From 62b2ccce05a9a3127736d84d20e2bbe7b0885287 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 29 Jun 2020 17:14:07 +0100
Subject: [PATCH] Taint: fix ACL "spam" condition, to permit tainted name arguments.
---
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/spam.c | 26 +++++++++-----------------
 2 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index b2b9a74b8..41a9629cf 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -69,6 +69,10 @@ JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was
 JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename was given for the sqlite_dbfile a trap resulted.
+JH/15 Fix "spam" ACL condition. Previously, tainted values for the "name"
+ argument resulted in a trap. There is no reason to disallow such; this
+ was a coding error.
+
 Exim version 4.94
 -----------------
diff --git a/src/src/spam.c b/src/src/spam.c
index 5eff1ad5c..bd34dba82 100644
--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -190,7 +190,6 @@ spam(const uschar **listptr)
 int sep = 0;
 const uschar *list = *listptr;
 uschar *user_name;
-uschar user_name_buffer[128];
 unsigned long mbox_size;
 FILE *mbox_file;
 client_conn_ctx spamd_cctx = {.sock = -1};
@@ -218,17 +217,14 @@ spamd_address_container * sd;
 result = 0;
 /* find the username from the option list */
-if ((user_name = string_nextinlist(&list, &sep,
- user_name_buffer,
- sizeof(user_name_buffer))) == NULL)
+if (!(user_name = string_nextinlist(&list, &sep, NULL, 0)))
 {
 /* no username given, this means no scanning should be done */
 return FAIL;
 }
 /* if username is "0" or "false", do not scan */
-if ( (Ustrcmp(user_name,"0") == 0) ||
- (strcmpic(user_name,US"false") == 0) )
+if (Ustrcmp(user_name, "0") == 0 || strcmpic(user_name, US"false") == 0)
 return FAIL;
 /* if there is an additional option, check if it is "true" */
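Review bot: With the `NULL, 0` form of `string_nextinlist()` in the -218 hunk, the name is no longer capped by the removed 128-byte `user_name_buffer`, and per the ChangeLog entry it may now be tainted, yet nothing after the `"0"`/`"false"` test constrains its length or content. If `user_name` is later written into the request sent to spamd (that code is outside this hunk, so this is an inference), a name carrying CR or LF could add lines to that request, so rejecting control characters at this point would be a cheap safeguard. At minimum the assumption deserves a comment above the call, such as `/* user_name may be tainted and is no longer length-limited; validate before use in the spamd request */`. The body of spam() starts and ends outside the hunk.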
@@ -237,19 +233,15 @@ if (strcmpic(list,US"true") == 0)
 override = 1;
 /* expand spamd_address if needed */
-if (*spamd_address == '$')
+if (*spamd_address != '$')
+ spamd_address_work = spamd_address;
+else if (!(spamd_address_work = expand_string(spamd_address)))
 {
- spamd_address_work = expand_string(spamd_address);
- if (spamd_address_work == NULL)
- {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "%s spamd_address starts with $, but expansion failed: %s",
- loglabel, expand_string_message);
- return DEFER;
- }
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "%s spamd_address starts with $, but expansion failed: %s",
+ loglabel, expand_string_message);
+ return DEFER;
 }
-else
- spamd_address_work = spamd_address;
 DEBUG(D_acl) debug_printf_indent("spamd: addrlist '%s'\n", spamd_address_work);
--
2.30.2
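Review bot: The new `else if (!(spamd_address_work = expand_string(spamd_address)))` folds the assignment into the failure test, so the braced block beneath it is the error path and the success path falls through with nothing marking it. A one-line comment at the top of that block, for example `/* expansion failed: log and defer */`, would keep the inverted condition from being misread. Separately, a successful expansion is used as-is: an empty result, or one derived from message data, goes straight to the address-list handling that follows outside this hunk, so it is worth confirming that code rejects an empty or unexpected list rather than relying on this block.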