projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
appendfile: taint-enforce file & directory options
[exim.git] / src / src / rda.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module contains code for extracting addresses from a forwarding list
9(from an alias or forward file) or by running the filter interpreter. It may do
10this in a sub-process if a uid/gid are supplied. */
11
12
13#include "exim.h"
14
15enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
16
17#define REPLY_EXISTS 0x01
18#define REPLY_EXPAND 0x02
19#define REPLY_RETURN 0x04
20
21
22/*************************************************
23* Check string for filter program *
24*************************************************/
25
26/* This function checks whether a string is actually a filter program. The rule
27is that it must start with "# Exim filter ..." (any capitalization, spaces
28optional). It is envisaged that in future, other kinds of filter may be
29implemented. That's why it is implemented the way it is. The function is global
30because it is also called from filter.c when checking filters.
31
32Argument: the string
33
34Returns: FILTER_EXIM if it starts with "# Exim filter"
35 FILTER_SIEVE if it starts with "# Sieve filter"
36 FILTER_FORWARD otherwise
37*/
38
39/* This is an auxiliary function for matching a tag. */
40
41static BOOL
42match_tag(const uschar *s, const uschar *tag)
43{
44for (; *tag != 0; s++, tag++)
059ec3d9
PH		 45 if (*tag == ' ')
46 {
47 while (*s == ' ' || *s == '\t') s++;
48 s--;
49 }
d7978c0f
JH		 50 else
51 if (tolower(*s) != tolower(*tag)) break;
52
059ec3d9
PH		 53return (*tag == 0);
54}
55
56/* This is the real function. It should be easy to add checking different
57tags for other types of filter. */
58
59int
60rda_is_filter(const uschar *s)
61{
62while (isspace(*s)) s++; /* Skips initial blank lines */
63if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
64 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
65 else return FILTER_FORWARD;
66}
67
68
69
70
71/*************************************************
72* Check for existence of file *
73*************************************************/
74
75/* First of all, we stat the file. If this fails, we try to stat the enclosing
76directory, because a file in an unmounted NFS directory will look the same as a
77non-existent file. It seems that in Solaris 2.6, statting an entry in an
78indirect map that is currently unmounted does not cause the mount to happen.
79Instead, dummy data is returned, which defeats the whole point of this test.
80However, if a stat() is done on some object inside the directory, such as the
81"." back reference to itself, then the mount does occur. If an NFS host is
82taken offline, it is possible for the stat() to get stuck until it comes back.
83To guard against this, stick a timer round it. If we can't access the "."
84inside the directory, try the plain directory, just in case that helps.
85
86Argument:
87 filename the file name
88 error for message on error
89
90Returns: FILE_EXIST the file exists
91 FILE_NOT_EXIST the file does not exist
92 FILE_EXIST_UNCLEAR cannot determine existence
93*/
94
95static int
96rda_exists(uschar *filename, uschar **error)
97{
98int rc, saved_errno;
059ec3d9 99struct stat statbuf;
f3ebb786 100uschar * s;
059ec3d9
PH		 101
102if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
103saved_errno = errno;
104
f3ebb786 105s = string_copy(filename);
059ec3d9
PH		 106sigalrm_seen = FALSE;
107
108if (saved_errno == ENOENT)
109 {
f3ebb786
JH		 110 uschar * slash = Ustrrchr(s, '/');
111 Ustrcpy(slash+1, US".");
059ec3d9 112
c2a1bba0 113 ALARM(30);
f3ebb786 114 rc = Ustat(s, &statbuf);
059ec3d9
PH		 115 if (rc != 0 && errno == EACCES && !sigalrm_seen)
116 {
117 *slash = 0;
f3ebb786 118 rc = Ustat(s, &statbuf);
059ec3d9
PH		 119 }
120 saved_errno = errno;
c2a1bba0 121 ALARM_CLR(0);
059ec3d9 122
f3ebb786 123 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
059ec3d9
PH		 124 }
125
126if (sigalrm_seen || rc != 0)
127 {
f3ebb786
JH		 128 *error = string_sprintf("failed to stat %s (%s)", s,
129 sigalrm_seen? "timeout" : strerror(saved_errno));
059ec3d9
PH		 130 return FILE_EXIST_UNCLEAR;
131 }
132
133*error = string_sprintf("%s does not exist", filename);
134DEBUG(D_route) debug_printf("%s\n", *error);
135return FILE_NOT_EXIST;
136}
137
138
139
140/*************************************************
141* Get forwarding list from a file *
142*************************************************/
143
144/* Open a file and read its entire contents into a block of memory. Certain
145opening errors are optionally treated the same as "file does not exist".
