projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Docs: clean for next release
[exim.git] / src / src / spool_in.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions for reading spool files. When compiling for a utility (eximon),
9not all are needed, and some functionality can be cut out. */
10
11
12#include "exim.h"
13
14
15
16#ifndef COMPILE_UTILITY
17/*************************************************
18* Open and lock data file *
19*************************************************/
20
21/* The data file is the one that is used for locking, because the header file
22can get replaced during delivery because of header rewriting. The file has
23to opened with write access so that we can get an exclusive lock, but in
24fact it won't be written to. Just in case there's a major disaster (e.g.
25overwriting some other file descriptor with the value of this one), open it
26with append.
27
92b0827a
JH		 28As called by deliver_message() (at least) we are operating as root.
29
059ec3d9 30Argument: the id of the message
789f8a4f 31Returns: fd if file successfully opened and locked, else -1
059ec3d9 32
789f8a4f 33Side effect: message_subdir is set for the (possibly split) spool directory
059ec3d9
PH		 34*/
35
789f8a4f 36int
059ec3d9
PH		 37spool_open_datafile(uschar *id)
38{
39int i;
40struct stat statbuf;
41flock_t lock_data;
789f8a4f 42int fd;
059ec3d9
PH		 43
44/* If split_spool_directory is set, first look for the file in the appropriate
45sub-directory of the input directory. If it is not found there, try the input
46directory itself, to pick up leftovers from before the splitting. If split_
47spool_directory is not set, first look in the main input directory. If it is
48not found there, try the split sub-directory, in case it is left over from a
49splitting state. */
50
51for (i = 0; i < 2; i++)
52 {
41313d92 53 uschar * fname;
059ec3d9 54 int save_errno;
9befa1ca 55
4dc2379a 56 message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
41313d92
JH		 57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
a2da3176 59
92b0827a
JH		 60 if ((fd = Uopen(fname,
61#ifdef O_CLOEXEC
62 O_CLOEXEC |
63#endif
64 O_RDWR | O_APPEND, 0)) >= 0)
789f8a4f 65 break;
059ec3d9
PH		 66 save_errno = errno;
67 if (errno == ENOENT)
68 {
69 if (i == 0) continue;
70 if (!queue_running)
9befa1ca 71 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
12cf7615
JH		 72 *queue_name ? US" Q=" : US"",
73 *queue_name ? queue_name : US"",
9befa1ca 74 id);
059ec3d9 75 }
9befa1ca
JH		 76 else
77 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
059ec3d9 78 errno = save_errno;
789f8a4f 79 return -1;
059ec3d9
PH		 80 }
81
82/* File is open and message_subdir is set. Set the close-on-exec flag, and lock
83the file. We lock only the first line of the file (containing the message ID)
84because this apparently is needed for running Exim under Cygwin. If the entire
85file is locked in one process, a sub-process cannot access it, even when passed
86an open file descriptor (at least, I think that's the Cygwin story). On real
87Unix systems it doesn't make any difference as long as Exim is consistent in
88what it locks. */
89
92b0827a
JH		 90#ifndef O_CLOEXEC
91(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
92#endif
059ec3d9
PH		 93
94lock_data.l_type = F_WRLCK;
95lock_data.l_whence = SEEK_SET;
96lock_data.l_start = 0;
97lock_data.l_len = SPOOL_DATA_START_OFFSET;
98
789f8a4f 99if (fcntl(fd, F_SETLK, &lock_data) < 0)
059ec3d9
PH		 100 {
101 log_write(L_skip_delivery,
102 LOG_MAIN,
103 "Spool file is locked (another process is handling this message)");
789f8a4f 104 (void)close(fd);
059ec3d9 105 errno = 0;
789f8a4f 106 return -1;
059ec3d9
PH		 107 }
108
109/* Get the size of the data; don't include the leading filename line
110in the count, but add one for the newline before the data. */
111
789f8a4f 112if (fstat(fd, &statbuf) == 0)
059ec3d9
PH		 113 {
114 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
115 message_size = message_body_size + 1;
116 }
117
789f8a4f 118return fd;
059ec3d9
PH		 119}
120#endif /* COMPILE_UTILITY */
121
122
123
124/*************************************************
125* Read non-recipients tree from spool file *
126*************************************************/
127
128/* The tree of non-recipients is written to the spool file in a form that
129makes it easy to read back into a tree. The format is as follows:
130
131 . Each node is preceded by two letter(Y/N) indicating whether it has left
132 or right children. There's one space after the two flags, before the name.
