From: Jeremy Harris Date: Fri, 8 Nov 2019 22:30:04 +0000 (+0000) Subject: Regard command-line recipients as tainted X-Git-Url: https://git.exim.org/users/jgh/exim.git/commitdiff_plain/f0fe22cbc29ee4f887aa254f2590a9e72401e237 Regard command-line recipients as tainted --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index f9e39d2dc..f10e45cee 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -22,6 +22,8 @@ JH/04 Support CHUNKING from an smtp transport using a transport_filter, when DKIM signing is being done. Previously a transport_filter would always disable CHUNKING, falling back to traditional DATA. +JH/05 Regard command-line receipients as tainted. + Exim version 4.93 ----------------- diff --git a/src/src/exim.c b/src/src/exim.c index d6952ef2e..a30e35bca 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -4809,8 +4809,9 @@ if (verify_address_mode || f.address_test_mode) { while (recipients_arg < argc) { - uschar *s = argv[recipients_arg++]; - while (*s != 0) + /* Supplied addresses are tainted since they come from a user */ + uschar * s = string_copy_taint(argv[recipients_arg++], TRUE); + while (*s) { BOOL finished = FALSE; uschar *ss = parse_find_address_end(s, FALSE); @@ -4818,16 +4819,16 @@ if (verify_address_mode || f.address_test_mode) test_address(s, flags, &exit_value); s = ss; if (!finished) - while (*(++s) != 0 && (*s == ',' || isspace(*s))); + while (*++s == ',' || isspace(*s)) ; } } } else for (;;) { - uschar *s = get_stdinput(NULL, NULL); - if (s == NULL) break; - test_address(s, flags, &exit_value); + uschar * s = get_stdinput(NULL, NULL); + if (!s) break; + test_address(string_copy_taint(s, TRUE), flags, &exit_value); } route_tidyup(); @@ -5321,13 +5322,13 @@ while (more) raw_sender = string_copy(sender_address); - /* Loop for each argument */ + /* Loop for each argument (supplied by user hence tainted) */ for (int i = 0; i < count; i++) { int start, end, domain; - uschar *errmess; - uschar *s = list[i]; + uschar * errmess; + uschar * s = string_copy_taint(list[i], TRUE); /* Loop for each comma-separated address */