146
147ENOTDIR means that something along the line is not a directory: there are
148installations that set home directories to be /dev/null for non-login accounts
149but in normal circumstances this indicates some kind of configuration error.
150
151EACCES means there's a permissions failure. Some users turn off read permission
152on a .forward file to suspend forwarding, but this is probably an error in any
153kind of mailing list processing.
154
155The redirect block that contains the file name also contains constraints such
156as who may own the file, and mode bits that must not be set. This function is
157
158Arguments:
159 rdata rdirect block, containing file name and constraints
160 options for the RDO_ENOTDIR and RDO_EACCES options
161 error where to put an error message
162 yield what to return from rda_interpret on error
163
164Returns: pointer to string in store; NULL on error
165*/
166
167static uschar *
168rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
169 int *yield)
170{
171FILE *fwd;
172uschar *filebuf;
173uschar *filename = rdata->string;
174BOOL uid_ok = !rdata->check_owner;
175BOOL gid_ok = !rdata->check_group;
176struct stat statbuf;
177
178/* Attempt to open the file. If it appears not to exist, check up on the
179containing directory by statting it. If the directory does not exist, we treat
180this situation as an error (which will cause delivery to defer); otherwise we
181pass back FF_NONEXIST, which causes the redirect router to decline.
182
183However, if the ignore_enotdir option is set (to ignore "something on the
184path is not a directory" errors), the right behaviour seems to be not to do the
185directory test. */
186
f5bf7636 187if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
059ec3d9 188 {
f5bf7636 189 case ENOENT: /* File does not exist */
059ec3d9 190 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
f5bf7636
JH		 191 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
192 *yield =
193 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
194 ? FF_NONEXIST : FF_ERROR;
059ec3d9
PH		 195 return NULL;
196
f5bf7636 197 case ENOTDIR: /* Something on the path isn't a directory */
059ec3d9
PH		 198 if ((options & RDO_ENOTDIR) == 0) goto DEFAULT_ERROR;
199 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
200 "exist\n", filename);
201 *yield = FF_NONEXIST;
202 return NULL;
203
f5bf7636 204 case EACCES: /* Permission denied */
059ec3d9
PH		 205 if ((options & RDO_EACCES) == 0) goto DEFAULT_ERROR;
206 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
207 "exist\n", filename);
208 *yield = FF_NONEXIST;
209 return NULL;
210
f5bf7636
JH		 211 DEFAULT_ERROR:
212 default:
059ec3d9
PH		 213 *error = string_open_failed(errno, "%s", filename);
214 *yield = FF_ERROR;
215 return NULL;
059ec3d9
PH		 216 }
217
218/* Check that we have a regular file. */
219
220if (fstat(fileno(fwd), &statbuf) != 0)
221 {
222 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
223 goto ERROR_RETURN;
224 }
225
226if ((statbuf.st_mode & S_IFMT) != S_IFREG)
227 {
228 *error = string_sprintf("%s is not a regular file", filename);
229 goto ERROR_RETURN;
230 }
231
232/* Check for unwanted mode bits */
233
234if ((statbuf.st_mode & rdata->modemask) != 0)
235 {
236 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
237 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
238 goto ERROR_RETURN;
239 }
240
241/* Check the file owner and file group if required to do so. */
242
243if (!uid_ok)
f5bf7636 244 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
059ec3d9 245 uid_ok = TRUE;
f5bf7636 246 else if (rdata->owners)
d7978c0f 247 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
059ec3d9 248 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
059ec3d9
PH		 249
250if (!gid_ok)
f5bf7636 251 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
059ec3d9 252 gid_ok = TRUE;
f5bf7636 253 else if (rdata->owngroups)
d7978c0f 254 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
059ec3d9 255 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
059ec3d9
PH		 256
257if (!uid_ok || !gid_ok)
258 {
259 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
260 goto ERROR_RETURN;
261 }
262
263/* Put an upper limit on the size of the file, just to stop silly people
264feeding in ridiculously large files, which can easily be created by making
265files that have holes in them. */
266
267if (statbuf.st_size > MAX_FILTER_SIZE)
268 {
269 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
270 goto ERROR_RETURN;
271 }
272
273/* Read the file in one go in order to minimize the time we have it open. */
274
f3ebb786 275filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
059ec3d9
PH		 276
277if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
278 {
279 *error = string_sprintf("error while reading %s: %s",
280 filename, strerror(errno));
281 goto ERROR_RETURN;
282 }
283filebuf[statbuf.st_size] = 0;
284
f5bf7636
JH		 285DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
286 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
059ec3d9 287
f1e894f3 288(void)fclose(fwd);
059ec3d9
PH		 289return filebuf;
290
291/* Return an error: the string is already set up. */
292
293ERROR_RETURN:
294*yield = FF_ERROR;
f1e894f3 295(void)fclose(fwd);
059ec3d9
PH		 296return NULL;
297}
298
299
300
301/*************************************************
302* Extract info from list or filter *
303*************************************************/
304
305/* This function calls the appropriate function to extract addresses from a
306forwarding list, or to run a filter file and get addresses from there.
