function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
+JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
+ buffer was used for the filename, resulting in a trap when tainted
+ arguments (eg. $domain) were used.
+
Exim version 4.92
-----------------
Exim version 4.92
-----------------
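Review bot: The JH/43 entry describes the trap but not the behaviour change that comes with the fix: the dsearch hunk also drops the "path name too long" DEFER along with the fixed PATH_MAX buffer. A half-sentence noting that the filename is now built with string_sprintf, with no explicit length error, would let someone reading the ChangeLog see that the lookup's failure modes changed.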
scanning the directory, as it is hopefully faster to let the OS do the scanning
for us. */
scanning the directory, as it is hopefully faster to let the OS do the scanning
for us. */
-int
-static dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
+static int
+dsearch_find(void *handle, uschar *dirname, const uschar *keystring, int length,
uschar **result, uschar **errmsg, uint *do_cache)
{
struct stat statbuf;
int save_errno;
uschar **result, uschar **errmsg, uint *do_cache)
{
struct stat statbuf;
int save_errno;
-uschar filename[PATH_MAX];
handle = handle; /* Keep picky compilers happy */
length = length;
handle = handle; /* Keep picky compilers happy */
length = length;
-if (!string_format(filename, sizeof(filename), "%s/%s", dirname, keystring))
- {
- *errmsg = US"path name too long";
- return DEFER;
- }
-
+filename = string_sprintf("%s/%s", dirname, keystring);
if (Ulstat(filename, &statbuf) >= 0)
{
*result = string_copy(keystring);
if (Ulstat(filename, &statbuf) >= 0)
{
*result = string_copy(keystring);
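Review bot: In dsearch_find, swapping the bounded string_format() call for string_sprintf("%s/%s", dirname, keystring) removes the "path name too long" DEFER, so an over-long key now only fails inside Ulstat(). Please confirm that the errno handling after the Ulstat() call (the save_errno path) treats ENAMETOOLONG the way you intend and does not report it as an ordinary lookup miss. Two smaller points: the lines shown remove `uschar filename[PATH_MAX];` but no replacement declaration of `filename` is visible, so check that a `uschar *` declaration is part of the change; and since keystring can be tainted input such as $domain and is joined to dirname unchanged, a short comment pointing at where keys containing '/' are rejected would help, because no such check is visible in this hunk.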
*************************************************/
/* The formatting is done by string_vformat, which checks the length of
*************************************************/
/* The formatting is done by string_vformat, which checks the length of
+everything. Taint is taken from the worst of the arguments.
Arguments:
format a printf() format - deliberately char * rather than uschar *
Arguments:
format a printf() format - deliberately char * rather than uschar *
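Review bot: The added comment line "Taint is taken from the worst of the arguments" is too loose for callers who now depend on it, as dsearch_find does. Suggest stating the rule directly, for example that the result is tainted if any argument is tainted, and saying whether the format string itself counts as one of the arguments for this purpose.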