From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 3 Jun 2020 10:40:17 +0000 (+0100)
Subject: Taint: fix multiple ACL actions to properly manage tainted argument data
X-Git-Tag: exim-4.95-RC0~339
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/12b7f811de4a540d0724585aecfa33b5881e2a30

Taint: fix multiple ACL actions to properly manage tainted argument data
---

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 19a1b1785..d9959d5ac 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -17,7 +17,9 @@ JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used
 
 JH/03 Bug 2586: Fix listcount expansion operator.  Using tainted arguments is
       reasonable, eg. to count headers.  Fix by using dynamically created
-      buffers rather than a local,
+      buffers rather than a local.  Do similar fixes for ACL actions "dcc",
+      "log_reject_target", "malware" and "spam"; the arguments are expanded
+      so could be handling tainted values.
 
 
 Exim version 4.94
diff --git a/src/src/acl.c b/src/src/acl.c
index 57a07296f..2a52ce7b2 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -3420,11 +3420,11 @@ for (; cb; cb = cb->next)
       {
       /* Separate the regular expression and any optional parameters. */
       const uschar * list = arg;
-      uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
+      uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
       /* Run the dcc backend. */
       rc = dcc_process(&ss);
       /* Modify return code based upon the existence of options. */
-      while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+      while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
         if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
           rc = FAIL;   /* FAIL so that the message is passed to the next ACL */
       }
@@ -3585,7 +3585,7 @@ for (; cb; cb = cb->next)
       int sep = 0;
       const uschar *s = arg;
       uschar * ss;
-      while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size)))
+      while ((ss = string_nextinlist(&s, &sep, NULL, 0)))
         {
         if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
         else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
@@ -3638,7 +3638,7 @@ for (; cb; cb = cb->next)
       {
       /* Separate the regular expression and any optional parameters. */
       const uschar * list = arg;
-      uschar * ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
+      uschar * ss = string_nextinlist(&list, &sep, NULL, 0);
       uschar * opt;
       BOOL defer_ok = FALSE;
       int timeout = 0;
@@ -3743,11 +3743,11 @@ for (; cb; cb = cb->next)
       {
       /* Separate the regular expression and any optional parameters. */
       const uschar * list = arg;
-      uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
+      uschar *ss = string_nextinlist(&list, &sep, NULL, 0);
 
       rc = spam(CUSS &ss);
       /* Modify return code based upon the existence of options. */
-      while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+      while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
         if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
           rc = FAIL;	/* FAIL so that the message is passed to the next ACL */
       }