1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* This module contains code for extracting addresses from a forwarding list
9 (from an alias or forward file) or by running the filter interpreter. It may do
10 this in a sub-process if a uid/gid are supplied. */
15 enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
17 #define REPLY_EXISTS 0x01
18 #define REPLY_EXPAND 0x02
19 #define REPLY_RETURN 0x04
22 /*************************************************
23 * Check string for filter program *
24 *************************************************/
26 /* This function checks whether a string is actually a filter program. The rule
27 is that it must start with "# Exim filter ..." (any capitalization, spaces
28 optional). It is envisaged that in future, other kinds of filter may be
29 implemented. That's why it is implemented the way it is. The function is global
30 because it is also called from filter.c when checking filters.
34 Returns: FILTER_EXIM if it starts with "# Exim filter"
35 FILTER_SIEVE if it starts with "# Sieve filter"
36 FILTER_FORWARD otherwise
39 /* This is an auxiliary function for matching a tag. */
42 match_tag(const uschar *s, const uschar *tag)
44 for (; *tag != 0; s++, tag++)
47 while (*s == ' ' || *s == '\t') s++;
51 if (tolower(*s) != tolower(*tag)) break;
56 /* This is the real function. It should be easy to add checking different
57 tags for other types of filter. */
60 rda_is_filter(const uschar *s)
62 while (isspace(*s)) s++; /* Skips initial blank lines */
63 if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
64 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
65 else return FILTER_FORWARD;
71 /*************************************************
72 * Check for existence of file *
73 *************************************************/
75 /* First of all, we stat the file. If this fails, we try to stat the enclosing
76 directory, because a file in an unmounted NFS directory will look the same as a
77 non-existent file. It seems that in Solaris 2.6, statting an entry in an
78 indirect map that is currently unmounted does not cause the mount to happen.
79 Instead, dummy data is returned, which defeats the whole point of this test.
80 However, if a stat() is done on some object inside the directory, such as the
81 "." back reference to itself, then the mount does occur. If an NFS host is
82 taken offline, it is possible for the stat() to get stuck until it comes back.
83 To guard against this, stick a timer round it. If we can't access the "."
84 inside the directory, try the plain directory, just in case that helps.
87 filename the file name
88 error for message on error
90 Returns: FILE_EXIST the file exists
91 FILE_NOT_EXIST the file does not exist
92 FILE_EXIST_UNCLEAR cannot determine existence
96 rda_exists(uschar *filename, uschar **error)
102 if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
105 s = string_copy(filename);
106 sigalrm_seen = FALSE;
108 if (saved_errno == ENOENT)
110 uschar * slash = Ustrrchr(s, '/');
111 Ustrcpy(slash+1, US".");
114 rc = Ustat(s, &statbuf);
115 if (rc != 0 && errno == EACCES && !sigalrm_seen)
118 rc = Ustat(s, &statbuf);
123 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
126 if (sigalrm_seen || rc != 0)
128 *error = string_sprintf("failed to stat %s (%s)", s,
129 sigalrm_seen? "timeout" : strerror(saved_errno));
130 return FILE_EXIST_UNCLEAR;
133 *error = string_sprintf("%s does not exist", filename);
134 DEBUG(D_route) debug_printf("%s\n", *error);
135 return FILE_NOT_EXIST;
140 /*************************************************
141 * Get forwarding list from a file *
142 *************************************************/
144 /* Open a file and read its entire contents into a block of memory. Certain
145 opening errors are optionally treated the same as "file does not exist".
147 ENOTDIR means that something along the line is not a directory: there are
148 installations that set home directories to be /dev/null for non-login accounts
149 but in normal circumstances this indicates some kind of configuration error.
151 EACCES means there's a permissions failure. Some users turn off read permission
152 on a .forward file to suspend forwarding, but this is probably an error in any
153 kind of mailing list processing.
