From 44644c2e404a3ea0191db0b0458e86924fb240bb Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Tue, 2 Jun 2020 15:03:36 +0100
Subject: [PATCH] Taint: fix listcount expansion operator. Bug 2586
---
 doc/doc-txt/ChangeLog | 6 +++++-
 src/src/expand.c | 3 +--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 93bd62cc4..240dc7538 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,10 +11,14 @@ JH/01 Bug 1329: Fix format of Maildir-format filenames to match other mail-
 says that "M" should be, so change to match.
 JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
- as arguments, so an implementation trying to copy these into local
+ as arguments, so an implementation trying to copy these into a local
 buffer was taking a taint-enformance trap. Fix by using dynamically
 created buffers.
+JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is
+ reasonable, eg. to count headers. Fix by using dynamically created
+ buffers rather than a local,
+
 Exim version 4.94
 -----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index b014533c9..b01512425 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -7208,9 +7208,8 @@ while (*s != 0)
 {
 int cnt = 0;
 int sep = 0;
- uschar buffer[256];
- while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++;
+ while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;
 yield = string_fmt_append(yield, "%d", cnt);
 continue;
 }
-- 
2.30.2
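Review bot: The rewritten call `string_nextinlist(CUSS &sub, &sep, NULL, 0)` in the src/src/expand.c hunk carries no comment saying why no caller buffer is passed, so a later tidy-up could reintroduce the fixed `uschar buffer[256]` and with it the taint trap described in the ChangeLog entry. I would add above the loop `/* NULL buffer: each item goes to dynamically allocated store, because a tainted list must not be copied into an untainted local buffer */`. Judging by the ChangeLog wording, every element is now allocated only to be counted and discarded, so it is worth confirming that a very long attacker-influenced list (headers, for example) cannot grow the store unreasonably before it is reset; string_nextinlist() itself is not visible here. The enclosing operator case starts and ends outside the hunk.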