307
308Arguments:
309 rdata the redirection block
310 options the options bits
311 include_directory restrain to this directory
312 sieve_vacation_directory passed to sieve_interpret
efd9a422 313 sieve_enotify_mailto_owner passed to sieve_interpret
e4a89c47
PH		 314 sieve_useraddress passed to sieve_interpret
315 sieve_subaddress passed to sieve_interpret
059ec3d9
PH		 316 generated where to hang generated addresses
317 error for error messages
318 eblockp for details of skipped syntax errors
319 (NULL => no skip)
320 filtertype set to the filter type:
321 FILTER_FORWARD => a traditional .forward file
322 FILTER_EXIM => an Exim filter file
323 FILTER_SIEVE => a Sieve filter file
324 a system filter is always forced to be FILTER_EXIM
325
326Returns: a suitable return for rda_interpret()
327*/
328
329static int
330rda_extract(redirect_block *rdata, int options, uschar *include_directory,
efd9a422
MH		 331 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
332 uschar *sieve_useraddress, uschar *sieve_subaddress,
333 address_item **generated, uschar **error, error_block **eblockp,
334 int *filtertype)
059ec3d9
PH		 335{
336uschar *data;
337
338if (rdata->isfile)
339 {
91ecef39 340 int yield = 0;
f5bf7636
JH		 341 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
342 return yield;
059ec3d9
PH		 343 }
344else data = rdata->string;
345
8768d548 346*filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
059ec3d9
PH		 347
348/* Filter interpretation is done by a general function that is also called from
349the filter testing option (-bf). There are two versions: one for Exim filtering
350and one for Sieve filtering. Several features of string expansion may be locked
351out at sites that don't trust users. This is done by setting flags in
352expand_forbid that the expander inspects. */
353
354if (*filtertype != FILTER_FORWARD)
355 {
356 int frc;
357 int old_expand_forbid = expand_forbid;
358
23c7ff99 359 DEBUG(D_route) debug_printf("data is %s filter program\n",
f3ebb786 360 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
23c7ff99
PH		 361
362 /* RDO_FILTER is an "allow" bit */
8e669ac1 363
059ec3d9
PH		 364 if ((options & RDO_FILTER) == 0)
365 {
366 *error = US"filtering not enabled";
367 return FF_ERROR;
368 }
369
059ec3d9 370 expand_forbid =
f3ebb786 371 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
8e669ac1 372
23c7ff99 373 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
8e669ac1 374
23c7ff99
PH		 375 if (*filtertype == FILTER_EXIM)
376 {
377 if ((options & RDO_EXIM_FILTER) != 0)
378 {
379 *error = US"Exim filtering not enabled";
380 return FF_ERROR;
8e669ac1 381 }
23c7ff99 382 frc = filter_interpret(data, options, generated, error);
8e669ac1 383 }
23c7ff99
PH		 384 else
385 {
386 if ((options & RDO_SIEVE_FILTER) != 0)
387 {
388 *error = US"Sieve filtering not enabled";
389 return FF_ERROR;
390 }
e4a89c47 391 frc = sieve_interpret(data, options, sieve_vacation_directory,
efd9a422
MH		 392 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
393 generated, error);
8e669ac1 394 }
059ec3d9
PH		 395
396 expand_forbid = old_expand_forbid;
397 return frc;
398 }
399
400/* Not a filter script */
401
402DEBUG(D_route) debug_printf("file is not a filter file\n");
403
404return parse_forward_list(data,
405 options, /* specials that are allowed */
406 generated, /* where to hang them */
407 error, /* for errors */
408 deliver_domain, /* to qualify \name */
409 include_directory, /* restrain to directory */
410 eblockp); /* for skipped syntax errors */
411}
412
413
414
415
416/*************************************************
417* Write string down pipe *
418*************************************************/
419
1ac6b2e7 420/* This function is used for transferring a string down a pipe between
059ec3d9
PH		 421processes. If the pointer is NULL, a length of zero is written.
