From a9ac2d7fc219e41a353abf1f599258b9b9d21b7e Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 7 Jul 2021 22:19:07 +0100
Subject: [PATCH] Fix tainted message for fakereject

---
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/acl.c         | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cc589c567..dc9d9d8cc 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -320,6 +320,10 @@ JH/56 Make the majority of info read from config files readonly, for defence-in-
       depth against exploits.  Suggestion by Qualsy.
       Not supported on Solaris 10.
 
+JH/57 Fix control=fakreject for a custom message containing tainted data.
+      Previously this resulted in a log complaint, due to a re-expansion present
+      since fakereject was originally introduced.
+
 
 Exim version 4.94
 -----------------
diff --git a/src/src/acl.c b/src/src/acl.c
index 1bf118764..89947f405 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -3235,13 +3235,15 @@ for (; cb; cb = cb->next)
 
 	case CONTROL_FAKEREJECT:
 	  cancel_cutthrough_connection(TRUE, US"fakereject");
-	  case CONTROL_FAKEDEFER:
+	case CONTROL_FAKEDEFER:
 	  fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
 	  if (*p == '/')
 	    {
 	    const uschar *pp = p + 1;
 	    while (*pp) pp++;
-	    fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
+	    /* The entire control= line was expanded at top so no need to expand
+	    the part after the / */
+	    fake_response_text = string_copyn(p+1, pp-p-1);
 	    p = pp;
 	    }
 	   else /* Explicitly reset to default string */
-- 
2.30.2