155 The redirect block that contains the file name also contains constraints such
156 as who may own the file, and mode bits that must not be set. This function is
159 rdata rdirect block, containing file name and constraints
160 options for the RDO_ENOTDIR and RDO_EACCES options
161 error where to put an error message
162 yield what to return from rda_interpret on error
164 Returns: pointer to string in store; NULL on error
168 rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
173 uschar *filename = rdata->string;
174 BOOL uid_ok = !rdata->check_owner;
175 BOOL gid_ok = !rdata->check_group;
178 /* Attempt to open the file. If it appears not to exist, check up on the
179 containing directory by statting it. If the directory does not exist, we treat
180 this situation as an error (which will cause delivery to defer); otherwise we
181 pass back FF_NONEXIST, which causes the redirect router to decline.
183 However, if the ignore_enotdir option is set (to ignore "something on the
184 path is not a directory" errors), the right behaviour seems to be not to do the
187 fwd = Ufopen(filename, "rb");
192 case ENOENT: /* File does not exist */
193 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
195 ((options & RDO_ENOTDIR) != 0)? "ignore_enotdir set => skip " : "");
196 *yield = (((options & RDO_ENOTDIR) != 0) ||
197 rda_exists(filename, error) == FILE_NOT_EXIST)?
198 FF_NONEXIST : FF_ERROR;
201 case ENOTDIR: /* Something on the path isn't a directory */
202 if ((options & RDO_ENOTDIR) == 0) goto DEFAULT_ERROR;
203 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
204 "exist\n", filename);
205 *yield = FF_NONEXIST;
208 case EACCES: /* Permission denied */
209 if ((options & RDO_EACCES) == 0) goto DEFAULT_ERROR;
210 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
211 "exist\n", filename);
212 *yield = FF_NONEXIST;
217 *error = string_open_failed(errno, "%s", filename);
223 /* Check that we have a regular file. */
225 if (fstat(fileno(fwd), &statbuf) != 0)
227 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
231 if ((statbuf.st_mode & S_IFMT) != S_IFREG)
233 *error = string_sprintf("%s is not a regular file", filename);
237 /* Check for unwanted mode bits */
239 if ((statbuf.st_mode & rdata->modemask) != 0)
241 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
242 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
246 /* Check the file owner and file group if required to do so. */
250 if (rdata->pw != NULL && statbuf.st_uid == rdata->pw->pw_uid)
252 else if (rdata->owners != NULL)
253 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
254 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
259 if (rdata->pw != NULL && statbuf.st_gid == rdata->pw->pw_gid)
261 else if (rdata->owngroups != NULL)
262 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
263 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
266 if (!uid_ok || !gid_ok)
268 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
272 /* Put an upper limit on the size of the file, just to stop silly people
273 feeding in ridiculously large files, which can easily be created by making
274 files that have holes in them. */
276 if (statbuf.st_size > MAX_FILTER_SIZE)
278 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
282 /* Read the file in one go in order to minimize the time we have it open. */
284 filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
286 if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
288 *error = string_sprintf("error while reading %s: %s",
289 filename, strerror(errno));
292 filebuf[statbuf.st_size] = 0;
295 debug_printf(OFF_T_FMT " bytes read from %s\n", statbuf.st_size, filename);
300 /* Return an error: the string is already set up. */
310 /*************************************************
311 * Extract info from list or filter *
312 *************************************************/
314 /* This function calls the appropriate function to extract addresses from a
315 forwarding list, or to run a filter file and get addresses from there.
