From ed1620555d261c5e970dbbe873bf4b19026b0e48 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sat, 11 Jan 2020 21:51:42 +0000
Subject: [PATCH] ACL: taint-enforce queue modifier

---
 doc/doc-txt/ChangeLog | 1 +
 src/src/acl.c         | 6 ++++++
 test/confs/0576       | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 368d37ec1..29059ffa5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -92,6 +92,7 @@ JH/20 Taint checking: disallow use of tainted data for
       - the pipe transport command
       - the autoreply transport file, log and once options
       - file names used by the redirect router (including filter files)
+      - named-queue names
       Previously this was permitted.
 
 
diff --git a/src/src/acl.c b/src/src/acl.c
index 7284831a6..3166069ba 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -3590,6 +3590,12 @@ for (; cb; cb = cb->next)
     #endif
 
     case ACLC_QUEUE:
+    if (is_tainted(arg))
+      {
+      *log_msgptr = string_sprintf("Tainted name '%s' for queue not permitted",
+				    arg);
+      return ERROR;
+      }
     if (Ustrchr(arg, '/'))
       {
       *log_msgptr = string_sprintf(
diff --git a/test/confs/0576 b/test/confs/0576
index b75b67804..5b023d280 100644
--- a/test/confs/0576
+++ b/test/confs/0576
@@ -16,7 +16,7 @@ begin acl
 
 rcpt:
   accept
-    queue = ${if eq {normal}{$local_part} {} {$local_part}}
+    queue = ${if eq {normal}{$local_part} {} {${bless:$local_part}}}
     logwrite = using queue '$queue_name'
 
 #---------------
-- 
2.30.2