Taint: fix listcount expansion operator. Bug 2586

author Jeremy Harris <jgh146exb@wizmail.org>

Tue, 2 Jun 2020 14:03:36 +0000 (15:03 +0100)

committer Jeremy Harris <jgh146exb@wizmail.org>

Tue, 2 Jun 2020 14:48:58 +0000 (15:48 +0100)
author Jeremy Harris <jgh146exb@wizmail.org>
Tue, 2 Jun 2020 14:03:36 +0000 (15:03 +0100)
committer Jeremy Harris <jgh146exb@wizmail.org>
Tue, 2 Jun 2020 14:48:58 +0000 (15:48 +0100)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog

index dbdc221171c12e56eecdbe39f1c9fd0045f9deca..94bcea29bdff9713a81cba2bf4e8fa406c6fb4bb 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,6 +11,10 @@ JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used
        buffer was taking a taint-enformance trap.  Fix by using dynamically
        created buffers.
  
+JH/03 Bug 2586: Fix listcount expansion operator.  Using tainted arguments is
+      reasonable, eg. to count headers.  Fix by using dynamically created
+      buffers rather than a local,
+
  
  Exim version 4.94
  -----------------
diff --git a/src/src/expand.c b/src/src/expand.c

index 26f7f10acfed2bb61ba423c60014927410ef2af5..6ed22c14d958a95a80a481f3264b4fd39fbccc4c 100644 (file)
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -7208,9 +7208,8 @@ while (*s != 0)
          {
         int cnt = 0;
         int sep = 0;
-       uschar buffer[256];
  
-       while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++;
+       while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;
         yield = string_fmt_append(yield, "%d", cnt);
          continue;
          }
author	Jeremy Harris <jgh146exb@wizmail.org>
	Tue, 2 Jun 2020 14:03:36 +0000 (15:03 +0100)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Tue, 2 Jun 2020 14:48:58 +0000 (15:48 +0100)
doc/doc-txt/ChangeLog		patch \| blob \| history
src/src/expand.c		patch \| blob \| history