318 rdata the redirection block
319 options the options bits
320 include_directory restrain to this directory
321 sieve_vacation_directory passed to sieve_interpret
322 sieve_enotify_mailto_owner passed to sieve_interpret
323 sieve_useraddress passed to sieve_interpret
324 sieve_subaddress passed to sieve_interpret
325 generated where to hang generated addresses
326 error for error messages
327 eblockp for details of skipped syntax errors
329 filtertype set to the filter type:
330 FILTER_FORWARD => a traditional .forward file
331 FILTER_EXIM => an Exim filter file
332 FILTER_SIEVE => a Sieve filter file
333 a system filter is always forced to be FILTER_EXIM
335 Returns: a suitable return for rda_interpret()
339 rda_extract(redirect_block *rdata, int options, uschar *include_directory,
340 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
341 uschar *sieve_useraddress, uschar *sieve_subaddress,
342 address_item **generated, uschar **error, error_block **eblockp,
350 data = rda_get_file_contents(rdata, options, error, &yield);
351 if (data == NULL) return yield;
353 else data = rdata->string;
355 *filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
357 /* Filter interpretation is done by a general function that is also called from
358 the filter testing option (-bf). There are two versions: one for Exim filtering
359 and one for Sieve filtering. Several features of string expansion may be locked
360 out at sites that don't trust users. This is done by setting flags in
361 expand_forbid that the expander inspects. */
363 if (*filtertype != FILTER_FORWARD)
366 int old_expand_forbid = expand_forbid;
368 DEBUG(D_route) debug_printf("data is %s filter program\n",
369 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
371 /* RDO_FILTER is an "allow" bit */
373 if ((options & RDO_FILTER) == 0)
375 *error = US"filtering not enabled";
380 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
382 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
384 if (*filtertype == FILTER_EXIM)
386 if ((options & RDO_EXIM_FILTER) != 0)
388 *error = US"Exim filtering not enabled";
391 frc = filter_interpret(data, options, generated, error);
395 if ((options & RDO_SIEVE_FILTER) != 0)
397 *error = US"Sieve filtering not enabled";
400 frc = sieve_interpret(data, options, sieve_vacation_directory,
401 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
405 expand_forbid = old_expand_forbid;
409 /* Not a filter script */
411 DEBUG(D_route) debug_printf("file is not a filter file\n");
413 return parse_forward_list(data,
414 options, /* specials that are allowed */
415 generated, /* where to hang them */
416 error, /* for errors */
417 deliver_domain, /* to qualify \name */
418 include_directory, /* restrain to directory */
419 eblockp); /* for skipped syntax errors */
425 /*************************************************
426 * Write string down pipe *
427 *************************************************/
429 /* This function is used for transferring a string down a pipe between
430 processes. If the pointer is NULL, a length of zero is written.
436 Returns: -1 on error, else 0
440 rda_write_string(int fd, const uschar *s)
442 int len = s ? Ustrlen(s) + 1 : 0;
443 return ( os_pipe_write(fd, &len, sizeof(int)) != sizeof(int)
444 || s && write(fd, s, len) != len
451 /*************************************************
452 * Read string from pipe *
453 *************************************************/
455 /* This function is used for receiving a string from a pipe.
459 sp where to put the string
461 Returns: FALSE if data missing
465 rda_read_string(int fd, uschar **sp)
469 if (os_pipe_read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
473 /* We know we have enough memory so disable the error on "len" */
474 /* coverity[tainted_data] */
475 /* We trust the data source, so untainted */
476 if (os_pipe_read(fd, *sp = store_get(len, FALSE), len) != len) return FALSE;
482 /*************************************************
483 * Interpret forward list or filter *
484 *************************************************/
486 /* This function is passed a forward list string (unexpanded) or the name of a
487 file (unexpanded) whose contents are the forwarding list. The list may in fact
488 be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
489 types of filter, with different initial tag strings, may be introduced in due
492 The job of the function is to process the forwarding list or filter. It is
493 pulled out into this separate function, because it is used for system filter
494 files as well as from the redirect router.
496 If the function is given a uid/gid, it runs a subprocess that passes the
497 results back via a pipe. This provides security for things like :include:s in
498 users' .forward files, and "logwrite" calls in users' filter files. A
499 sub-process is NOT used when:
501 . No uid/gid is provided
502 . The input is a string which is not a filter string, and does not contain
504 . The input is a file whose non-existence can be detected in the main
505 process (which is usually running as root).