422
423Arguments:
424 fd the pipe
425 s the string
426
1ac6b2e7 427Returns: -1 on error, else 0
059ec3d9
PH		 428*/
429
1ac6b2e7 430static int
55414b25 431rda_write_string(int fd, const uschar *s)
059ec3d9 432{
847a015a
JH		 433int len = (s == NULL)? 0 : Ustrlen(s) + 1;
434return ( write(fd, &len, sizeof(int)) != sizeof(int)
435 || (s != NULL && write(fd, s, len) != len)
1ac6b2e7
JH		 436 )
437 ? -1 : 0;
059ec3d9
PH		 438}
439
440
441
442/*************************************************
443* Read string from pipe *
444*************************************************/
445
446/* This function is used for receiving a string from a pipe.
447
448Arguments:
449 fd the pipe
450 sp where to put the string
451
452Returns: FALSE if data missing
453*/
454
455static BOOL
456rda_read_string(int fd, uschar **sp)
457{
458int len;
459
847a015a 460if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
d88f0784
JH		 461if (len == 0)
462 *sp = NULL;
463else
464 /* We know we have enough memory so disable the error on "len" */
465 /* coverity[tainted_data] */
f3ebb786 466 /* We trust the data source, so untainted */
847a015a 467 if (read(fd, *sp = store_get(len, FALSE), len) != len) return FALSE;
059ec3d9
PH		 468return TRUE;
469}
470
471
472
473/*************************************************
474* Interpret forward list or filter *
475*************************************************/
476
477/* This function is passed a forward list string (unexpanded) or the name of a
478file (unexpanded) whose contents are the forwarding list. The list may in fact
479be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
aded2255 480types of filter, with different initial tag strings, may be introduced in due
059ec3d9
PH		 481course.
482
483The job of the function is to process the forwarding list or filter. It is
484pulled out into this separate function, because it is used for system filter
485files as well as from the redirect router.
486
487If the function is given a uid/gid, it runs a subprocess that passes the
488results back via a pipe. This provides security for things like :include:s in
489users' .forward files, and "logwrite" calls in users' filter files. A
490sub-process is NOT used when:
491
492 . No uid/gid is provided
493 . The input is a string which is not a filter string, and does not contain
494 :include:
495 . The input is a file whose non-existence can be detected in the main
496 process (which is usually running as root).
