From 942f0be6c2cd3ec8c39ca234a449561d9d3c1075 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 23 Dec 2020 22:35:04 +0000
Subject: [PATCH] Fix ${listextract } from a tainted list

---
 doc/doc-txt/ChangeLog        | 3 +++
 src/src/expand.c             | 7 ++++---
 test/scripts/0000-Basic/0002 | 4 ++++
 test/stdout/0002             | 2 ++
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 396ec3362..c0f83125d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -159,6 +159,9 @@ JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
 JH/32 Bug 2599: fix delay of delivery to a local address where there is also
       a remote which uses callout/hold.  Previously the local was queued.
 
+JH/33 Fix a taint trap in the ${listextract } expansion when the source data
+      was tainted.
+
 
 Exim version 4.94
 -----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index 21758d832..839821ef7 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -1298,15 +1298,16 @@ expand_getlistele(int field, const uschar * list)
 {
 const uschar * tlist = list;
 int sep = 0;
-uschar dummy;
+/* Tainted mem for the throwaway element copies */
+uschar * dummy = store_get(2, TRUE);
 
 if (field < 0)
   {
-  for (field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
+  for (field++; string_nextinlist(&tlist, &sep, dummy, 1); ) field++;
   sep = 0;
   }
 if (field == 0) return NULL;
-while (--field > 0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
+while (--field > 0 && (string_nextinlist(&list, &sep, dummy, 1))) ;
 return string_nextinlist(&list, &sep, NULL, 0);
 }
 
diff --git a/test/scripts/0000-Basic/0002 b/test/scripts/0000-Basic/0002
index 70b4e5f94..5101be453 100644
--- a/test/scripts/0000-Basic/0002
+++ b/test/scripts/0000-Basic/0002
@@ -1107,3 +1107,7 @@ exim -be
 ${if inlist{aa}{aa} {in list}{not in list}}
 ${if !inlist{aa}{aa} {not in list}{in list}}
 ****
+# listextract from tainted list
+exim -be -oMs my.target.host.name
+'\${listextract {2} {<. $sender_host_name}}'  =>   '${listextract {2} {<. $sender_host_name}}'
+****
diff --git a/test/stdout/0002 b/test/stdout/0002
index 02ba087ba..b55571cc6 100644
--- a/test/stdout/0002
+++ b/test/stdout/0002
@@ -1034,3 +1034,5 @@ xyz
 > in list
 > in list
 > 
+> '${listextract {2} {<. my.target.host.name}}'  =>   'target'
+> 
-- 
2.30.2