From: Jeremy Harris Date: Fri, 17 Mar 2023 18:39:46 +0000 (+0000) Subject: ACL: patterns for remove_headers. Bug 2985 X-Git-Tag: exim-4.97-RC0~99 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/1745d310db8102be38db65401df57747e9beaf6a ACL: patterns for remove_headers. Bug 2985 --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index bdc0eb30e..08a197bd7 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -32134,8 +32134,24 @@ Headers will not be removed from the message if the modifier is used in DATA, MIME or DKIM ACLs for a message delivered by cutthrough routing. More than one header can be removed at the same time by using a colon separated -list of header names. The header matching is case insensitive. Wildcards are -not permitted, nor is list expansion performed, so you cannot use hostlists to +list of header specifiers. +.new +If a specifier does not start with a circumflex (^) +then it is treated as a header name. +The header name matching is case insensitive. +If it does, then it is treated as a (front-anchored) +regular expression applied to the whole header. + +&*Note*&: The colon terminating a header name will need to be doubled +if used in an RE, and there can legitimately be whitepace before it. + +Example: +.code +remove_header = \N^(?i)Authentication-Results\s*::\s*example.org;\N +.endd +.wen + +List expansion is not performed, so you cannot use hostlists to create a list of headers, however both connection and message variable expansion are performed (&%$acl_c_*%& and &%$acl_m_*%&), illustrated in this example: .code @@ -32144,14 +32160,14 @@ warn hosts = +internal_hosts warn message = Remove internal headers remove_header = $acl_c_ihdrs .endd -Header names for removal are accumulated during the MAIL, RCPT, and predata ACLs. +Header specifiers for removal are accumulated during the MAIL, RCPT, and predata ACLs. Matching header lines are removed from the message before processing the DATA and MIME ACLs. If multiple header lines match, all are removed. There is no harm in attempting to remove the same header twice nor in removing -a non-existent header. Further header lines to be removed may be accumulated -during the DATA and MIME ACLs, after which they are removed from the message, -if present. In the case of non-SMTP messages, headers to be removed are -accumulated during the non-SMTP ACLs, and are removed from the message after +a non-existent header. Further header specifiers for removal may be accumulated +during the DATA and MIME ACLs, after which matching headers are removed +if present. In the case of non-SMTP messages, remove speifiers are +accumulated during the non-SMTP ACLs, and are acted on after all the ACLs have run. If a message is rejected after DATA or by the non-SMTP ACL, there really is no effect because there is no logging of what headers would have been removed. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 84db8ea58..991bcf741 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -31,6 +31,8 @@ Version 4.97 11. An option for the ${readsocket } expansion to set an SNI for TLS. + 12. The ACL remove_header modifier can take a pattern. + Version 4.96 ------------ diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index dbd57d698..aac8ca77d 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -513,7 +513,9 @@ standard header. add_header = :at_start:${authresults {}} Note that it would be wise to strip incoming messages of A-R headers - that claim to be from our own . + that claim to be from our own . Eg: + + remove_header = \N^(?i)Authentication-Results\s*::\s*example.org;\N There are four new variables: diff --git a/src/src/header.c b/src/src/header.c index d5f1dcd6b..59a9a13b3 100644 --- a/src/src/header.c +++ b/src/src/header.c @@ -30,11 +30,12 @@ Returns: TRUE or FALSE */ BOOL -header_testname(header_line *h, const uschar *name, int len, BOOL notdel) +header_testname(const header_line * h, const uschar * name, int len, + BOOL notdel) { uschar *tt; if (h->type == '*' && notdel) return FALSE; -if (h->text == NULL || strncmpic(h->text, name, len) != 