133
134 . The left subtree (if any) then follows, then the right subtree (if any).
135
136This function is entered with the next input line in the buffer. Note we must
137save the right flag before recursing with the same buffer.
138
139Once the tree is read, we re-construct the balance fields by scanning the tree.
140I forgot to write them out originally, and the compatible fix is to do it this
141way. This initial local recursing function does the necessary.
142
143Arguments:
144 node tree node
145
146Returns: maximum depth below the node, including the node itself
147*/
148
149static int
150count_below(tree_node *node)
151{
152int nleft, nright;
153if (node == NULL) return 0;
154nleft = count_below(node->left);
155nright = count_below(node->right);
156node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
157return 1 + ((nleft > nright)? nleft : nright);
158}
159
160/* This is the real function...
161
162Arguments:
163 connect pointer to the root of the tree
164 f FILE to read data from
165 buffer contains next input line; further lines read into it
166 buffer_size size of the buffer
167
168Returns: FALSE on format error
169*/
170
171static BOOL
172read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
173 int buffer_size)
174{
175tree_node *node;
176int n = Ustrlen(buffer);
177BOOL right = buffer[1] == 'Y';
178
179if (n < 5) return FALSE; /* malformed line */
180buffer[n-1] = 0; /* Remove \n */
181node = store_get(sizeof(tree_node) + n - 3);
182*connect = node;
183Ustrcpy(node->name, buffer + 3);
184node->data.ptr = NULL;
185
186if (buffer[0] == 'Y')
187 {
188 if (Ufgets(buffer, buffer_size, f) == NULL ||
189 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
190 return FALSE;
191 }
192else node->left = NULL;
193
194if (right)
195 {
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
198 return FALSE;
199 }
200else node->right = NULL;
201
202(void) count_below(*connect);
203return TRUE;
204}
205
206
207
208
059ec3d9
PH		 209/* Reset all the global variables to their default values. However, there is
210one exception. DO NOT change the default value of dont_deliver, because it may
211be forced by an external setting. */
212
4b4856ff
JH		 213void
214spool_clear_header_globals(void)
215{
38a0a95f 216acl_var_c = acl_var_m = NULL;
059ec3d9
PH		 217authenticated_id = NULL;
218authenticated_sender = NULL;
219allow_unqualified_recipient = FALSE;
220allow_unqualified_sender = FALSE;
221body_linecount = 0;
222body_zerocount = 0;
223deliver_firsttime = FALSE;
224deliver_freeze = FALSE;
225deliver_frozen_at = 0;
226deliver_manual_thaw = FALSE;
227/* dont_deliver must NOT be reset */
228header_list = header_last = NULL;
b08b24c8 229host_lookup_deferred = FALSE;
059ec3d9
PH		 230host_lookup_failed = FALSE;
231interface_address = NULL;
232interface_port = 0;
233local_error_message = FALSE;
234local_scan_data = NULL;
d677b2f2 235max_received_linelength = 0;
059ec3d9
PH		 236message_linecount = 0;
237received_protocol = NULL;
238received_count = 0;
239recipients_list = NULL;
240sender_address = NULL;
241sender_fullhost = NULL;
242sender_helo_name = NULL;
243sender_host_address = NULL;
244sender_host_name = NULL;
245sender_host_port = 0;
246sender_host_authenticated = NULL;
247sender_ident = NULL;
248sender_local = FALSE;
249sender_set_untrusted = FALSE;
1f5b4c3d 250smtp_active_hostname = primary_hostname;
328c5688
JH		 251#ifndef COMPILE_UTILITY
252spool_file_wireformat = FALSE;
253#endif
059ec3d9
PH		 254tree_nonrecipients = NULL;
255
8523533c
TK		 256#ifdef EXPERIMENTAL_BRIGHTMAIL
257bmi_run = 0;
258bmi_verdicts = NULL;
259#endif
260
80a47a2c 261#ifndef DISABLE_DKIM
9e5d6b55 262dkim_signers = NULL;
80a47a2c
TK		 263dkim_disable_verify = FALSE;
264dkim_collect_input = FALSE;
f7572e5a
TK		 265#endif
266
059ec3d9 267#ifdef SUPPORT_TLS