497
498Arguments:
499 rdata redirect data (file + constraints, or data string)
500 options options to pass to the extraction functions,
501 plus ENOTDIR and EACCES handling bits
502 include_directory restrain :include: to this directory
efd9a422
MH		 503 sieve_vacation_directory directory passed to sieve_interpret
504 sieve_enotify_mailto_owner passed to sieve_interpret
e4a89c47
PH		 505 sieve_useraddress passed to sieve_interpret
506 sieve_subaddress passed to sieve_interpret
059ec3d9
PH		 507 ugid uid/gid to run under - if NULL, no change
508 generated where to hang generated addresses, initially NULL
509 error pointer for error message
510 eblockp for skipped syntax errors; NULL if no skipping
511 filtertype set to the type of file:
512 FILTER_FORWARD => traditional .forward file
513 FILTER_EXIM => an Exim filter file
514 FILTER_SIEVE => a Sieve filter file
515 a system filter is always forced to be FILTER_EXIM
516 rname router name for error messages in the format
517 "xxx router" or "system filter"
518
519Returns: values from extraction function, or FF_NONEXIST:
520 FF_DELIVERED success, a significant action was taken
521 FF_NOTDELIVERED success, no significant action
522 FF_BLACKHOLE :blackhole:
523 FF_DEFER defer requested
524 FF_FAIL fail requested
525 FF_INCLUDEFAIL some problem with :include:
526 FF_FREEZE freeze requested
527 FF_ERROR there was a problem
528 FF_NONEXIST the file does not exist
529*/
530
531int
532rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
efd9a422
MH		 533 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
534 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
535 address_item **generated, uschar **error, error_block **eblockp,
536 int *filtertype, uschar *rname)
059ec3d9
PH		 537{
538int fd, rc, pfd[2];
539int yield, status;
540BOOL had_disaster = FALSE;
541pid_t pid;
542uschar *data;
543uschar *readerror = US"";
544void (*oldsignal)(int);
545
f3ebb786
JH		 546DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
547 rdata->isfile ? "file" : "string", string_printing(rdata->string));
059ec3d9
PH		 548
549/* Do the expansions of the file name or data first, while still privileged. */
550
f3ebb786 551if (!(data = expand_string(rdata->string)))
059ec3d9 552 {
8768d548 553 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
059ec3d9
PH		 554 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
555 expand_string_message);
556 return FF_ERROR;
557 }
558rdata->string = data;
559
0d2e392e
JH		 560DEBUG(D_route)
561 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
059ec3d9
PH		 562
563if (rdata->isfile && data[0] != '/')
564 {
565 *error = string_sprintf("\"%s\" is not an absolute path", data);
566 return FF_ERROR;
567 }
568
569/* If no uid/gid are supplied, or if we have a data string which does not start
570with #Exim filter or #Sieve filter, and does not contain :include:, do all the
571work in this process. Note that for a system filter, we always have a file, so
572the work is done in this process only if no user is supplied. */
573
574if (!ugid->uid_set || /* Either there's no uid, or */
575 (!rdata->isfile && /* We've got the data, and */
576 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
577 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
578 {
579 return rda_extract(rdata, options, include_directory,
efd9a422
MH		 580 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
581 sieve_subaddress, generated, error, eblockp, filtertype);
059ec3d9
PH		 582 }
583
584/* We need to run the processing code in a sub-process. However, if we can
585determine the non-existence of a file first, we can decline without having to
586create the sub-process. */
587
588if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
589 return FF_NONEXIST;
590
591/* If the file does exist, or we can't tell (non-root mounted NFS directory)
592we have to create the subprocess to do everything as the given user. The
593results of processing are passed back via a pipe. */
594
595if (pipe(pfd) != 0)
596 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
597 ":include: failed for %s: %s", rname, strerror(errno));
598
599/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
600process can be waited for. We sometimes get here with it set otherwise. Save
af46795e
PH		 601the old state for resetting on the wait. Ensure that all cached resources are