0) return FALSE; +if (!h->text || strncmpic(h->text, name, len) != 0) return FALSE; tt = h->text + len; while (*tt == ' ' || *tt == '\t') tt++; return *tt == ':'; @@ -46,11 +47,11 @@ return *tt == ':'; header_testname() above. */ BOOL -header_testname_incomplete(header_line *h, const uschar *name, +header_testname_incomplete(const header_line * h, const uschar * name, int len, BOOL notdel) { if (h->type == '*' && notdel) return FALSE; -if (h->text == NULL || strncmpic(h->text, name, len) != 0) return FALSE; +if (!h->text || strncmpic(h->text, name, len) != 0) return FALSE; return TRUE; } diff --git a/src/src/local_scan.h b/src/src/local_scan.h index c88994442..72f2ac47d 100644 --- a/src/src/local_scan.h +++ b/src/src/local_scan.h @@ -188,8 +188,8 @@ extern uschar *expand_string(uschar *); extern void header_add(int, const char *, ...); extern void header_add_at_position(BOOL, uschar *, BOOL, int, const char *, ...); extern void header_remove(int, const uschar *); -extern BOOL header_testname(header_line *, const uschar *, int, BOOL); -extern BOOL header_testname_incomplete(header_line *, const uschar *, int, BOOL); +extern BOOL header_testname(const header_line *, const uschar *, int, BOOL); +extern BOOL header_testname_incomplete(const header_line *, const uschar *, int, BOOL); extern void log_write(unsigned int, int, const char *format, ...) PRINTF_FUNCTION(3,4); extern int lss_b64decode(uschar *, uschar **); extern uschar *lss_b64encode(uschar *, int); diff --git a/src/src/receive.c b/src/src/receive.c index 77665d89f..94fa6d5de 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -1230,9 +1230,9 @@ Returns: nothing */ static void -add_acl_headers(int where, uschar *acl_name) +add_acl_headers(int where, uschar * acl_name) { -header_line *last_received = NULL; +header_line * last_received = NULL; switch(where) { @@ -1254,15 +1254,22 @@ if (acl_removed_headers) for (header_line * h = header_list; h; h = h->next) if (h->type != htype_old) { - const uschar * list = acl_removed_headers; + const uschar * list = acl_removed_headers, * s; int sep = ':'; /* This is specified as a colon-separated list */ - uschar *s; + /* If a list element has a leading '^' then it is an RE for + the whole header, else just a header name. */ while ((s = string_nextinlist(&list, &sep, NULL, 0))) - if (header_testname(h, s, Ustrlen(s), FALSE)) + if ( ( *s == '^' + && regex_match( + regex_must_compile(s, MCS_CACHEABLE, FALSE), + h->text, h->slen, NULL) + ) + || header_testname(h, s, Ustrlen(s), FALSE) + ) { h->type = htype_old; - DEBUG(D_receive|D_acl) debug_printf_indent(" %s", h->text); + DEBUG(D_receive|D_acl) debug_printf_indent(" %s", h->text); } } acl_removed_headers = NULL; diff --git a/test/confs/0567 b/test/confs/0567 index 6ee678899..b85f3b5fe 100644 --- a/test/confs/0567 +++ b/test/confs/0567 @@ -58,6 +58,7 @@ data: remove_header = x-data-2 warn log_message = Verified removed header X-Data-3 in this ACL still visible condition = ${if !eq{$h_x-data-3:}{}} + warn remove_header = \N^(?i)Authentication-Results\s*::\s*remove.org;\N accept notsmtp: diff --git a/test/mail/0567.rcptok b/test/mail/0567.rcptok index 48d5f3cbe..e31f56347 100644 --- a/test/mail/0567.rcptok +++ b/test/mail/0567.rcptok @@ -24,6 +24,9 @@ X-Predata-2: Line nineteen X-NotSMTP-1: Line twenty-one X-NotSMTP-2: Line twenty-two X-NotSMTP-3: Line twenty-three +Authentication-Results: keep.org; baz barf +Authentication-Results: keep.org; + multiline Message-Id: From: mailok@test.ex Date: Tue, 2 Mar 1999 09:44:33 +0000 diff --git a/test/scripts/0000-Basic/0567 b/test/scripts/0000-Basic/0567 index a7a43489a..21374436f 100644 --- a/test/scripts/0000-Basic/0567 +++ b/test/scripts/0000-Basic/0567 @@ -33,6 +33,12 @@ X-Predata-1: Line twenty X-NotSMTP-1: Line twenty-one X-NotSMTP-2: Line twenty-two X-NotSMTP-3: Line twenty-three +Authentication-Results: remove.org; foo bar +Authentication-Results: keep.org; baz barf +authentication-Results : REMOVE.ORG; + foo bar multiline +Authentication-Results: keep.org; + multiline Test message .