817d9f57 268tls_in.certificate_verified = FALSE;
c0635b6d 269# ifdef SUPPORT_DANE
53a7196b
JH		 270tls_in.dane_verified = FALSE;
271# endif
817d9f57 272tls_in.cipher = NULL;
790fbb71
JH		 273# ifndef COMPILE_UTILITY /* tls support fns not built in */
274tls_free_cert(&tls_in.ourcert);
275tls_free_cert(&tls_in.peercert);
276# endif
817d9f57
JH		 277tls_in.peerdn = NULL;
278tls_in.sni = NULL;
44662487 279tls_in.ocsp = OCSP_NOT_REQ;
7be682ca 280#endif
059ec3d9 281
8523533c 282#ifdef WITH_CONTENT_SCAN
3481c572
JH		 283spam_bar = NULL;
284spam_score = NULL;
8523533c
TK		 285spam_score_int = NULL;
286#endif
287
8c5d388a 288#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
7ade712c 289message_smtputf8 = FALSE;
3c8b3577 290message_utf8_downconvert = 0;
7ade712c
JH		 291#endif
292
6c1c3d1d
WB		 293dsn_ret = 0;
294dsn_envid = NULL;
4b4856ff
JH		 295}
296
297
298/*************************************************
299* Read spool header file *
300*************************************************/
301
302/* This function reads a spool header file and places the data into the
303appropriate global variables. The header portion is always read, but header
304structures are built only if read_headers is set true. It isn't, for example,
305while generating -bp output.
306
307It may be possible for blocks of nulls (binary zeroes) to get written on the
308end of a file if there is a system crash during writing. It was observed on an
309earlier version of Exim that omitted to fsync() the files - this is thought to
310have been the cause of that incident, but in any case, this code must be robust
311against such an event, and if such a file is encountered, it must be treated as
312malformed.
313
314As called from deliver_message() (at least) we are running as root.
315
316Arguments:
317 name name of the header file, including the -H
318 read_headers TRUE if in-store header structures are to be built
319 subdir_set TRUE is message_subdir is already set
320
321Returns: spool_read_OK success
322 spool_read_notopen open failed
323 spool_read_enverror error in the envelope portion
324 spool_read_hdrerror error in the header portion
325*/
326
327int
328spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
329{
330FILE *f = NULL;
331int n;
332int rcount = 0;
333long int uid, gid;
334BOOL inheader = FALSE;
335uschar *p;
336
337/* Reset all the global variables to their default values. However, there is
338one exception. DO NOT change the default value of dont_deliver, because it may
339be forced by an external setting. */
340
341spool_clear_header_globals();
6c1c3d1d 342
059ec3d9
PH		 343/* Generate the full name and open the file. If message_subdir is already
344set, just look in the given directory. Otherwise, look in both the split
345and unsplit directories, as for the data file above. */
346
347for (n = 0; n < 2; n++)
348 {
349 if (!subdir_set)
a2da3176 350 message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
41313d92
JH		 351
352 if ((f = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
353 break;
354 if (n != 0 || subdir_set || errno != ENOENT)
355 return spool_read_notopen;
059ec3d9
PH		 356 }
357
358errno = 0;
359
360#ifndef COMPILE_UTILITY
361DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
362#endif /* COMPILE_UTILITY */
363
364/* The first line of a spool file contains the message id followed by -H (i.e.
365the file name), in order to make the file self-identifying. */
366
367if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
368if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
369 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
370 goto SPOOL_FORMAT_ERROR;
371
372/* The next three lines in the header file are in a fixed format. The first
373contains the login, uid, and gid of the user who caused the file to be written.