602freed so that the subprocess starts with a clean slate and doesn't interfere
603with the parent process. */
059ec3d9
PH		 604
605oldsignal = signal(SIGCHLD, SIG_DFL);
af46795e
PH		 606search_tidyup();
607
059ec3d9
PH		 608if ((pid = fork()) == 0)
609 {
610 header_line *waslast = header_last; /* Save last header */
611
612 fd = pfd[pipe_write];
f1e894f3 613 (void)close(pfd[pipe_read]);
059ec3d9
PH		 614 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
615
616 /* Addresses can get rewritten in filters; if we are not root or the exim
617 user (and we probably are not), turn off rewrite logging, because we cannot
618 write to the log now. */
619
620 if (ugid->uid != root_uid && ugid->uid != exim_uid)
621 {
622 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
623 "root or exim in this process)\n");
6c6d6e48 624 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
059ec3d9
PH		 625 }
626
627 /* Now do the business */
628
629 yield = rda_extract(rdata, options, include_directory,
efd9a422
MH		 630 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
631 sieve_subaddress, generated, error, eblockp, filtertype);
059ec3d9
PH		 632
633 /* Pass back whether it was a filter, and the return code and any overall
634 error text via the pipe. */
635
847a015a
JH		 636 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
637 || write(fd, &yield, sizeof(int)) != sizeof(int)
1ac6b2e7
JH		 638 || rda_write_string(fd, *error) != 0
639 )
640 goto bad;
059ec3d9
PH		 641
642 /* Pass back the contents of any syntax error blocks if we have a pointer */
643
d7978c0f 644 if (eblockp)
059ec3d9 645 {
d7978c0f 646 for (error_block * ep = *eblockp; ep; ep = ep->next)
1ac6b2e7
JH		 647 if ( rda_write_string(fd, ep->text1) != 0
648 || rda_write_string(fd, ep->text2) != 0
649 )
650 goto bad;
651 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
652 goto bad;
059ec3d9
PH		 653 }
654
655 /* If this is a system filter, we have to pass back the numbers of any
656 original header lines that were removed, and then any header lines that were
657 added but not subsequently removed. */
658
8768d548 659 if (f.system_filtering)
059ec3d9
PH		 660 {
661 int i = 0;
d7978c0f 662 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
1ac6b2e7 663 if ( h->type == htype_old
847a015a 664 && write(fd, &i, sizeof(i)) != sizeof(i)
1ac6b2e7
JH		 665 )
666 goto bad;
667
059ec3d9 668 i = -1;
847a015a 669 if (write(fd, &i, sizeof(i)) != sizeof(i))
1ac6b2e7 670 goto bad;
059ec3d9
PH		 671
672 while (waslast != header_last)
673 {
674 waslast = waslast->next;
675 if (waslast->type != htype_old)
1ac6b2e7 676 if ( rda_write_string(fd, waslast->text) != 0
847a015a 677 || write(fd, &(waslast->type), sizeof(waslast->type))
1ac6b2e7
JH		 678 != sizeof(waslast->type)
679 )
680 goto bad;
059ec3d9 681 }
1ac6b2e7
JH		 682 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
683 goto bad;
059ec3d9
PH		 684 }
685
686 /* Write the contents of the $n variables */
687
847a015a 688 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
1ac6b2e7 689 goto bad;
059ec3d9
PH		 690
691 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
692 addresses, and their associated information, through the pipe. This is
693 just tedious, but it seems to be the only safe way. We do this also for
694 FAIL and FREEZE, because a filter is allowed to set up deliveries that
695 are honoured before freezing or failing. */
696
697 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
698 yield == FF_FAIL || yield == FF_FREEZE)
699 {
d7978c0f 700 for (address_item * addr = *generated; addr; addr = addr->next)
059ec3d9
PH		 701 {
702 int reply_options = 0;
25beaee4 703 int ig_err = addr->prop.ignore_error ? 1 : 0;
059ec3d9 704
1ac6b2e7 705 if ( rda_write_string(fd, addr->address) != 0
847a015a
JH		 706 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
707 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
d43cbe25 708 || rda_write_string(fd, addr->prop.errors_address) != 0
847a015a 709 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
1ac6b2e7
JH		 710 )
711 goto bad;
059ec3d9 712
7eb0e5d2 713 if (addr->pipe_expandn)
d7978c0f 714 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
1ac6b2e7
JH		 715 if (rda_write_string(fd, *pp) != 0)
716 goto bad;
1ac6b2e7
JH		 717 if (rda_write_string(fd, NULL) != 0)
718 goto bad;
059ec3d9 719
7eb0e5d2 720 if (!addr->reply)
