* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2017 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */
with "*" are not settable by the user but are used by the option-reading
software for alternative value types. Some options are publicly visible and so
are stored in the driver instance block. These are flagged with opt_public. */
+#define LOFF(field) OPT_OFF(autoreply_transport_options_block, field)
optionlist autoreply_transport_options[] = {
- { "bcc", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, bcc) },
- { "cc", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, cc) },
- { "file", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, file) },
- { "file_expand", opt_bool,
- (void *)offsetof(autoreply_transport_options_block, file_expand) },
- { "file_optional", opt_bool,
- (void *)offsetof(autoreply_transport_options_block, file_optional) },
- { "from", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, from) },
- { "headers", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, headers) },
- { "log", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, logfile) },
- { "mode", opt_octint,
- (void *)offsetof(autoreply_transport_options_block, mode) },
- { "never_mail", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, never_mail) },
- { "once", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, oncelog) },
- { "once_file_size", opt_int,
- (void *)offsetof(autoreply_transport_options_block, once_file_size) },
- { "once_repeat", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, once_repeat) },
- { "reply_to", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, reply_to) },
- { "return_message", opt_bool,
- (void *)offsetof(autoreply_transport_options_block, return_message) },
- { "subject", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, subject) },
- { "text", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, text) },
- { "to", opt_stringptr,
- (void *)offsetof(autoreply_transport_options_block, to) },
+ { "bcc", opt_stringptr, LOFF(bcc) },
+ { "cc", opt_stringptr, LOFF(cc) },
+ { "file", opt_stringptr, LOFF(file) },
+ { "file_expand", opt_bool, LOFF(file_expand) },
+ { "file_optional", opt_bool, LOFF(file_optional) },
+ { "from", opt_stringptr, LOFF(from) },
+ { "headers", opt_stringptr, LOFF(headers) },
+ { "log", opt_stringptr, LOFF(logfile) },
+ { "mode", opt_octint, LOFF(mode) },
+ { "never_mail", opt_stringptr, LOFF(never_mail) },
+ { "once", opt_stringptr, LOFF(oncelog) },
+ { "once_file_size", opt_int, LOFF(once_file_size) },
+ { "once_repeat", opt_stringptr, LOFF(once_repeat) },
+ { "reply_to", opt_stringptr, LOFF(reply_to) },
+ { "return_message", opt_bool, LOFF(return_message) },
+ { "subject", opt_stringptr, LOFF(subject) },
+ { "text", opt_stringptr, LOFF(text) },
+ { "to", opt_stringptr, LOFF(to) },
};
/* Size of the options list. An extern variable has to be used so that its
static uschar *
checkexpand(uschar *s, address_item *addr, uschar *name, int type)
{
-uschar *t;
uschar *ss = expand_string(s);
-if (ss == NULL)
+if (!ss)
{
addr->transport_return = FAIL;
addr->message = string_sprintf("Expansion of \"%s\" failed in %s transport: "
return NULL;
}
-if (type != cke_text) for (t = ss; *t != 0; t++)
+if (type != cke_text) for (uschar * t = ss; *t != 0; t++)
{
int c = *t;
const uschar * sp;
/* If there is some kind of syntax error, just give up on this header
line. */
- if (next == NULL) break;
+ if (!next) break;
/* See if the address is on the never_mail list */
header_line *h;
time_t now = time(NULL);
time_t once_repeat_sec = 0;
-FILE *f;
+FILE *fp;
FILE *ff = NULL;
autoreply_transport_options_block *ob =
router. Otherwise, the data must be supplied by this transport, and
it has to be expanded here. */