508 rdata redirect data (file + constraints, or data string)
509 options options to pass to the extraction functions,
510 plus ENOTDIR and EACCES handling bits
511 include_directory restrain :include: to this directory
512 sieve_vacation_directory directory passed to sieve_interpret
513 sieve_enotify_mailto_owner passed to sieve_interpret
514 sieve_useraddress passed to sieve_interpret
515 sieve_subaddress passed to sieve_interpret
516 ugid uid/gid to run under - if NULL, no change
517 generated where to hang generated addresses, initially NULL
518 error pointer for error message
519 eblockp for skipped syntax errors; NULL if no skipping
520 filtertype set to the type of file:
521 FILTER_FORWARD => traditional .forward file
522 FILTER_EXIM => an Exim filter file
523 FILTER_SIEVE => a Sieve filter file
524 a system filter is always forced to be FILTER_EXIM
525 rname router name for error messages in the format
526 "xxx router" or "system filter"
528 Returns: values from extraction function, or FF_NONEXIST:
529 FF_DELIVERED success, a significant action was taken
530 FF_NOTDELIVERED success, no significant action
531 FF_BLACKHOLE :blackhole:
532 FF_DEFER defer requested
533 FF_FAIL fail requested
534 FF_INCLUDEFAIL some problem with :include:
535 FF_FREEZE freeze requested
536 FF_ERROR there was a problem
537 FF_NONEXIST the file does not exist
541 rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
542 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
543 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
544 address_item **generated, uschar **error, error_block **eblockp,
545 int *filtertype, uschar *rname)
549 BOOL had_disaster = FALSE;
552 uschar *readerror = US"";
553 void (*oldsignal)(int);
555 DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
556 rdata->isfile ? "file" : "string", string_printing(rdata->string));
558 /* Do the expansions of the file name or data first, while still privileged. */
560 if (!(data = expand_string(rdata->string)))
562 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
563 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
564 expand_string_message);
567 rdata->string = data;
569 DEBUG(D_route) debug_printf("expanded: '%s'\n", data);
571 if (rdata->isfile && data[0] != '/')
573 *error = string_sprintf("\"%s\" is not an absolute path", data);
577 /* If no uid/gid are supplied, or if we have a data string which does not start
578 with #Exim filter or #Sieve filter, and does not contain :include:, do all the
579 work in this process. Note that for a system filter, we always have a file, so
580 the work is done in this process only if no user is supplied. */
582 if (!ugid->uid_set || /* Either there's no uid, or */
583 (!rdata->isfile && /* We've got the data, and */
584 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
585 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
587 return rda_extract(rdata, options, include_directory,
588 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
589 sieve_subaddress, generated, error, eblockp, filtertype);
592 /* We need to run the processing code in a sub-process. However, if we can
593 determine the non-existence of a file first, we can decline without having to
594 create the sub-process. */
596 if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
599 /* If the file does exist, or we can't tell (non-root mounted NFS directory)
600 we have to create the subprocess to do everything as the given user. The
601 results of processing are passed back via a pipe. */
604 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
605 ":include: failed for %s: %s", rname, strerror(errno));
607 /* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
608 process can be waited for. We sometimes get here with it set otherwise. Save
609 the old state for resetting on the wait. Ensure that all cached resources are
610 freed so that the subprocess starts with a clean slate and doesn't interfere
611 with the parent process. */
613 oldsignal = signal(SIGCHLD, SIG_DFL);
616 if ((pid = fork()) == 0)
618 header_line *waslast = header_last; /* Save last header */
620 fd = pfd[pipe_write];
621 (void)close(pfd[pipe_read]);
622 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
624 /* Addresses can get rewritten in filters; if we are not root or the exim
625 user (and we probably are not), turn off rewrite logging, because we cannot
626 write to the log now. */
628 if (ugid->uid != root_uid && ugid->uid != exim_uid)
630 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
631 "root or exim in this process)\n");
632 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
