SECURITY: default recipients_max to 50,000
authorPhil Pennock <phil+git@pennock-tech.com>
Fri, 30 Oct 2020 01:38:25 +0000 (21:38 -0400)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:28 +0000 (21:30 +0200)
A default of "unlimited" can have unfortunate consequences when people start
putting many millions of recipients on a message.

(cherry picked from commit 1d7780722a66cea8da5fa4ae0775e85d185fbf7e)
(cherry picked from commit a6e1f69d82adcfd3caab8f228d96750dfddc8f07)

doc/doc-docbook/spec.xfpt
doc/doc-txt/ChangeLog
doc/doc-txt/OptionLists.txt
src/src/globals.c

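--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17394,7 +17394,7 @@ or if the message was submitted locally (not using TCP/IP), and the &%-bnq%&
 option was not set.
 
 
-.option recipients_max main integer 0
+.option recipients_max main integer 50000
 .cindex "limit" "number of recipients"
 .cindex "recipient" "maximum number"
 If this option is set greater than zero, it specifies the maximum number of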
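--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -278,6 +278,8 @@ PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
 PP/07 Refuse to allocate too little memory, block negative/zero allocations.
       Security guard.
 
+PP/08 Change default for recipients_max from unlimited to 50,000.
+
 
 Exim version 4.94
 -----------------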
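--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -466,7 +466,7 @@ receive_timeout                      time            0s            main
 received_header_text                 string*         +             main
 received_headers_max                 integer         30            main
 recipient_unqualified_hosts          host list       unset         main              4.00 replacing receiver_unqualified_hosts
-recipients_max                       integer         0             main              1.60
+recipients_max                       integer         50000         main              1.60 default changed in 4.95 (was 0)
 recipients_max_reject                boolean         false         main              1.70
 redirect_router                      string          unset         routers           4.00
 remote_max_parallel                  integer         1             main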
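--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1295,7 +1295,7 @@ uschar *recipient_verify_failure = NULL;
 int     recipients_count       = 0;
 recipient_item  *recipients_list = NULL;
 int     recipients_list_max    = 0;
-int     recipients_max         = 0;
+int     recipients_max         = 50000;
 const pcre *regex_AUTH         = NULL;
 const pcre *regex_check_dns_names = NULL;
 const pcre *regex_From         = NULL;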
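Review bot: The new default in `int     recipients_max         = 50000;` is a bare literal that the same commit repeats by hand in spec.xfpt and OptionLists.txt, and nothing at the definition records that 0 still means "no limit" or why the cap exists. A short comment on that line would keep the three copies from drifting, for example `/* default per-message recipient cap (resource-exhaustion guard); 0 = unlimited; keep in sync with spec.xfpt and OptionLists.txt */`. Because this changes behaviour on upgrade for every configuration that never set the option, the ChangeLog entry could also say that `recipients_max = 0` restores the old behaviour. The cap is presumably only a backstop, so hosts that accept mail from untrusted senders may still want a lower explicit value in their configuration.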