-if (addr->reply != NULL)
+if (addr->reply)
{
DEBUG(D_transport) debug_printf("taking data from address\n");
from = addr->reply->from;
/* If the -N option is set, can't do any more. */
-if (dont_deliver)
+if (f.dont_deliver)
{
DEBUG(D_transport)
debug_printf("*** delivery by %s transport bypassed by -N option\n",
set, instead of a dbm file, we use a regular file containing a circular buffer
recipient cache. */
-if (oncelog && *oncelog != 0 && to)
+if (oncelog && *oncelog && to)
{
time_t then = 0;
+ if (is_tainted(oncelog))
+ {
+ addr->transport_return = DEFER;
+ addr->basic_errno = EACCES;
+ addr->message = string_sprintf("Tainted '%s' (once file for %s transport)"
+ " not permitted", oncelog, tblock->name);
+ goto END_OFF;
+ }
+
/* Handle fixed-size cache file. */
if (ob->once_file_size > 0)
{
- uschar * p, * nextp;
+ uschar * nextp;
struct stat statbuf;
- cache_fd = Uopen(oncelog, O_CREAT|O_RDWR, ob->mode);
+ cache_fd = Uopen(oncelog, O_CREAT|O_RDWR, ob->mode);
if (cache_fd < 0 || fstat(cache_fd, &statbuf) != 0)
{
addr->transport_return = DEFER;
+ addr->basic_errno = errno;
addr->message = string_sprintf("Failed to %s \"once\" file %s when "
"sending message from %s transport: %s",
- (cache_fd < 0)? "open" : "stat", oncelog, tblock->name,
- strerror(errno));
+ cache_fd < 0 ? "open" : "stat", oncelog, tblock->name, strerror(errno));
goto END_OFF;
}
cache_size = statbuf.st_size;
add_size = sizeof(time_t) + Ustrlen(to) + 1;
- cache_buff = store_get(cache_size + add_size);
+ cache_buff = store_get(cache_size + add_size, is_tainted(oncelog));
if (read(cache_fd, cache_buff, cache_size) != cache_size)
{
zero. If we find a match, put the time into "then", and the place where it
was found into "cache_time". Otherwise, "then" is left at zero. */
- for (p = cache_buff; p < cache_buff + cache_size; p = nextp)
+ for (uschar * p = cache_buff; p < cache_buff + cache_size; p = nextp)
{
uschar *s = p + sizeof(time_t);
nextp = s + Ustrlen(s) + 1;
else
{
EXIM_DATUM key_datum, result_datum;
- uschar * dirname = string_copy(oncelog);
- uschar * s;
+ uschar * dirname, * s;
- if ((s = Ustrrchr(dirname, '/'))) *s = '\0';
+ dirname = (s = Ustrrchr(oncelog, '/'))
+ ? string_copyn(oncelog, s - oncelog) : NULL;
EXIM_DBOPEN(oncelog, dirname, O_RDWR|O_CREAT, ob->mode, &dbm_file);
if (!dbm_file)
{
addr->transport_return = DEFER;
+ addr->basic_errno = errno;
addr->message = string_sprintf("Failed to open %s file %s when sending "
"message from %s transport: %s", EXIM_DBTYPE, oncelog, tblock->name,
strerror(errno));
if (then != 0 && (once_repeat_sec <= 0 || now - then < once_repeat_sec))
{
int log_fd;
+ if (is_tainted(logfile))
+ {
+ addr->transport_return = DEFER;
+ addr->basic_errno = EACCES;
+ addr->message = string_sprintf("Tainted '%s' (logfile for %s transport)"
+ " not permitted", logfile, tblock->name);
+ goto END_OFF;
+ }
+
DEBUG(D_transport) debug_printf("message previously sent to %s%s\n", to,
(once_repeat_sec > 0)? " and repeat time not reached" : "");
log_fd = logfile ? Uopen(logfile, O_WRONLY|O_APPEND|O_CREAT, ob->mode) : -1;
}
/* We are going to send a message. Ensure any requested file is available. */
-
if (file)
{
- ff = Ufopen(file, "rb");
- if (!ff && !ob->file_optional)
+ if (is_tainted(file))
{
addr->transport_return = DEFER;
+ addr->basic_errno = EACCES;
+ addr->message = string_sprintf("Tainted '%s' (file for %s transport)"
+ " not permitted", file, tblock->name);
+ return FALSE;
+ }
+ if (!(ff = Ufopen(file, "rb")) && !ob->file_optional)
+ {
+ addr->transport_return = DEFER;
+ addr->basic_errno = errno;
addr->message = string_sprintf("Failed to open file %s when sending "
"message from %s transport: %s", file, tblock->name, strerror(errno));
return FALSE;