ebb6e6d5
PH		 374There are known cases where a negative gid is used, so we allow for both
375negative uids and gids. The second contains the mail address of the message's
376sender, enclosed in <>. The third contains the time the message was received,
377and the number of warning messages for delivery delays that have been sent. */
059ec3d9
PH		 378
379if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
380
1e70f85b
PH		 381p = big_buffer + Ustrlen(big_buffer);
382while (p > big_buffer && isspace(p[-1])) p--;
383*p = 0;
384if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
ebb6e6d5 385while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
1e70f85b
PH		 386gid = Uatoi(p);
387if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
388*p = 0;
389if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
ebb6e6d5 390while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
1e70f85b
PH		 391uid = Uatoi(p);
392if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
393*p = 0;
8e669ac1 394
1e70f85b 395originator_login = string_copy(big_buffer);
059ec3d9
PH		 396originator_uid = (uid_t)uid;
397originator_gid = (gid_t)gid;
398
e91ad4a7 399/* envelope from */
059ec3d9
PH		 400if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
401n = Ustrlen(big_buffer);
402if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
403 goto SPOOL_FORMAT_ERROR;
404
405sender_address = store_get(n-2);
406Ustrncpy(sender_address, big_buffer+1, n-3);
407sender_address[n-3] = 0;
408
e91ad4a7 409/* time */
059ec3d9 410if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
32dfdf8b 411if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
059ec3d9 412 goto SPOOL_FORMAT_ERROR;
32dfdf8b 413received_time.tv_usec = 0;
059ec3d9 414
32dfdf8b 415message_age = time(NULL) - received_time.tv_sec;
059ec3d9
PH		 416
417#ifndef COMPILE_UTILITY
418DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
419 originator_login, (long int)originator_uid, (long int)originator_gid,
420 sender_address);
421#endif /* COMPILE_UTILITY */
422
08955dd3
PH		 423/* Now there may be a number of optional lines, each starting with "-". If you
424add a new setting here, make sure you set the default above.
059ec3d9 425
08955dd3
PH		 426Because there are now quite a number of different possibilities, we use a
427switch on the first character to avoid too many failing tests. Thanks to Nico
428Erfurth for the patch that implemented this. I have made it even more efficient
429by not re-scanning the first two characters.
430
431To allow new versions of Exim that add additional flags to interwork with older
432versions that do not understand them, just ignore any lines starting with "-"
433that we don't recognize. Otherwise it wouldn't be possible to back off a new
434version that left new-style flags written on the spool. */
435
436p = big_buffer + 2;
059ec3d9
PH		 437for (;;)
438 {
e91ad4a7 439 int len;
059ec3d9
PH		 440 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
441 if (big_buffer[0] != '-') break;
e91ad4a7
JH		 442 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
443 && big_buffer[len-1] != '\n'
444 )
445 { /* buffer not big enough for line; certs make this possible */
446 uschar * buf;
447 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
448 buf = store_get_perm(big_buffer_size *= 2);
449 memcpy(buf, big_buffer, --len);
450 big_buffer = buf;
451 if (Ufgets(big_buffer+len, big_buffer_size-len, f) == NULL)
452 goto SPOOL_READ_ERROR;
453 }
454 big_buffer[len-1] = 0;
47ca6d6c 455
08955dd3 456 switch(big_buffer[1])
059ec3d9 457 {
08955dd3
PH		 458 case 'a':
459
460 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
461 variable, because Exim allows any number of them, with arbitrary names.
462 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
463 the c or m. */
464
465 if (Ustrncmp(p, "clc ", 4) == 0 ||
466 Ustrncmp(p, "clm ", 4) == 0)
467 {
468 uschar *name, *endptr;
469 int count;
470 tree_node *node;
471 endptr = Ustrchr(big_buffer + 6, ' ');
472 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
bb07bcd3
JH		 473 name = string_sprintf("%c%.*s", big_buffer[4],
474 (int)(endptr - big_buffer - 6), big_buffer + 6);
08955dd3
PH		 475 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
476 node = acl_var_create(name);
477 node->data.ptr = store_get(count + 1);
478 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
479 ((uschar*)node->data.ptr)[count] = 0;
480 }
481
482 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
483 allow_unqualified_recipient = TRUE;
484 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
485 allow_unqualified_sender = TRUE;
486
487 else if (Ustrncmp(p, "uth_id", 6) == 0)
488 authenticated_id = string_copy(big_buffer + 9);
489 else if (Ustrncmp(p, "uth_sender", 10) == 0)
490 authenticated_sender = string_copy(big_buffer + 13);
491 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
492 smtp_active_hostname = string_copy(big_buffer + 17);
493
494 /* For long-term backward compatibility, we recognize "-acl", which was
495 used before the number of ACL variables changed from 10 to 20. This was
496 before the subsequent change to an arbitrary number of named variables.
