From 942f0be6c2cd3ec8c39ca234a449561d9d3c1075 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Wed, 23 Dec 2020 22:35:04 +0000
Subject: [PATCH] Fix ${listextract } from a tainted list
---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/expand.c | 7 ++++---
 test/scripts/0000-Basic/0002 | 4 ++++
 test/stdout/0002 | 2 ++
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 396ec3362..c0f83125d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -159,6 +159,9 @@ JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
 JH/32 Bug 2599: fix delay of delivery to a local address where there is also a remote which uses callout/hold. Previously the local was queued.
+JH/33 Fix a taint trap in the ${listextract } expansion when the source data
+ was tainted.
+
 Exim version 4.94
 -----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index 21758d832..839821ef7 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -1298,15 +1298,16 @@ expand_getlistele(int field, const uschar * list)
 {
 const uschar * tlist = list;
 int sep = 0;
-uschar dummy;
+/* Tainted mem for the throwaway element copies */
+uschar * dummy = store_get(2, TRUE);
 if (field < 0)
 {
- for (field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
+ for (field++; string_nextinlist(&tlist, &sep, dummy, 1); ) field++;
 sep = 0;
 }
 if (field == 0) return NULL;
-while (--field > 0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
+while (--field > 0 && (string_nextinlist(&list, &sep, dummy, 1))) ;
 return string_nextinlist(&list, &sep, NULL, 0);
 }
diff --git a/test/scripts/0000-Basic/0002 b/test/scripts/0000-Basic/0002
index 70b4e5f94..5101be453 100644
--- a/test/scripts/0000-Basic/0002
+++ b/test/scripts/0000-Basic/0002
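Review bot: The comment on the new `dummy` allocation in expand_getlistele says the memory is tainted but not why it has to be, and the `2` in `store_get(2, TRUE)` has no visible relation to the length `1` passed in both `string_nextinlist()` calls. Judging by the ChangeLog entry, the old untainted stack byte tripped the taint check when the list was tainted; stating that keeps a later cleanup from reverting to a stack variable. I would write `/* Scratch for discarded elements. Must be tainted memory: the list may be tainted, and copying it into an untainted buffer trips the taint check. */` and either allocate exactly the length that is passed or note why the sizes differ. The buffer is also taken from the store on every call, including calls where no element is skipped (`field` of 0 or 1); whether that is reclaimed depends on store handling outside this hunk.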
@@ -1107,3 +1107,7 @@ exim -be
 ${if inlist{aa}{aa} {in list}{not in list}}
 ${if !inlist{aa}{aa} {not in list}{in list}}
 ****
+# listextract from tainted list
+exim -be -oMs my.target.host.name
+'\${listextract {2} {<. $sender_host_name}}' => '${listextract {2} {<. $sender_host_name}}'
+****
diff --git a/test/stdout/0002 b/test/stdout/0002
index 02ba087ba..b55571cc6 100644
--- a/test/stdout/0002
+++ b/test/stdout/0002
@@ -1034,3 +1034,5 @@ xyz
 > in list
 > in list
 >
+> '${listextract {2} {<. my.target.host.name}}' => 'target'
+>
-- 
2.30.2
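Review bot: The new test case in test/scripts/0000-Basic/0002 only extracts a positive index (`{2}`), so the `field < 0` counting loop in expand_getlistele, which this patch also switches to the tainted scratch buffer, is never run against a tainted list. A second line such as `'\${listextract {-1} {<. $sender_host_name}}' => '${listextract {-1} {<. $sender_host_name}}'` would cover that branch; it is expected to yield the last element, and test/stdout/0002 needs the matching output line. Without it a regression in the negative-index path would only surface as a taint trap at run time.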