanded so cannot be tainted */
if (!(secret = string_nextinlist(&list, &co, secret_buf, SRS_MAX_SECRET_LENGTH)))
{
log_write(0, LOG_MAIN | LOG_PANIC,
srs_set_option(srs, SRS_OPTION_USEHASH, usehash);
/* Extra secrets? */
+ /* looks like list not expanded so cannot be tainted */
while((secret = string_nextinlist(&list, &co, secret_buf, SRS_MAX_SECRET_LENGTH)))
srs_add_secret(srs, secret,
Ustrlen(secret) > SRS_MAX_SECRET_LENGTH ? SRS_MAX_SECRET_LENGTH : Ustrlen(secret));
separator a pointer to the separator character in an int (see above)
buffer where to put a copy of the next string in the list; or
NULL if the next string is returned in new memory
+ Note that if the list is tainted then a provided buffer must be
+ also (else we trap, with a message referencing the callsite).
+ If we do the allocation, taint is handled there.
buflen when buffer is not NULL, the size of buffer; otherwise ignored
Returns: pointer to buffer, containing the next substring,
/* Search the formats for a match */
-while ((s = string_nextinlist(&format,&sep,big_buffer,big_buffer_size)))
+/* not expanded so cannot be tainted */
+while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size)))
{
int slen = Ustrlen(s);
BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
git://git.exim.org / exim.git / commitdiff