Fix tainted message for fakereject

author Jeremy Harris <jgh146exb@wizmail.org>

Wed, 7 Jul 2021 21:19:07 +0000 (22:19 +0100)

committer Jeremy Harris <jgh146exb@wizmail.org>

Wed, 7 Jul 2021 21:23:03 +0000 (22:23 +0100)
author Jeremy Harris <jgh146exb@wizmail.org>
Wed, 7 Jul 2021 21:19:07 +0000 (22:19 +0100)
committer Jeremy Harris <jgh146exb@wizmail.org>
Wed, 7 Jul 2021 21:23:03 +0000 (22:23 +0100)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog

index cc589c5678c0b3c5405f02a5cef392ec947dc3ba..dc9d9d8cc87e471553c3b4d0422cc6b7301279ed 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -320,6 +320,10 @@ JH/56 Make the majority of info read from config files readonly, for defence-in-
        depth against exploits.  Suggestion by Qualsy.
        Not supported on Solaris 10.
  
        depth against exploits.  Suggestion by Qualsy.
        Not supported on Solaris 10.
  
+JH/57 Fix control=fakreject for a custom message containing tainted data.
+      Previously this resulted in a log complaint, due to a re-expansion present
+      since fakereject was originally introduced.
+
  
  Exim version 4.94
  -----------------
  
  Exim version 4.94
  -----------------
diff --git a/src/src/acl.c b/src/src/acl.c

index 1bf118764baa1b1e67b8f38fa8dd4df56f9d9695..89947f405836db9d3490658ec5799d7203f5d86b 100644 (file)
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -3235,13 +3235,15 @@ for (; cb; cb = cb->next)
  
         case CONTROL_FAKEREJECT:
           cancel_cutthrough_connection(TRUE, US"fakereject");
  
         case CONTROL_FAKEREJECT:
           cancel_cutthrough_connection(TRUE, US"fakereject");
-         case CONTROL_FAKEDEFER:
+       case CONTROL_FAKEDEFER:
           fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
           if (*p == '/')
             {
             const uschar *pp = p + 1;
             while (*pp) pp++;
           fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
           if (*p == '/')
             {
             const uschar *pp = p + 1;
             while (*pp) pp++;
-           fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
+           /* The entire control= line was expanded at top so no need to expand
+           the part after the / */
+           fake_response_text = string_copyn(p+1, pp-p-1);
             p = pp;
             }
            else /* Explicitly reset to default string */
             p = pp;
             }
            else /* Explicitly reset to default string */
author	Jeremy Harris <jgh146exb@wizmail.org>
	Wed, 7 Jul 2021 21:19:07 +0000 (22:19 +0100)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Wed, 7 Jul 2021 21:23:03 +0000 (22:23 +0100)
doc/doc-txt/ChangeLog		patch \| blob \| history
src/src/acl.c		patch \| blob \| history