/* Make a subprocess to send the message */
-pid = child_open_exim(&fd);
-
-/* Creation of child failed; defer this delivery. */
-
-if (pid < 0)
+if ((pid = child_open_exim(&fd, US"autoreply")) < 0)
{
+ /* Creation of child failed; defer this delivery. */
+
addr->transport_return = DEFER;
+ addr->basic_errno = errno;
addr->message = string_sprintf("Failed to create child process to send "
"message from %s transport: %s", tblock->name, strerror(errno));
DEBUG(D_transport) debug_printf("%s\n", addr->message);
as the -t option is used. The "headers" stuff *must* be last in case there
are newlines in it which might, if placed earlier, screw up other headers. */
-f = fdopen(fd, "wb");
+fp = fdopen(fd, "wb");
-if (from) fprintf(f, "From: %s\n", from);
-if (reply_to) fprintf(f, "Reply-To: %s\n", reply_to);
-if (to) fprintf(f, "To: %s\n", to);
-if (cc) fprintf(f, "Cc: %s\n", cc);
-if (bcc) fprintf(f, "Bcc: %s\n", bcc);
-if (subject) fprintf(f, "Subject: %s\n", subject);
+if (from) fprintf(fp, "From: %s\n", from);
+if (reply_to) fprintf(fp, "Reply-To: %s\n", reply_to);
+if (to) fprintf(fp, "To: %s\n", to);
+if (cc) fprintf(fp, "Cc: %s\n", cc);
+if (bcc) fprintf(fp, "Bcc: %s\n", bcc);
+if (subject) fprintf(fp, "Subject: %s\n", subject);
/* Generate In-Reply-To from the message_id header; there should
always be one, but code defensively. */
{
message_id = Ustrchr(h->text, ':') + 1;
while (isspace(*message_id)) message_id++;
- fprintf(f, "In-Reply-To: %s", message_id);
+ fprintf(fp, "In-Reply-To: %s", message_id);
}
-/* Generate a References header if there is at least one of Message-ID:,
-References:, or In-Reply-To: (see RFC 2822). */
-
-for (h = header_list; h; h = h->next)
- if (h->type != htype_old && strncmpic(US"References:", h->text, 11) == 0)
- break;
-
-if (!h)
- for (h = header_list; h; h = h->next)
- if (h->type != htype_old && strncmpic(US"In-Reply-To:", h->text, 12) == 0)
- break;
-
-/* We limit the total length of references. Although there is no fixed
-limit, some systems do not like headers growing beyond recognition.
-Keep the first message ID for the thread root and the last few for
-the position inside the thread, up to a maximum of 12 altogether. */
-
-if (h || message_id)
- {
- fprintf(f, "References:");
- if (h)
- {
- uschar *s, *id, *error;
- uschar *referenced_ids[12];
- int reference_count = 0;
- int i;
-
- s = Ustrchr(h->text, ':') + 1;
- parse_allow_group = FALSE;
- while (*s != 0 && (s = parse_message_id(s, &id, &error)) != NULL)
- {
- if (reference_count == nelem(referenced_ids))
- {
- memmove(referenced_ids + 1, referenced_ids + 2,
- sizeof(referenced_ids) - 2*sizeof(uschar *));
- referenced_ids[reference_count - 1] = id;
- }
- else referenced_ids[reference_count++] = id;
- }
- for (i = 0; i < reference_count; ++i) fprintf(f, " %s", referenced_ids[i]);
- }
-
- /* The message id will have a newline on the end of it. */
-
- if (message_id) fprintf(f, " %s", message_id);
- else fprintf(f, "\n");
- }
+moan_write_references(fp, message_id);
/* Add an Auto-Submitted: header */
-fprintf(f, "Auto-Submitted: auto-replied\n");
+fprintf(fp, "Auto-Submitted: auto-replied\n");
/* Add any specially requested headers */
-if (headers) fprintf(f, "%s\n", headers);
-fprintf(f, "\n");
+if (headers) fprintf(fp, "%s\n", headers);
+fprintf(fp, "\n");
if (text)
{
- fprintf(f, "%s", CS text);
- if (text[Ustrlen(text)-1] != '\n') fprintf(f, "\n");
+ fprintf(fp, "%s", CS text);
+ if (text[Ustrlen(text)-1] != '\n') fprintf(fp, "\n");
}
if (ff)
debug_printf("error while expanding line from file:\n %s\n %s\n",
big_buffer, expand_string_message);
}
- fprintf(f, "%s", s ? CS s : CS big_buffer);
+ fprintf(fp, "%s", s ? CS s : CS big_buffer);
}
- else fprintf(f, "%s", CS big_buffer);