497 This code is retained so that upgrades from very old versions can still
498 handle old-format spool files. The value given after "-acl" is a number
499 that is 0-9 for connection variables, and 10-19 for message variables. */
500
501 else if (Ustrncmp(p, "cl ", 3) == 0)
502 {
4dc2379a
JH		 503 unsigned index, count;
504 uschar name[20]; /* Need plenty of space for %u format */
505 tree_node * node;
506 if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
806c3df9 507 || index >= 20
f267271d 508 || count > 16384 /* arbitrary limit on variable size */
806c3df9 509 )
08955dd3 510 goto SPOOL_FORMAT_ERROR;
8dce1a6f 511 if (index < 10)
4dc2379a 512 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
806c3df9 513 else
4dc2379a 514 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
08955dd3
PH		 515 node = acl_var_create(name);
516 node->data.ptr = store_get(count + 1);
f267271d
JH		 517 /* We sanity-checked the count, so disable the Coverity error */
518 /* coverity[tainted_data] */
08955dd3 519 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
4dc2379a 520 (US node->data.ptr)[count] = '\0';
08955dd3
PH		 521 }
522 break;
523
524 case 'b':
525 if (Ustrncmp(p, "ody_linecount", 13) == 0)
526 body_linecount = Uatoi(big_buffer + 15);
527 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
528 body_zerocount = Uatoi(big_buffer + 15);
e91ad4a7 529#ifdef EXPERIMENTAL_BRIGHTMAIL
08955dd3
PH		 530 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
531 bmi_verdicts = string_copy(big_buffer + 14);
e91ad4a7 532#endif
08955dd3
PH		 533 break;
534
535 case 'd':
536 if (Ustrcmp(p, "eliver_firsttime") == 0)
537 deliver_firsttime = TRUE;
6c1c3d1d
WB		 538 /* Check if the dsn flags have been set in the header file */
539 else if (Ustrncmp(p, "sn_ret", 6) == 0)
45500060 540 dsn_ret= atoi(CS big_buffer + 8);
6c1c3d1d 541 else if (Ustrncmp(p, "sn_envid", 8) == 0)
6c1c3d1d 542 dsn_envid = string_copy(big_buffer + 11);
08955dd3
PH		 543 break;
544
545 case 'f':
546 if (Ustrncmp(p, "rozen", 5) == 0)
547 {
548 deliver_freeze = TRUE;
dc8091e7
JH		 549 if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
550 goto SPOOL_READ_ERROR;
08955dd3
PH		 551 }
552 break;
553
554 case 'h':
555 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
556 host_lookup_deferred = TRUE;
557 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
558 host_lookup_failed = TRUE;
559 else if (Ustrncmp(p, "ost_auth", 8) == 0)
560 sender_host_authenticated = string_copy(big_buffer + 11);
561 else if (Ustrncmp(p, "ost_name", 8) == 0)
562 sender_host_name = string_copy(big_buffer + 11);
563 else if (Ustrncmp(p, "elo_name", 8) == 0)
564 sender_helo_name = string_copy(big_buffer + 11);
565
566 /* We now record the port number after the address, separated by a
567 dot. For compatibility during upgrading, do nothing if there
568 isn't a value (it gets left at zero). */
569
570 else if (Ustrncmp(p, "ost_address", 11) == 0)
571 {
572 sender_host_port = host_address_extract_port(big_buffer + 14);
573 sender_host_address = string_copy(big_buffer + 14);
574 }
575 break;
576
577 case 'i':
578 if (Ustrncmp(p, "nterface_address", 16) == 0)
579 {
580 interface_port = host_address_extract_port(big_buffer + 19);
581 interface_address = string_copy(big_buffer + 19);
582 }
583 else if (Ustrncmp(p, "dent", 4) == 0)
584 sender_ident = string_copy(big_buffer + 7);
585 break;
586
587 case 'l':
32dfdf8b
JH		 588 if (Ustrcmp(p, "ocal") == 0)
589 sender_local = TRUE;
08955dd3
PH		 590 else if (Ustrcmp(big_buffer, "-localerror") == 0)
591 local_error_message = TRUE;
592 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
593 local_scan_data = string_copy(big_buffer + 12);
594 break;
595
596 case 'm':
597 if (Ustrcmp(p, "anual_thaw") == 0) deliver_manual_thaw = TRUE;
d677b2f2
PH		 598 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
599 max_received_linelength = Uatoi(big_buffer + 24);
08955dd3
PH		 600 break;
601
602 case 'N':
603 if (*p == 0) dont_deliver = TRUE; /* -N */
604 break;
605
606 case 'r':
607 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
608 received_protocol = string_copy(big_buffer + 19);
32dfdf8b
JH		 609 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
610 {
611 unsigned usec;
612 if (sscanf(CS big_buffer + 21, "%u", &usec) == 1)
613 received_time.tv_usec = usec;
614 }
08955dd3
PH		 615 break;
616
617 case 's':
618 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
619 sender_set_untrusted = TRUE;
e91ad4a7 620#ifdef WITH_CONTENT_SCAN
3481c572
JH		 621 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
622 spam_bar = string_copy(big_buffer + 10);
623 else if (Ustrncmp(p, "pam_score ", 10) == 0)
624 spam_score = string_copy(big_buffer + 12);
08955dd3
PH		 625 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
626 spam_score_int = string_copy(big_buffer + 16);
e91ad4a7 627#endif
328c5688
JH		 628#ifndef COMPILE_UTILITY
629 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
630 spool_file_wireformat = TRUE;
631#endif
8c5d388a 632#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
7ade712c
JH		 633 else if (Ustrncmp(p, "mtputf8", 7) == 0)
634 message_smtputf8 = TRUE;
635#endif
08955dd3
PH		 636 break;
637
e91ad4a7 638#ifdef SUPPORT_TLS
08955dd3
PH		 639 case 't':
640 if (Ustrncmp(p, "ls_certificate_verified", 23) == 0)
817d9f57 641 tls_in.certificate_verified = TRUE;
08955dd3 642 else if (Ustrncmp(p, "ls_cipher", 9) == 0)
817d9f57 643 tls_in.cipher = string_copy(big_buffer + 12);
e91ad4a7 644# ifndef COMPILE_UTILITY /* tls support fns not built in */
9d1c15ef
JH		 645 else if (Ustrncmp(p, "ls_ourcert", 10) == 0)
646 (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
647 else if (Ustrncmp(p, "ls_peercert", 11) == 0)
648 (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
e91ad4a7 649# endif
08955dd3 650 else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
817d9f57 651 tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
7be682ca 652 else if (Ustrncmp(p, "ls_sni", 6) == 0)
817d9f57 653 tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
44662487
JH		 654 else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
655 tls_in.ocsp = big_buffer[10] - '0';
08955dd3 656 break;
e91ad4a7 657#endif
08955dd3 658
8c5d388a 659#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
3c8b3577
JH		 660 case 'u':
661 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
662 message_utf8_downconvert = 1;
0ec7e948 663 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
3c8b3577
JH		 664 message_utf8_downconvert = -1;
665 break;
666#endif
667
08955dd3
PH		 668 default: /* Present because some compilers complain if all */
669 break; /* possibilities are not covered. */
059ec3d9 670 }
059ec3d9
PH		 671 }
672
673/* Build sender_fullhost if required */
674
675#ifndef COMPILE_UTILITY
676host_build_sender_fullhost();
677#endif /* COMPILE_UTILITY */
678
679#ifndef COMPILE_UTILITY
680DEBUG(D_deliver)
681 debug_printf("sender_local=%d ident=%s\n", sender_local,
682 (sender_ident == NULL)? US"unset" : sender_ident);
683#endif /* COMPILE_UTILITY */
684
685/* We now have the tree of addresses NOT to deliver to, or a line
686containing "XX", indicating no tree. */
687
688if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
689 !read_nonrecipients_tree(&tree_nonrecipients, f, big_buffer, big_buffer_size))
690 goto SPOOL_FORMAT_ERROR;
691
692#ifndef COMPILE_UTILITY
693DEBUG(D_deliver)
694 {
695 debug_printf("Non-recipients:\n");
696 debug_print_tree(tree_nonrecipients);
697 }
698#endif /* COMPILE_UTILITY */
699
700/* After reading the tree, the next line has not yet been read into the
d88f0784
JH		 701buffer. It contains the count of recipients which follow on separate lines.
702Apply an arbitrary sanity check.*/
059ec3d9
PH		 703
704if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
d88f0784
JH		 705if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
706 goto SPOOL_FORMAT_ERROR;
059ec3d9
PH		 707
708#ifndef COMPILE_UTILITY
709DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
710#endif /* COMPILE_UTILITY */
711
712recipients_list_max = rcount;
713recipients_list = store_get(rcount * sizeof(recipient_item));
714
d88f0784
JH		 715/* We sanitised the count and know we have enough memory, so disable
716the Coverity error on recipients_count */
717/* coverity[tainted_data] */
718
059ec3d9
PH		 719for (recipients_count = 0; recipients_count < rcount; recipients_count++)
720 {
721 int nn;
722 int pno = -1;
6c1c3d1d
WB		 723 int dsn_flags = 0;
724 uschar *orcpt = NULL;
059ec3d9
PH		 725 uschar *errors_to = NULL;
726 uschar *p;
727
728 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
729 nn = Ustrlen(big_buffer);
730 if (nn < 2) goto SPOOL_FORMAT_ERROR;
731
732 /* Remove the newline; this terminates the address if there is no additional
733 data on the line. */
734
735 p = big_buffer + nn - 1;
736 *p-- = 0;
737
738 /* Look back from the end of the line for digits and special terminators.
739 Since an address must end with a domain, we can tell that extra data is
740 present by the presence of the terminator, which is always some character
741 that cannot exist in a domain. (If I'd thought of the need for additional
742 data early on, I'd have put it at the start, with the address at the end. As
743 it is, we have to operate backwards. Addresses are permitted to contain
744 spaces, you see.)
745
746 This code has to cope with various versions of this data that have evolved
747 over time. In all cases, the line might just contain an address, with no
748 additional data. Otherwise, the possibilities are as follows:
749
750 Exim 3 type: <address><space><digits>,<digits>,<digits>
751
752 The second set of digits is the parent number for one_time addresses. The
753 other values were remnants of earlier experiments that were abandoned.
754
755 Exim 4 first type: <address><space><digits>
756
757 The digits are the parent number for one_time addresses.
758
759 Exim 4 new type: <address><space><data>#<type bits>
760
761 The type bits indicate what the contents of the data are.
762
763 Bit 01 indicates that, reading from right to left, the data
764 ends with <errors_to address><space><len>,<pno> where pno is
765 the parent number for one_time addresses, and len is the length
766 of the errors_to address (zero meaning none).
6c1c3d1d
WB		 767
768 Bit 02 indicates that, again reading from right to left, the data continues
769 with orcpt len(orcpt),dsn_flags
059ec3d9
PH		 770 */
771
772 while (isdigit(*p)) p--;
773
774 /* Handle Exim 3 spool files */
775
776 if (*p == ',')
777 {
778 int dummy;
779 while (isdigit(*(--p)) || *p == ',');
780 if (*p == ' ')
781 {
782 *p++ = 0;
ff790e47 783 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
059ec3d9
PH		 784 }
785 }
786
787 /* Handle early Exim 4 spool files */
788
789 else if (*p == ' ')
790 {
791 *p++ = 0;
ff790e47 792 (void)sscanf(CS p, "%d", &pno);
059ec3d9
PH		 793 }
794
795 /* Handle current format Exim 4 spool files */
796
797 else if (*p == '#')
798 {
799 int flags;
6c1c3d1d 800
50dc7409 801#if !defined (COMPILE_UTILITY)
e91ad4a7
JH		 802 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
803#endif
6c1c3d1d 804
ff790e47 805 (void)sscanf(CS p+1, "%d", &flags);
059ec3d9
PH		 806
807 if ((flags & 0x01) != 0) /* one_time data exists */
808 {
809 int len;
810 while (isdigit(*(--p)) || *p == ',' || *p == '-');
ff790e47 811 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
059ec3d9
PH		 812 *p = 0;
813 if (len > 0)
814 {
815 p -= len;
816 errors_to = string_copy(p);
94431adb 817 }
6c1c3d1d
WB		 818 }
819
820 *(--p) = 0; /* Terminate address */
6c1c3d1d
WB		 821 if ((flags & 0x02) != 0) /* one_time data exists */
822 {
823 int len;
824 while (isdigit(*(--p)) || *p == ',' || *p == '-');
825 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
826 *p = 0;
827 if (len > 0)
828 {
829 p -= len;
830 orcpt = string_copy(p);
94431adb 831 }
059ec3d9
PH		 832 }
833
834 *(--p) = 0; /* Terminate address */
6c1c3d1d 835 }
50dc7409 836#if !defined(COMPILE_UTILITY)
6c1c3d1d 837 else
e91ad4a7 838 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
6c1c3d1d
WB		 839
840 if ((orcpt != NULL) || (dsn_flags != 0))
841 {
842 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
843 big_buffer, orcpt, dsn_flags);
844 }
845 if (errors_to != NULL)
846 {
847 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
848 big_buffer, errors_to);
059ec3d9 849 }
50dc7409 850#endif
059ec3d9
PH		 851
852 recipients_list[recipients_count].address = string_copy(big_buffer);
853 recipients_list[recipients_count].pno = pno;
854 recipients_list[recipients_count].errors_to = errors_to;
6c1c3d1d
WB		 855 recipients_list[recipients_count].orcpt = orcpt;
856 recipients_list[recipients_count].dsn_flags = dsn_flags;
059ec3d9
PH		 857 }
858
859/* The remainder of the spool header file contains the headers for the message,
860separated off from the previous data by a blank line. Each header is preceded
861by a count of its length and either a certain letter (for various identified
862headers), space (for a miscellaneous live header) or an asterisk (for a header
863that has been rewritten). Count the Received: headers. We read the headers
864always, in order to check on the format of the file, but only create a header
865list if requested to do so. */
866
867inheader = TRUE;
868if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
869if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
870
871while ((n = fgetc(f)) != EOF)
872 {
873 header_line *h;
874 uschar flag[4];
875 int i;
876
877 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
1ac6b2e7
JH		 878 if(ungetc(n, f) == EOF || fscanf(f, "%d%c ", &n, flag) == EOF)
879 goto SPOOL_READ_ERROR;
059ec3d9
PH		 880 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
881
882 if (read_headers)
883 {
884 h = store_get(sizeof(header_line));
885 h->next = NULL;
886 h->type = flag[0];
887 h->slen = n;
888 h->text = store_get(n+1);
889
890 if (h->type == htype_received) received_count++;
891
892 if (header_list == NULL) header_list = h;
893 else header_last->next = h;
894 header_last = h;
895
896 for (i = 0; i < n; i++)
897 {
898 int c = fgetc(f);
899 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
900 if (c == '\n' && h->type != htype_old) message_linecount++;
901 h->text[i] = c;
902 }
903 h->text[i] = 0;
904 }
905
906 /* Not requiring header data, just skip through the bytes */
907
908 else for (i = 0; i < n; i++)
909 {
910 int c = fgetc(f);
911 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
912 }
913 }
914
915/* We have successfully read the data in the header file. Update the message
916line count by adding the body linecount to the header linecount. Close the file
917and give a positive response. */
918
919#ifndef COMPILE_UTILITY
920DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
921 body_linecount, message_linecount);
922#endif /* COMPILE_UTILITY */
923
924message_linecount += body_linecount;
925
926fclose(f);
927return spool_read_OK;
928
929
930/* There was an error reading the spool or there was missing data,
931or there was a format error. A "read error" with no errno means an
932unexpected EOF, which we treat as a format error. */
933
934SPOOL_READ_ERROR:
935if (errno != 0)
936 {
937 n = errno;
938
e91ad4a7 939#ifndef COMPILE_UTILITY
059ec3d9 940 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
e91ad4a7 941#endif /* COMPILE_UTILITY */
059ec3d9
PH		 942
943 fclose(f);
944 errno = n;
945 return inheader? spool_read_hdrerror : spool_read_enverror;
946 }
947
948SPOOL_FORMAT_ERROR:
949
950#ifndef COMPILE_UTILITY
951DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
952#endif /* COMPILE_UTILITY */
953
954fclose(f);
955errno = ERRNO_SPOOLFORMAT;
956return inheader? spool_read_hdrerror : spool_read_enverror;
957}
958
9d1c15ef
JH		 959/* vi: aw ai sw=2
960*/
059ec3d9 961/* End of spool_in.c */
Unnamed repository; edit this file 'description' to name the repository.