635 /* Now do the business */
637 yield = rda_extract(rdata, options, include_directory,
638 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
639 sieve_subaddress, generated, error, eblockp, filtertype);
641 /* Pass back whether it was a filter, and the return code and any overall
642 error text via the pipe. */
644 if ( os_pipe_write(fd, filtertype, sizeof(int)) != sizeof(int)
645 || os_pipe_write(fd, &yield, sizeof(int)) != sizeof(int)
646 || rda_write_string(fd, *error) != 0
650 /* Pass back the contents of any syntax error blocks if we have a pointer */
654 for (error_block * ep = *eblockp; ep; ep = ep->next)
655 if ( rda_write_string(fd, ep->text1) != 0
656 || rda_write_string(fd, ep->text2) != 0
659 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
663 /* If this is a system filter, we have to pass back the numbers of any
664 original header lines that were removed, and then any header lines that were
665 added but not subsequently removed. */
667 if (f.system_filtering)
670 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
671 if ( h->type == htype_old
672 && os_pipe_write(fd, &i, sizeof(i)) != sizeof(i)
677 if (os_pipe_write(fd, &i, sizeof(i)) != sizeof(i))
680 while (waslast != header_last)
682 waslast = waslast->next;
683 if (waslast->type != htype_old)
684 if ( rda_write_string(fd, waslast->text) != 0
685 || os_pipe_write(fd, &(waslast->type), sizeof(waslast->type))
686 != sizeof(waslast->type)
690 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
694 /* Write the contents of the $n variables */
696 if (os_pipe_write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
699 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
700 addresses, and their associated information, through the pipe. This is
701 just tedious, but it seems to be the only safe way. We do this also for
702 FAIL and FREEZE, because a filter is allowed to set up deliveries that
703 are honoured before freezing or failing. */
705 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
706 yield == FF_FAIL || yield == FF_FREEZE)
708 for (address_item * addr = *generated; addr; addr = addr->next)
710 int reply_options = 0;
711 int ig_err = addr->prop.ignore_error ? 1 : 0;
713 if ( rda_write_string(fd, addr->address) != 0
714 || os_pipe_write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
715 || os_pipe_write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
716 || rda_write_string(fd, addr->prop.errors_address) != 0
717 || os_pipe_write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
721 if (addr->pipe_expandn)
722 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
723 if (rda_write_string(fd, *pp) != 0)
725 if (rda_write_string(fd, NULL) != 0)
730 if (os_pipe_write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
735 reply_options |= REPLY_EXISTS;
736 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
737 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
738 if ( os_pipe_write(fd, &reply_options, sizeof(int)) != sizeof(int)
739 || os_pipe_write(fd, &(addr->reply->expand_forbid), sizeof(int))
741 || os_pipe_write(fd, &(addr->reply->once_repeat), sizeof(time_t))
743 || rda_write_string(fd, addr->reply->to) != 0
744 || rda_write_string(fd, addr->reply->cc) != 0
745 || rda_write_string(fd, addr->reply->bcc) != 0
746 || rda_write_string(fd, addr->reply->from) != 0
747 || rda_write_string(fd, addr->reply->reply_to) != 0
748 || rda_write_string(fd, addr->reply->subject) != 0
749 || rda_write_string(fd, addr->reply->headers) != 0
750 || rda_write_string(fd, addr->reply->text) != 0
751 || rda_write_string(fd, addr->reply->file) != 0
752 || rda_write_string(fd, addr->reply->logfile) != 0
753 || rda_write_string(fd, addr->reply->oncelog) != 0
759 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
763 /* OK, this process is now done. Free any cached resources. Must use _exit()
769 exim_underbar_exit(0);
772 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
776 /* Back in the main process: panic if the fork did not succeed. */
779 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
781 /* Read the pipe to get the data from the filter/forward. Our copy of the
782 writing end must be closed first, as otherwise read() won't return zero on an
783 empty pipe. Afterwards, close the reading end. */
785 (void)close(pfd[pipe_write]);
787 /* Read initial data, including yield and contents of *error */
790 if (os_pipe_read(fd, filtertype, sizeof(int)) != sizeof(int) ||
791 os_pipe_read(fd, &yield, sizeof(int)) != sizeof(int) ||
792 !rda_read_string(fd, error)) goto DISASTER;
794 /* Read the contents of any syntax error blocks if we have a pointer */