+ else fprintf(fp, "%s", CS big_buffer);
}
(void) fclose(ff);
}
:
US"------ This is a copy of the message, including all the headers.\n";
transport_ctx tctx = {
- {fileno(f)},
- tblock,
- addr,
- NULL, NULL,
- (tblock->body_only ? topt_no_headers : 0) |
- (tblock->headers_only ? topt_no_body : 0) |
- (tblock->return_path_add ? topt_add_return_path : 0) |
- (tblock->delivery_date_add ? topt_add_delivery_date : 0) |
- (tblock->envelope_to_add ? topt_add_envelope_to : 0)
+ .u = {.fd = fileno(fp)},
+ .tblock = tblock,
+ .addr = addr,
+ .check_string = NULL,
+ .escape_string = NULL,
+ .options = (tblock->body_only ? topt_no_headers : 0)
+ | (tblock->headers_only ? topt_no_body : 0)
+ | (tblock->return_path_add ? topt_add_return_path : 0)
+ | (tblock->delivery_date_add ? topt_add_delivery_date : 0)
+ | (tblock->envelope_to_add ? topt_add_envelope_to : 0)
+ | topt_not_socket
};
if (bounce_return_size_limit > 0 && !tblock->headers_only)
DELIVER_IN_BUFFER_SIZE;
if (fstat(deliver_datafile, &statbuf) == 0 && statbuf.st_size > max)
{
- fprintf(f, "\n%s"
+ fprintf(fp, "\n%s"
"------ The body of the message is " OFF_T_FMT " characters long; only the first\n"
"------ %d or so are included here.\n\n", rubric, statbuf.st_size,
(max/1000)*1000);
}
- else fprintf(f, "\n%s\n", rubric);
+ else fprintf(fp, "\n%s\n", rubric);
}
- else fprintf(f, "\n%s\n", rubric);
+ else fprintf(fp, "\n%s\n", rubric);
- fflush(f);
+ fflush(fp);
transport_count = 0;
transport_write_message(&tctx, bounce_return_size_limit);
}
/* End the message and wait for the child process to end; no timeout. */
-(void)fclose(f);
+(void)fclose(fp);
rc = child_close(pid, 0);
/* Update the "sent to" log whatever the yield. This errs on the side of
int log_fd = Uopen(logfile, O_WRONLY|O_APPEND|O_CREAT, ob->mode);
if (log_fd >= 0)
{
- uschar *ptr = log_buffer;
+ gstring gs = { .size = LOG_BUFFER_SIZE, .ptr = 0, .s = log_buffer }, *g = &gs;
+
+ /* Use taint-unchecked routines for writing into log_buffer, trusting
+ that we'll never expand it. */
+
DEBUG(D_transport) debug_printf("logging message details\n");
- sprintf(CS ptr, "%s\n", tod_stamp(tod_log));
- while(*ptr) ptr++;
+ g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, "%s\n", tod_stamp(tod_log));
if (from)
- {
- (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
- " From: %s\n", from);
- while(*ptr) ptr++;
- }
+ g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " From: %s\n", from);
if (to)
- {
- (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
- " To: %s\n", to);
- while(*ptr) ptr++;
- }
+ g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " To: %s\n", to);
if (cc)
- {
- (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
- " Cc: %s\n", cc);
- while(*ptr) ptr++;
- }
+ g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " Cc: %s\n", cc);
if (bcc)
- {
- (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
- " Bcc: %s\n", bcc);
- while(*ptr) ptr++;
- }
+ g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " Bcc: %s\n", bcc);
if (subject)
- {
- (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
- " Subject: %s\n", subject);
- while(*ptr) ptr++;
- }
+ g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " Subject: %s\n", subject);
if (headers)
- {
- (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
- " %s\n", headers);
- while(*ptr) ptr++;
- }
- if(write(log_fd, log_buffer, ptr - log_buffer) != ptr-log_buffer
- || close(log_fd))
+ g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s\n", headers);
+ if(write(log_fd, g->s, g->ptr) != g->ptr || close(log_fd))
DEBUG(D_transport) debug_printf("Problem writing log file %s for %s "
"transport\n", logfile, tblock->name);
}
git://git.exim.org / users / heiko / exim.git / blobdiff