From: Heiko Schlittermann (HS12-RIPE) Date: Sat, 21 Nov 2020 21:41:28 +0000 (+0100) Subject: SECURITY: Fix safeguard against upward traversal in msglog files. X-Git-Tag: exim-4.95-RC0~51^2~33 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/40b8be2e25abb7569a05c839f5d0ab6176307a75?ds=inline;hp=5dad84609e49ce4c45d29ccb98b1b7b1f296d69e SECURITY: Fix safeguard against upward traversal in msglog files. Credits: Qualys 3/ In src/deliver.c: 333 static int 334 open_msglog_file(uschar *filename, int mode, uschar **error) 335 { 336 if (Ustrstr(filename, US"/../")) 337 log_write(0, LOG_MAIN|LOG_PANIC, 338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log the /../ attempt but will open the file anyway. (cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf) (cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976) --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 0e008c985..313dcbf7e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -294,6 +294,8 @@ PP/11 Fix security issue in BDAT state confusion. mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys. +HS/03 Die on "/../" in msglog file names + Exim version 4.94 ----------------- diff --git a/src/src/deliver.c b/src/src/deliver.c index ba2948dfd..cf8ab09eb 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -334,7 +334,7 @@ static int open_msglog_file(uschar *filename, int mode, uschar **error) { if (Ustrstr(filename, US"/../")) - log_write(0, LOG_MAIN|LOG_PANIC, + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); for (int i = 2; i > 0; i--)