1ac6b2e7 721 {
847a015a 722 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
1ac6b2e7
JH		 723 goto bad;
724 }
059ec3d9
PH		 725 else
726 {
727 reply_options |= REPLY_EXISTS;
728 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
729 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
847a015a
JH		 730 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
731 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
1ac6b2e7 732 != sizeof(int)
847a015a 733 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
1ac6b2e7
JH		 734 != sizeof(time_t)
735 || rda_write_string(fd, addr->reply->to) != 0
736 || rda_write_string(fd, addr->reply->cc) != 0
737 || rda_write_string(fd, addr->reply->bcc) != 0
738 || rda_write_string(fd, addr->reply->from) != 0
739 || rda_write_string(fd, addr->reply->reply_to) != 0
740 || rda_write_string(fd, addr->reply->subject) != 0
741 || rda_write_string(fd, addr->reply->headers) != 0
742 || rda_write_string(fd, addr->reply->text) != 0
743 || rda_write_string(fd, addr->reply->file) != 0
744 || rda_write_string(fd, addr->reply->logfile) != 0
745 || rda_write_string(fd, addr->reply->oncelog) != 0
746 )
747 goto bad;
059ec3d9
PH		 748 }
749 }
750
1ac6b2e7
JH		 751 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
752 goto bad;
059ec3d9
PH		 753 }
754
af46795e
PH		 755 /* OK, this process is now done. Free any cached resources. Must use _exit()
756 and not exit() !! */
059ec3d9 757
1ac6b2e7 758out:
f1e894f3 759 (void)close(fd);
af46795e 760 search_tidyup();
f3ebb786 761 exim_underbar_exit(0);
1ac6b2e7
JH		 762
763bad:
764 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
765 goto out;
059ec3d9
PH		 766 }
767
768/* Back in the main process: panic if the fork did not succeed. */
769
770if (pid < 0)
771 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
772
773/* Read the pipe to get the data from the filter/forward. Our copy of the
774writing end must be closed first, as otherwise read() won't return zero on an
775empty pipe. Afterwards, close the reading end. */
776
f1e894f3 777(void)close(pfd[pipe_write]);
059ec3d9
PH		 778
779/* Read initial data, including yield and contents of *error */
780
781fd = pfd[pipe_read];
847a015a
JH		 782if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
783 read(fd, &yield, sizeof(int)) != sizeof(int) ||
059ec3d9
PH		 784 !rda_read_string(fd, error)) goto DISASTER;
785
059ec3d9
PH		 786/* Read the contents of any syntax error blocks if we have a pointer */
787
8cfd0f7b 788if (eblockp)
059ec3d9 789 {
059ec3d9 790 error_block *e;
d7978c0f 791 for (error_block ** p = eblockp; ; p = &e->next)
059ec3d9 792 {
8cfd0f7b 793 uschar *s;
059ec3d9 794 if (!rda_read_string(fd, &s)) goto DISASTER;
8cfd0f7b 795 if (!s) break;
f3ebb786 796 e = store_get(sizeof(error_block), FALSE);
059ec3d9
PH		 797 e->next = NULL;
798 e->text1 = s;
799 if (!rda_read_string(fd, &s)) goto DISASTER;
800 e->text2 = s;
801 *p = e;
059ec3d9
PH		 802 }
803 }
804
805/* If this is a system filter, read the identify of any original header lines
806that were removed, and then read data for any new ones that were added. */
807
8768d548 808if (f.system_filtering)
059ec3d9
PH		 809 {
810 int hn = 0;
811 header_line *h = header_list;
812
813 for (;;)
814 {
815 int n;
847a015a 816 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
059ec3d9
PH		 817 if (n < 0) break;
818 while (hn < n)
819 {
820 hn++;
8cfd0f7b 821 if (!(h = h->next)) goto DISASTER_NO_HEADER;
059ec3d9
PH		 822 }
823 h->type = htype_old;
824 }
825
826 for (;;)
827 {
828 uschar *s;
829 int type;
830 if (!rda_read_string(fd, &s)) goto DISASTER;
8cfd0f7b 831 if (!s) break;
847a015a 832 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
059ec3d9
PH		 833 header_add(type, "%s", s);
834 }
835 }
836
837/* Read the values of the $n variables */
838
847a015a 839if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
059ec3d9
PH		 840
841/* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
842addresses and data to go with them. Keep them in the same order in the
843generated chain. */
844
845if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
846 yield == FF_FAIL || yield == FF_FREEZE)
847 {
848 address_item **nextp = generated;
849
850 for (;;)
851 {
852 int i, reply_options;
853 address_item *addr;
854 uschar *recipient;
855 uschar *expandn[EXPAND_MAXN + 2];
856
