From: Jeremy Harris Date: Mon, 25 Jan 2021 14:55:06 +0000 (+0000) Subject: AUTH: avoid logging creds on ACL denial X-Git-Tag: exim-4.95-RC0~145 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/37a81ae7317bb78b2ff152821930c2ff0873512b AUTH: avoid logging creds on ACL denial --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index e1381c156..b20991280 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -180,6 +180,10 @@ JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext JH/37 Enforce the expected size, for fixed-size records read from hints-DB files. For bad sizes read, delete the record and whine to paniclog. +JH/38 When logging an AUTH failure, as server, do not include sensitive + information. Previously, the credentials would be included if given + as part of the AUTH command line and an ACL denied authentidcation. + Exim version 4.94 diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 0467b2257..14dd11498 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -3279,18 +3279,7 @@ int codelen = 3; uschar *smtp_code; uschar *lognl; uschar *sender_info = US""; -uschar *what = -#ifdef WITH_CONTENT_SCAN - where == ACL_WHERE_MIME ? US"during MIME ACL checks" : -#endif - where == ACL_WHERE_PREDATA ? US"DATA" : - where == ACL_WHERE_DATA ? US"after DATA" : -#ifndef DISABLE_PRDR - where == ACL_WHERE_PRDR ? US"after DATA PRDR" : -#endif - smtp_cmd_data ? - string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data) : - string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]); +uschar *what; if (drop) rc = FAIL; @@ -3306,19 +3295,45 @@ fixed, sender_address at this point became the rewritten address. I'm not sure this is what should be logged, so I've changed to logging the unrewritten address to retain backward compatibility. */ -#ifndef WITH_CONTENT_SCAN -if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA) -#else -if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME) +switch (where) + { +#ifdef WITH_CONTENT_SCAN + case ACL_WHERE_MIME: what = US"during MIME ACL checks"; break; +#endif + case ACL_WHERE_PREDATA: what = US"DATA"; break; + case ACL_WHERE_DATA: what = US"after DATA"; break; +#ifndef DISABLE_PRDR + case ACL_WHERE_PRDR: what = US"after DATA PRDR"; break; #endif + default: + { + uschar * place = smtp_cmd_data ? smtp_cmd_data : US"in \"connect\" ACL"; + int lim = 100; + + if (where == ACL_WHERE_AUTH) /* avoid logging auth creds */ + { + uschar * s; + for (s = smtp_cmd_data; *s && !isspace(*s); ) s++; + lim = s - smtp_cmd_data; /* atop after method */ + } + what = string_sprintf("%s %.*s", acl_wherenames[where], lim, place); + } + } +switch (where) { - sender_info = string_sprintf("F=<%s>%s%s%s%s ", - sender_address_unrewritten ? sender_address_unrewritten : sender_address, - sender_host_authenticated ? US" A=" : US"", - sender_host_authenticated ? sender_host_authenticated : US"", - sender_host_authenticated && authenticated_id ? US":" : US"", - sender_host_authenticated && authenticated_id ? authenticated_id : US"" - ); + case ACL_WHERE_RCPT: + case ACL_WHERE_DATA: +#ifdef WITH_CONTENT_SCAN + case ACL_WHERE_MIME: +#endif + sender_info = string_sprintf("F=<%s>%s%s%s%s ", + sender_address_unrewritten ? sender_address_unrewritten : sender_address, + sender_host_authenticated ? US" A=" : US"", + sender_host_authenticated ? sender_host_authenticated : US"", + sender_host_authenticated && authenticated_id ? US":" : US"", + sender_host_authenticated && authenticated_id ? authenticated_id : US"" + ); + break; } /* If there's been a sender verification failure with a specific message, and @@ -4035,21 +4050,18 @@ while (done <= 0) /* Find the name of the requested authentication mechanism. */ s = smtp_cmd_data; - while ((c = *smtp_cmd_data) != 0 && !isspace(c)) - { + for (; (c = *smtp_cmd_data) && !isspace(c); smtp_cmd_data++) if (!isalnum(c) && c != '-' && c != '_') { done = synprot_error(L_smtp_syntax_error, 501, NULL, US"invalid character in authentication mechanism name"); goto COMMAND_LOOP; } - smtp_cmd_data++; - } /* If not at the end of the line, we must be at white space. Terminate the name and move the pointer on to any data that may be present. */ - if (*smtp_cmd_data != 0) + if (*smtp_cmd_data) { *smtp_cmd_data++ = 0; while (isspace(*smtp_cmd_data)) smtp_cmd_data++; diff --git a/test/log/3450 b/test/log/3450 index 3fcb043eb..5f2fe4239 100644 --- a/test/log/3450 +++ b/test/log/3450 @@ -1,4 +1,4 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH +1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH diff --git a/test/log/3460 b/test/log/3460 index 3fcb043eb..5f2fe4239 100644 --- a/test/log/3460 +++ b/test/log/3460 @@ -1,4 +1,4 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH +1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH diff --git a/test/rejectlog/3450 b/test/rejectlog/3450 index b2fa6d6df..880086838 100644 --- a/test/rejectlog/3450 +++ b/test/rejectlog/3450 @@ -1,3 +1,3 @@ ******** SERVER ******** -1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH +1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH diff --git a/test/rejectlog/3460 b/test/rejectlog/3460 index b2fa6d6df..880086838 100644 --- a/test/rejectlog/3460 +++ b/test/rejectlog/3460 @@ -1,3 +1,3 @@ ******** SERVER ******** -1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH +1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH