From f07847e436d1130628717ef92e46b56b293d5fa1 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Thu, 29 Oct 2020 21:38:25 -0400 Subject: [PATCH] SECURITY: default recipients_max to 50,000 A default of "unlimited" can have unfortunate consequences when people start putting many millions of recipients on a message. (cherry picked from commit 1d7780722a66cea8da5fa4ae0775e85d185fbf7e) (cherry picked from commit a6e1f69d82adcfd3caab8f228d96750dfddc8f07) --- doc/doc-docbook/spec.xfpt | 2 +- doc/doc-txt/ChangeLog | 2 ++ doc/doc-txt/OptionLists.txt | 2 +- src/src/globals.c | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 61abb70c0..68d9c056f 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17394,7 +17394,7 @@ or if the message was submitted locally (not using TCP/IP), and the &%-bnq%& option was not set. -.option recipients_max main integer 0 +.option recipients_max main integer 50000 .cindex "limit" "number of recipients" .cindex "recipient" "maximum number" If this option is set greater than zero, it specifies the maximum number of diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 5a9c8f214..89a60e757 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -278,6 +278,8 @@ PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() PP/07 Refuse to allocate too little memory, block negative/zero allocations. Security guard. +PP/08 Change default for recipients_max from unlimited to 50,000. + Exim version 4.94 ----------------- diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 183f6b722..59be0a06b 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt 
@@ -466,7 +466,7 @@ receive_timeout time 0s main
 received_header_text string* + main
 received_headers_max integer 30 main
 recipient_unqualified_hosts host list unset main 4.00 replacing receiver_unqualified_hosts
-recipients_max integer 0 main 1.60
+recipients_max integer 50000 main 1.60 default changed in 4.95 (was 0)
 recipients_max_reject boolean false main 1.70
 redirect_router string unset routers 4.00
 remote_max_parallel integer 1 main
diff --git a/src/src/globals.c b/src/src/globals.c
index c45e8a930..bd874a789 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1295,7 +1295,7 @@ uschar *recipient_verify_failure = NULL;
 int recipients_count = 0;
 recipient_item *recipients_list = NULL;
 int recipients_list_max = 0;
-int recipients_max = 0;
+int recipients_max = 50000;
 const pcre *regex_AUTH = NULL;
 const pcre *regex_check_dns_names = NULL;
 const pcre *regex_From = NULL;
--
2.30.2
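Review bot: The new initializer `int recipients_max = 50000;` in src/src/globals.c has no comment saying that the value is a protective bound or that 0 still means unlimited, so the reason for the number lives only in the commit message. I would add `/* default cap on recipients per message; 0 = no limit */` above it, which matches the spec text quoted in this patch ("If this option is set greater than zero"). Because an administrator can still configure 0, this default narrows exposure but does not replace range checks where `recipients_count` and `recipients_list_max` (both plain `int` in this hunk) are incremented or grown. That code is outside the hunk and should be confirmed separately. Sites that legitimately exceed 50,000 recipients per message will see a behaviour change on upgrade, so the ChangeLog entry should be echoed in the upgrade notes.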