857 /* First string is the address; NULL => end of addresses */
858
859 if (!rda_read_string(fd, &recipient)) goto DISASTER;
f3ebb786 860 if (!recipient) break;
059ec3d9
PH		 861
862 /* Hang on the end of the chain */
863
864 addr = deliver_make_addr(recipient, FALSE);
865 *nextp = addr;
866 nextp = &(addr->next);
867
868 /* Next comes the mode and the flags fields */
869
847a015a
JH		 870 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
871 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
25beaee4 872 || !rda_read_string(fd, &addr->prop.errors_address)
847a015a 873 || read(fd, &i, sizeof(i)) != sizeof(i)
25beaee4
MK		 874 )
875 goto DISASTER;
876 addr->prop.ignore_error = (i != 0);
059ec3d9
PH		 877
878 /* Next comes a possible setting for $thisaddress and any numerical
879 variables for pipe expansion, terminated by a NULL string. The maximum
880 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
881 into the zeroth item in the vector - this is sorted out inside the pipe
882 transport. */
883
884 for (i = 0; i < EXPAND_MAXN + 1; i++)
885 {
886 uschar *temp;
887 if (!rda_read_string(fd, &temp)) goto DISASTER;
888 if (i == 0) filter_thisaddress = temp; /* Just in case */
889 expandn[i] = temp;
890 if (temp == NULL) break;
891 }
892
893 if (i > 0)
894 {
f3ebb786 895 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), FALSE);
059ec3d9
PH		 896 addr->pipe_expandn[i] = NULL;
897 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
898 }
899
900 /* Then an int containing reply options; zero => no reply data. */
901
847a015a 902 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
059ec3d9
PH		 903 if ((reply_options & REPLY_EXISTS) != 0)
904 {
f3ebb786 905 addr->reply = store_get(sizeof(reply_item), FALSE);
059ec3d9
PH		 906
907 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
908 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
909
847a015a 910 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
059ec3d9 911 sizeof(int) ||
847a015a 912 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
059ec3d9
PH		 913 sizeof(time_t) ||
914 !rda_read_string(fd, &(addr->reply->to)) ||
915 !rda_read_string(fd, &(addr->reply->cc)) ||
916 !rda_read_string(fd, &(addr->reply->bcc)) ||
917 !rda_read_string(fd, &(addr->reply->from)) ||
918 !rda_read_string(fd, &(addr->reply->reply_to)) ||
919 !rda_read_string(fd, &(addr->reply->subject)) ||
920 !rda_read_string(fd, &(addr->reply->headers)) ||
921 !rda_read_string(fd, &(addr->reply->text)) ||
922 !rda_read_string(fd, &(addr->reply->file)) ||
923 !rda_read_string(fd, &(addr->reply->logfile)) ||
924 !rda_read_string(fd, &(addr->reply->oncelog)))
925 goto DISASTER;
926 }
927 }
928 }
929
930/* All data has been transferred from the sub-process. Reap it, close the
931reading end of the pipe, and we are done. */
932
933WAIT_EXIT:
934while ((rc = wait(&status)) != pid)
935 {
936 if (rc < 0 && errno == ECHILD) /* Process has vanished */
937 {
938 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
939 goto FINAL_EXIT;
940 }
941 }
942
1921d2ea
PH		 943DEBUG(D_route)
944 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
945
059ec3d9
PH		 946if (had_disaster)
947 {
948 *error = string_sprintf("internal problem in %s: failure to transfer "
949 "data from subprocess: status=%04x%s%s%s", rname,
950 status, readerror,
951 (*error == NULL)? US"" : US": error=",
952 (*error == NULL)? US"" : *error);
953 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
954 }
955else if (status != 0)
956 {
957 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
958 "%04x from redirect subprocess (but data correctly received)", rname,
959 status);
960 }
961
962FINAL_EXIT:
f1e894f3 963(void)close(fd);
059ec3d9
PH		 964signal(SIGCHLD, oldsignal); /* restore */
965return yield;
966
967
968/* Come here if the data indicates removal of a header that we can't find */
969
970DISASTER_NO_HEADER:
971readerror = US" readerror=bad header identifier";
972had_disaster = TRUE;
973yield = FF_ERROR;
974goto WAIT_EXIT;
975
976/* Come here is there's a shambles in transferring the data over the pipe. The
977value of errno should still be set. */
978
979DISASTER:
980readerror = string_sprintf(" readerror='%s'", strerror(errno));
981had_disaster = TRUE;
982yield = FF_ERROR;
983goto WAIT_EXIT;
984}
985
986/* End of rda.c */
Unnamed repository; edit this file 'description' to name the repository.