From: Jeremy Harris Date: Sun, 14 Jun 2020 21:14:11 +0000 (+0100) Subject: Taint: fix verify. Bug 2598 X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/ecf1e77accda6355ebb745a0a03e97ba7eb298b2?ds=inline Taint: fix verify. Bug 2598 (cherry-picked from 2b60ac1021 and 9eed571fd7) --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 92298e7fc..859e87b00 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -36,6 +36,10 @@ JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for when the limit was exceeded. This eventually crashed the daemon. Fix by adding a relase action in that path. +JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are + expanded; previously using tainted values was rejected. Fix by using + dynamically-created buffers. + Exim version 4.94 ----------------- diff --git a/src/src/acl.c b/src/src/acl.c index 8619cd5ef..11d1fd028 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -1767,7 +1767,7 @@ switch(vp->value) /* Remaining items are optional; they apply to sender and recipient verification, including "header sender" verification. */ -while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) +while ((ss = string_nextinlist(&list, &sep, NULL, 0))) { if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE; else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE; @@ -1804,7 +1804,7 @@ while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))) uschar * opt; while (isspace(*sublist)) sublist++; - while ((opt = string_nextinlist(&sublist, &optsep, buffer, sizeof(buffer)))) + while ((opt = string_nextinlist(&sublist, &optsep, NULL, 0))) { callout_opt_t * op; double period = 1.0F; diff --git a/test/confs/0591 b/test/confs/0591 new file mode 100644 index 000000000..8eaeb0894 --- /dev/null +++ b/test/confs/0591 
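Review bot: The outer option loop in the first acl.c hunk now passes `NULL, 0` to `string_nextinlist()` with no comment saying why, so a later tidy-up could put `big_buffer` back and reintroduce the rejection of tainted values that the ChangeLog entry describes. I would add above the `while`: `/* NULL buffer: each item is allocated afresh, so expanded (possibly tainted) option text is never copied into a fixed buffer - Bug 2598 */`. Each `ss` is now sized by the expanded option string rather than capped at `big_buffer_size`, so it is worth confirming that the returned item keeps the taint of its source and that later uses of `ss` in the loop remain subject to taint checks. The loop body continues beyond the hunk.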
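Review bot: The callout sub-option loop changed in the second acl.c hunk is not covered by the new test: test/scripts/0000-Basic/0591 only feeds `$sender_address/defer_ok`, which goes through the outer option loop. A case that puts an expanded, tainted value into the callout option list would exercise this `string_nextinlist(&sublist, &optsep, NULL, 0)` call as well. The local `buffer` that the old call wrote into is declared outside the hunk; if this loop was its only user, it is now dead and its declaration should be removed. The enclosing block starts and ends outside the hunk.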
@@ -0,0 +1,33 @@ +# Exim test configuration 0591 + +.include DIR/aux-var/std_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + +domainlist local_domains = test.ex + +acl_smtp_rcpt = check_recipient +queue_only + + +# ----- ACL ----- + +begin acl + +check_recipient: + require verify = sender=OPT + accept + +# ----- Routers ----- + +begin routers + +goodroute: + driver = accept + local_parts = userx + verify_only + + +# End diff --git a/test/scripts/0000-Basic/0087 b/test/scripts/0000-Basic/0087 index c77b69cc4..8e65e8006 100644 --- a/test/scripts/0000-Basic/0087 +++ b/test/scripts/0000-Basic/0087 @@ -1,4 +1,4 @@ -# verify = header_sender +# verify = header_sender & sender exim -bh V4NET.10.10.10 mail from: rcpt to: diff --git a/test/scripts/0000-Basic/0591 b/test/scripts/0000-Basic/0591 new file mode 100644 index 000000000..c7f543d36 --- /dev/null +++ b/test/scripts/0000-Basic/0591 @@ -0,0 +1,29 @@ +# verify = sender=address +# +# pass +exim -DOPT=userx@test.ex -bh 127.0.0.1 +mail from: +rcpt to: +data +From: userx@test.ex +Subject: testing +. +QUIT +**** +# fail +exim -DOPT=fail@test.ex -bh 127.0.0.1 +mail from: +rcpt to: +QUIT +**** +# check can use tainted data +exim -DOPT='$sender_address/defer_ok' -bh 127.0.0.1 +mail from: +rcpt to: +data +From: userx@test.ex +Subject: testing +. +QUIT +**** +no_msglog_check diff --git a/test/stderr/0591 b/test/stderr/0591 new file mode 100644 index 000000000..d3e854e68 --- /dev/null +++ b/test/stderr/0591 
@@ -0,0 +1,67 @@ +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_recipient" +>>> processing "require" (TESTSUITE/test-config 20) +>>> check verify = sender=userx@test.ex +>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +>>> routing userx@test.ex +>>> userx in "userx"? yes (matched "userx") +>>> calling goodroute router +>>> routed by goodroute router +>>> ----------- end verify ------------ +>>> require: condition test succeeded in ACL "check_recipient" +>>> processing "accept" (TESTSUITE/test-config 21) +>>> accept: condition test succeeded in ACL "check_recipient" +>>> end of ACL "check_recipient": ACCEPT +>>> host in ignore_fromline_hosts? no (option unset) +LOG: 10HmaX-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtp S=sss +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_recipient" +>>> processing "require" (TESTSUITE/test-config 20) +>>> check verify = sender=fail@test.ex +>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +>>> routing fail@test.ex +>>> fail in "userx"? 
no (end of list) +>>> no more routers +>>> ----------- end verify ------------ +>>> require: condition test failed in ACL "check_recipient" +>>> end of ACL "check_recipient": not OK +LOG: H=[127.0.0.1] sender verify fail for : Unrouteable address +LOG: H=[127.0.0.1] F= rejected RCPT : Sender verify failed +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_recipient" +>>> processing "require" (TESTSUITE/test-config 20) +>>> check verify = sender=$sender_address/defer_ok +>>> = sender=userx@test.ex/defer_ok +>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +>>> routing userx@test.ex +>>> userx in "userx"? yes (matched "userx") +>>> calling goodroute router +>>> routed by goodroute router +>>> ----------- end verify ------------ +>>> require: condition test succeeded in ACL "check_recipient" +>>> processing "accept" (TESTSUITE/test-config 21) +>>> accept: condition test succeeded in ACL "check_recipient" +>>> end of ACL "check_recipient": ACCEPT +>>> host in ignore_fromline_hosts? no (option unset) +LOG: 10HmaY-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtp S=sss diff --git a/test/stdout/0591 b/test/stdout/0591 new file mode 100644 index 000000000..620e8f89f --- /dev/null +++ b/test/stdout/0591 
@@ -0,0 +1,39 @@ + +**** SMTP testing session as if from host 127.0.0.1 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaX-0005vi-00 + +**** SMTP testing: that is not a real message id! + +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host 127.0.0.1 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +550-Verification failed for +550-Unrouteable address +550 Sender verify failed +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host 127.0.0.1 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaY-0005vi-00 + +**** SMTP testing: that is not a real message id! + +221 myhost.test.ex closing connection