From 40b8be2e25abb7569a05c839f5d0ab6176307a75 Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12-RIPE)" Date: Sat, 21 Nov 2020 22:41:28 +0100 Subject: [PATCH] SECURITY: Fix safeguard against upward traversal in msglog files. Credits: Qualys 3/ In src/deliver.c: 333 static int 334 open_msglog_file(uschar *filename, int mode, uschar **error) 335 { 336 if (Ustrstr(filename, US"/../")) 337 log_write(0, LOG_MAIN|LOG_PANIC, 338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log the /../ attempt but will open the file anyway. (cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf) (cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976) --- doc/doc-txt/ChangeLog | 2 ++ src/src/deliver.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 0e008c985..313dcbf7e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -294,6 +294,8 @@ PP/11 Fix security issue in BDAT state confusion. mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys. +HS/03 Die on "/../" in msglog file names + Exim version 4.94 ----------------- diff --git a/src/src/deliver.c b/src/src/deliver.c index ba2948dfd..cf8ab09eb 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -334,7 +334,7 @@ static int open_msglog_file(uschar *filename, int mode, uschar **error) { if (Ustrstr(filename, US"/../")) - log_write(0, LOG_MAIN|LOG_PANIC, + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); for (int i = 2; i > 0; i--) -- 2.30.2