AUTH: avoid logging creds on ACL denial

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e1381c156fe3d3f9b3e637d4df71500d46cb8fab..b209912802ba4210616a85308e0fa83ce3f0738d 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -180,6 +180,10 @@ JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext
 JH/37 Enforce the expected size, for fixed-size records read from hints-DB
       files.  For bad sizes read, delete the record and whine to paniclog.
 
 JH/37 Enforce the expected size, for fixed-size records read from hints-DB
       files.  For bad sizes read, delete the record and whine to paniclog.
 

+JH/38 When logging an AUTH failure, as server, do not include sensitive
+      information. Previously, the credentials would be included if given
+      as part of the AUTH command line and an ACL denied authentidcation.
+

 
 
 Exim version 4.94
 
 
 Exim version 4.94

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 0467b22574ad127932a4b689778a54d1bc8f0102..14dd11498c74673848d29b631018d6654ffb0d52 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3279,18 +3279,7 @@ int codelen = 3;
 uschar *smtp_code;
 uschar *lognl;
 uschar *sender_info = US"";
 uschar *smtp_code;
 uschar *lognl;
 uschar *sender_info = US"";

-uschar *what =
-#ifdef WITH_CONTENT_SCAN
-  where == ACL_WHERE_MIME ? US"during MIME ACL checks" :
-#endif
-  where == ACL_WHERE_PREDATA ? US"DATA" :
-  where == ACL_WHERE_DATA ? US"after DATA" :
-#ifndef DISABLE_PRDR
-  where == ACL_WHERE_PRDR ? US"after DATA PRDR" :
-#endif
-  smtp_cmd_data ?
-    string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data) :
-    string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]);
+uschar *what;

 
 if (drop) rc = FAIL;
 
 
 if (drop) rc = FAIL;
 


@@ -3306,19 +3295,45 @@ fixed, sender_address at this point became the rewritten address. I'm not sure
 this is what should be logged, so I've changed to logging the unrewritten
 address to retain backward compatibility. */
 
 this is what should be logged, so I've changed to logging the unrewritten
 address to retain backward compatibility. */
 

-#ifndef WITH_CONTENT_SCAN
-if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
-#else
-if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
+switch (where)
+  {
+#ifdef WITH_CONTENT_SCAN
+  case ACL_WHERE_MIME:         what = US"during MIME ACL checks";      break;
+#endif
+  case ACL_WHERE_PREDATA:      what = US"DATA";                        break;
+  case ACL_WHERE_DATA:         what = US"after DATA";                  break;
+#ifndef DISABLE_PRDR
+  case ACL_WHERE_PRDR:         what = US"after DATA PRDR";             break;

 #endif
 #endif

+  default:
+    {
+    uschar * place = smtp_cmd_data ? smtp_cmd_data : US"in \"connect\" ACL";
+    int lim = 100;
+
+    if (where == ACL_WHERE_AUTH)       /* avoid logging auth creds */
+      {
+      uschar * s;
+      for (s = smtp_cmd_data; *s && !isspace(*s); ) s++;
+      lim = s - smtp_cmd_data; /* atop after method */
+      }
+    what = string_sprintf("%s %.*s", acl_wherenames[where], lim, place);
+    }
+  }
+switch (where)

   {
   {

-  sender_info = string_sprintf("F=<%s>%s%s%s%s ",
-    sender_address_unrewritten ? sender_address_unrewritten : sender_address,
-    sender_host_authenticated ? US" A="                                    : US"",
-    sender_host_authenticated ? sender_host_authenticated                  : US"",
-    sender_host_authenticated && authenticated_id ? US":"                  : US"",
-    sender_host_authenticated && authenticated_id ? authenticated_id       : US""
-    );
+  case ACL_WHERE_RCPT:
+  case ACL_WHERE_DATA:
+#ifdef WITH_CONTENT_SCAN
+  case ACL_WHERE_MIME:
+#endif
+    sender_info = string_sprintf("F=<%s>%s%s%s%s ",
+      sender_address_unrewritten ? sender_address_unrewritten : sender_address,
+      sender_host_authenticated ? US" A="                                    : US"",
+      sender_host_authenticated ? sender_host_authenticated                  : US"",
+      sender_host_authenticated && authenticated_id ? US":"                  : US"",
+      sender_host_authenticated && authenticated_id ? authenticated_id       : US""
+      );
+  break;

   }
 
 /* If there's been a sender verification failure with a specific message, and
   }
 
 /* If there's been a sender verification failure with a specific message, and


@@ -4035,21 +4050,18 @@ while (done <= 0)
       /* Find the name of the requested authentication mechanism. */
 
       s = smtp_cmd_data;
       /* Find the name of the requested authentication mechanism. */
 
       s = smtp_cmd_data;

-      while ((c = *smtp_cmd_data) != 0 && !isspace(c))
-       {
+      for (; (c = *smtp_cmd_data) && !isspace(c); smtp_cmd_data++)

        if (!isalnum(c) && c != '-' && c != '_')
          {
          done = synprot_error(L_smtp_syntax_error, 501, NULL,
            US"invalid character in authentication mechanism name");
          goto COMMAND_LOOP;
          }
        if (!isalnum(c) && c != '-' && c != '_')
          {
          done = synprot_error(L_smtp_syntax_error, 501, NULL,
            US"invalid character in authentication mechanism name");
          goto COMMAND_LOOP;
          }

-       smtp_cmd_data++;
-       }

 
       /* If not at the end of the line, we must be at white space. Terminate the
       name and move the pointer on to any data that may be present. */
 
 
       /* If not at the end of the line, we must be at white space. Terminate the
       name and move the pointer on to any data that may be present. */
 

-      if (*smtp_cmd_data != 0)
+      if (*smtp_cmd_data)

        {
        *smtp_cmd_data++ = 0;
        while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
        {
        *smtp_cmd_data++ = 0;
        while (isspace(*smtp_cmd_data)) smtp_cmd_data++;

diff --git a/test/log/3450 b/test/log/3450
index 3fcb043eb9c5a7a89000e725ef5e51de2640c7ee..5f2fe4239b5c6b6bb3e1062ba76e4d019dbea251 100644 (file)
--- a/test/log/3450
+++ b/test/log/3450
@@ -1,4 +1,4 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D

-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH

diff --git a/test/log/3460 b/test/log/3460
index 3fcb043eb9c5a7a89000e725ef5e51de2640c7ee..5f2fe4239b5c6b6bb3e1062ba76e4d019dbea251 100644 (file)
--- a/test/log/3460
+++ b/test/log/3460
@@ -1,4 +1,4 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D

-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH

diff --git a/test/rejectlog/3450 b/test/rejectlog/3450
index b2fa6d6df2457732da59d8502c7e3c867e0388b8..8800868386a20251d551c3e534739188214f5a51 100644 (file)
--- a/test/rejectlog/3450
+++ b/test/rejectlog/3450
@@ -1,3 +1,3 @@
 
 ******** SERVER ********
 
 ******** SERVER ********

-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH

diff --git a/test/rejectlog/3460 b/test/rejectlog/3460
index b2fa6d6df2457732da59d8502c7e3c867e0388b8..8800868386a20251d551c3e534739188214f5a51 100644 (file)
--- a/test/rejectlog/3460
+++ b/test/rejectlog/3460
@@ -1,3 +1,3 @@
 
 ******** SERVER ********
 
 ******** SERVER ********

-1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain AHVzZXJ4AHNlY3JldA==: STARTTLS required before AUTH
+1999-03-02 09:44:33 H=(foobar) [127.0.0.1] rejected AUTH plain: STARTTLS required before AUTH