From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Mon, 25 Dec 2023 16:50:23 +0000 (+0000)
Subject: Testsuite: testcase for "smtp smuggling".  Bug 3063
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/f78e417c3c2e7348ce58bb03efc7343bb6d32383

Testsuite: testcase for "smtp smuggling".  Bug 3063
Also remove the unneeded sync point added in cf1376206284
---

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 56b0aca9b..a7b8b68c7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -58,10 +58,7 @@ JH/11 Bug 3046: Fix queue-runs.  Previously, the arrivel of a notification or
       the latter being missed, and no further queue scheduled runs being
       initiated.  This ouwld be more likely on high-load systems.
 
-JH/12 Enforce a data synch check before emitting the 354 "go ahead".  Previously
-      this was only done if a pre-data ACL was configured.
-
-JH/13 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
+JH/12 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
       LF-only mode (as detected from the first header line).  Previously we did
       accept that in (normal) CRLF mode; this has been raised as a possible
       attack scenario (under the name "smtp smuggling").
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index aeaffeb37..541288301 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5113,10 +5113,7 @@ while (done <= 0)
 	dummy call to get the DATA command sent. */
 
 	if (!acl_smtp_predata && cutthrough.cctx.sock < 0)
-	  {
-	  if (!check_sync()) goto SYNC_FAILURE;
 	  rc = OK;
-	  }
 	else
 	  {
 	  uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
diff --git a/test/log/0900 b/test/log/0900
index 00d13e443..a7852da37 100644
--- a/test/log/0900
+++ b/test/log/0900
@@ -16,3 +16,4 @@
 2017-07-30 18:51:05.712 10HmbG-000000005vi-0000 <= some6ne@some.domain H=(tester) [127.0.0.1] Ci=p1243 P=esmtp K S=sss for CALLER@test.ex
 2017-07-30 18:51:05.712 rejected from <someone@some.domain> H=(tester) [127.0.0.1]: Non-CRLF-terminated header, under CHUNKING: message abandoned
 2017-07-30 18:51:05.712 10HmbH-000000005vi-0000 <= someone@some.domain H=(tester) [127.0.0.1] Ci=p1244 P=esmtp K S=sss for CALLER@test.ex
+2017-07-30 18:51:05.712 10HmbI-000000005vi-0000 <= legit@some.domain H=(smuggler) [127.0.0.1] Ci=p1245 P=esmtp S=sss for CALLER@test.ex
diff --git a/test/scripts/0000-Basic/0900 b/test/scripts/0000-Basic/0900
index 4edc82952..9e293c6aa 100644
--- a/test/scripts/0000-Basic/0900
+++ b/test/scripts/0000-Basic/0900
@@ -373,6 +373,39 @@ quit
 ??? 221
 ****
 #
+# Test for smtp-smuggling.  Accepting only one message is good; two is bad.
+client 127.0.0.1 PORT_D
+??? 220
+ehlo smuggler
+??? 250-
+??? 250-SIZE
+??? 250-8BITMIME
+??? 250-PIPELINING
+??? 250-CHUNKING
+??? 250 HELP
+MAIL FROM:<legit@some.domain>
+??? 250
+RCPT TO:<CALLER@test.ex>
+??? 250
+DATA
+??? 354
+Subject: test of smuggled smtp
+
+This is body for initial message
+The next line is a bogus end-of-data attempt, followed by a try at a smuggled message:
+>>> .\n
+mail from:<smuggler@y>
+rcpt to:<CALLER@test.ex>
+bdat 86 last
+Subject: send me all your money!
+
+All your bases are belong to us.  Send Bitcoins.
+QUIT
+.
+??? 250
+QUIT
+??? 221
+****
 #
 killdaemon
 no_msglog_check
diff --git a/test/stdout/0900 b/test/stdout/0900
index 9fe0eb7de..a5b8d91f8 100644
--- a/test/stdout/0900
+++ b/test/stdout/0900
@@ -528,3 +528,47 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 221
 <<< 221 testhost.test.ex closing connection
 End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 testhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo smuggler
+??? 250-
+<<< 250-testhost.test.ex Hello smuggler [127.0.0.1]
+??? 250-SIZE
+<<< 250-SIZE 52428800
+??? 250-8BITMIME
+<<< 250-8BITMIME
+??? 250-PIPELINING
+<<< 250-PIPELINING
+??? 250-CHUNKING
+<<< 250-CHUNKING
+??? 250 HELP
+<<< 250 HELP
+>>> MAIL FROM:<legit@some.domain>
+??? 250
+<<< 250 OK
+>>> RCPT TO:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 354
+<<< 354 Enter message, ending with "." on a line by itself
+>>> Subject: test of smuggled smtp
+>>> 
+>>> This is body for initial message
+>>> The next line is a bogus end-of-data attempt, followed by a try at a smuggled message:
+>>> .\n
+>>> mail from:<smuggler@y>
+>>> rcpt to:<CALLER@test.ex>
+>>> bdat 86 last
+>>> Subject: send me all your money!
+>>> 
+>>> All your bases are belong to us.  Send Bitcoins.
+>>> QUIT
+>>> .
+??? 250
+<<< 250 OK id=10HmbI-000000005vi-0000
+>>> QUIT
+??? 221
+<<< 221 testhost.test.ex closing connection
+End of script