799 for (error_block ** p = eblockp; ; p = &e->next)
802 if (!rda_read_string(fd, &s)) goto DISASTER;
804 e = store_get(sizeof(error_block), FALSE);
807 if (!rda_read_string(fd, &s)) goto DISASTER;
813 /* If this is a system filter, read the identify of any original header lines
814 that were removed, and then read data for any new ones that were added. */
816 if (f.system_filtering)
819 header_line *h = header_list;
824 if (os_pipe_read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
829 if (!(h = h->next)) goto DISASTER_NO_HEADER;
838 if (!rda_read_string(fd, &s)) goto DISASTER;
840 if (os_pipe_read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
841 header_add(type, "%s", s);
845 /* Read the values of the $n variables */
847 if (os_pipe_read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
849 /* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
850 addresses and data to go with them. Keep them in the same order in the
853 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
854 yield == FF_FAIL || yield == FF_FREEZE)
856 address_item **nextp = generated;
860 int i, reply_options;
863 uschar *expandn[EXPAND_MAXN + 2];
865 /* First string is the address; NULL => end of addresses */
867 if (!rda_read_string(fd, &recipient)) goto DISASTER;
868 if (!recipient) break;
870 /* Hang on the end of the chain */
872 addr = deliver_make_addr(recipient, FALSE);
874 nextp = &(addr->next);
876 /* Next comes the mode and the flags fields */
878 if ( os_pipe_read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
879 || os_pipe_read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
880 || !rda_read_string(fd, &addr->prop.errors_address)
881 || os_pipe_read(fd, &i, sizeof(i)) != sizeof(i)
884 addr->prop.ignore_error = (i != 0);
886 /* Next comes a possible setting for $thisaddress and any numerical
887 variables for pipe expansion, terminated by a NULL string. The maximum
888 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
889 into the zeroth item in the vector - this is sorted out inside the pipe
892 for (i = 0; i < EXPAND_MAXN + 1; i++)
895 if (!rda_read_string(fd, &temp)) goto DISASTER;
896 if (i == 0) filter_thisaddress = temp; /* Just in case */
898 if (temp == NULL) break;
903 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), FALSE);
904 addr->pipe_expandn[i] = NULL;
905 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
908 /* Then an int containing reply options; zero => no reply data. */
910 if (os_pipe_read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
911 if ((reply_options & REPLY_EXISTS) != 0)
913 addr->reply = store_get(sizeof(reply_item), FALSE);
915 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
916 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
918 if (os_pipe_read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
920 os_pipe_read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
922 !rda_read_string(fd, &(addr->reply->to)) ||
923 !rda_read_string(fd, &(addr->reply->cc)) ||
924 !rda_read_string(fd, &(addr->reply->bcc)) ||
925 !rda_read_string(fd, &(addr->reply->from)) ||
926 !rda_read_string(fd, &(addr->reply->reply_to)) ||
927 !rda_read_string(fd, &(addr->reply->subject)) ||
928 !rda_read_string(fd, &(addr->reply->headers)) ||
929 !rda_read_string(fd, &(addr->reply->text)) ||
930 !rda_read_string(fd, &(addr->reply->file)) ||
931 !rda_read_string(fd, &(addr->reply->logfile)) ||
932 !rda_read_string(fd, &(addr->reply->oncelog)))
938 /* All data has been transferred from the sub-process. Reap it, close the
939 reading end of the pipe, and we are done. */
942 while ((rc = wait(&status)) != pid)
944 if (rc < 0 && errno == ECHILD) /* Process has vanished */
946 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
952 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
956 *error = string_sprintf("internal problem in %s: failure to transfer "
957 "data from subprocess: status=%04x%s%s%s", rname,
959 (*error == NULL)? US"" : US": error=",
960 (*error == NULL)? US"" : *error);
961 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
963 else if (status != 0)
965 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
966 "%04x from redirect subprocess (but data correctly received)", rname,
972 signal(SIGCHLD, oldsignal); /* restore */
976 /* Come here if the data indicates removal of a header that we can't find */
979 readerror = US" readerror=bad header identifier";
984 /* Come here is there's a shambles in transferring the data over the pipe. The
985 value of errno should still be set. */
988 readerror = string_sprintf(" readerror='%s'", strerror(errno));