From: Jeremy Harris Date: Sat, 29 Aug 2020 19:26:14 +0000 (+0100) Subject: de-taint any passing belowhome X-Git-Url: https://git.exim.org/users/jgh/exim.git/commitdiff_plain/539410bc9241afc004e89d3d35b32af1df46c195 de-taint any passing belowhome --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 4a22b2e5f..e938703ee 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23025,7 +23025,11 @@ The option must be set to one of the words &"anywhere"&, &"inhome"&, or .wen In the second and third cases, a home directory must have been -set for the transport. This option is not useful when an explicit filename is +set for the transport, and the file or directory being created must +reside within it. +The "belowhome" checking additionally checks for attempts to use "../" +to evade the testing. +This option is not useful when an explicit filename is given for normal mailbox deliveries. It is intended for the case when filenames are generated from users' &_.forward_& files. These are usually handled by an &(appendfile)& transport called &%address_file%&. See also @@ -23035,12 +23039,12 @@ by an &(appendfile)& transport called &%address_file%&. See also In the fourth case, the value given for this option must be an absolute path for an existing directory. -The expansion of either the &%directory%& or &%file%& -option is checked for being a strict (possibly potential) descendant, -in the filesystem, of the value given. +The value is used for checking instead of a home directory; +checking is done in "belowhome" mode. + .cindex "tainted data" "de-tainting" -If the check passes then the path checked becomes de-tainted. -If the check fails then the transport returns failure. +If "belowhome" checking is used, the file or directory path +becomes de-tainted. .wen diff --git a/src/src/transports/appendfile.c b/src/src/transports/appendfile.c index 908fd8ad9..95857a53e 100644 --- a/src/src/transports/appendfile.c 
+++ b/src/src/transports/appendfile.c @@ -1337,7 +1337,7 @@ if (!isdirectory) /*XXX could we just de-taint on belowhome? */ if ( (allow_creation_here = check_creation(path, ob->create_file)) - && *ob->create_file_string == '/') + && ob->create_file == create_belowhome) if (is_tainted(path)) { DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path); @@ -2177,7 +2177,7 @@ else it, de-taint. Otherwise check for taint. */ if (is_tainted(path)) - if (*ob->create_file_string = '/') + if (ob->create_file == create_belowhome) { DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path); path = string_copy_taint(path, FALSE);
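Review bot: In the first spec.xfpt hunk (@@ -23025), the added sentences write "belowhome" and "../" in plain double quotes, while the context line directly above quotes the option values as &"anywhere"& and &"inhome"&. Use the same &"..."& markup for the new text so the values render consistently with the rest of the option description.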
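Review bot: In the second spec.xfpt hunk (@@ -23035), the replacement text drops both the "If the check passes" condition and the sentence "If the check fails then the transport returns failure." The new wording, "If "belowhome" checking is used, the file or directory path becomes de-tainted", reads as unconditional, while the subject line says "de-taint any passing belowhome". Suggest keeping the condition (for example "is used and the check passes") and retaining a statement of what the transport does when the check fails.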
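Review bot: In the appendfile.c hunk at @@ -1337, the context comment "/*XXX could we just de-taint on belowhome? */" is left in place although the new condition "ob->create_file == create_belowhome" now does exactly that; remove or reword it. One thing to confirm: the spec hunk says an absolute-path value is checked in "belowhome" mode, and the old test keyed on "*ob->create_file_string == '/'", so the absolute-path setting has to leave ob->create_file equal to create_belowhome or that case stops de-tainting. The lines shown in this patch do not show where that value is set.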
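Review bot: In the appendfile.c hunk at @@ -2177, the removed line "if (*ob->create_file_string = '/')" is an assignment, not a comparison: it evaluated as true whenever reached and wrote '/' into the first byte of create_file_string. That makes this hunk a behaviour fix (tainted paths reaching this point were de-tainted regardless of the create_file setting), not the same refactor as at @@ -1337, and the commit message should say so. The outer "if (is_tainted(path))" has no braces around the inner if, and the context comment says "Otherwise check for taint", so bracing the outer if would make clear which test any following else binds to.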