From 44a16f3a2720c33e8d1500fd2812ef91018c8a2c Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 29 Aug 2020 19:18:35 +0100 Subject: [PATCH] Taint: enforce checking of directory creates --- src/src/directory.c | 5 ++++- src/src/spool_out.c | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/src/directory.c b/src/src/directory.c index 2d4d565f4..f54a781b7 100644 --- a/src/src/directory.c +++ b/src/src/directory.c @@ -44,6 +44,9 @@ uschar c = 1; struct stat statbuf; uschar * path; +if (is_tainted(name)) + { p = US"create"; path = US name; errno = ERRNO_TAINT; goto bad; } + if (parent) { path = string_sprintf("%s%s%s", parent, US"/", name); @@ -85,7 +88,7 @@ return TRUE; bad: if (panic) log_write(0, LOG_MAIN|LOG_PANIC_DIE, - "Failed to %s directory \"%s\": %s\n", p, path, strerror(errno)); + "Failed to %s directory \"%s\": %s\n", p, path, exim_errstr(errno)); return FALSE; } diff --git a/src/src/spool_out.c b/src/src/spool_out.c index 9a514b331..4539e3c69 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c @@ -505,6 +505,9 @@ spool_move_message(uschar *id, uschar *subdir, uschar *from, uschar *to) { uschar * dest_qname = queue_name_dest ? queue_name_dest : queue_name; +/* Since we are working within the spool, de-taint the dest queue name */ +dest_qname = string_copy_taint(dest_qname, FALSE); + /* Create any output directories that do not exist. */ (void) directory_make(spool_directory, -- 2.30.2