projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Use C99 initialisations for iterators
[exim.git] / src / src / rda.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2018 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module contains code for extracting addresses from a forwarding list
9(from an alias or forward file) or by running the filter interpreter. It may do
10this in a sub-process if a uid/gid are supplied. */
11
12
13#include "exim.h"
14
15enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
16
17#define REPLY_EXISTS 0x01
18#define REPLY_EXPAND 0x02
19#define REPLY_RETURN 0x04
20
21
22/*************************************************
23* Check string for filter program *
24*************************************************/
25
26/* This function checks whether a string is actually a filter program. The rule
27is that it must start with "# Exim filter ..." (any capitalization, spaces
28optional). It is envisaged that in future, other kinds of filter may be
29implemented. That's why it is implemented the way it is. The function is global
30because it is also called from filter.c when checking filters.
31
32Argument: the string
33
34Returns: FILTER_EXIM if it starts with "# Exim filter"
35 FILTER_SIEVE if it starts with "# Sieve filter"
36 FILTER_FORWARD otherwise
37*/
38
39/* This is an auxiliary function for matching a tag. */
40
41static BOOL
42match_tag(const uschar *s, const uschar *tag)
43{
44for (; *tag != 0; s++, tag++)
45 if (*tag == ' ')
46 {
47 while (*s == ' ' || *s == '\t') s++;
48 s--;
49 }
50 else
51 if (tolower(*s) != tolower(*tag)) break;
52
53return (*tag == 0);
54}
55
56/* This is the real function. It should be easy to add checking different
57tags for other types of filter. */
58
59int
60rda_is_filter(const uschar *s)
61{
62while (isspace(*s)) s++; /* Skips initial blank lines */
63if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
64 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
65 else return FILTER_FORWARD;
66}
67
68
69
70
71/*************************************************
72* Check for existence of file *
73*************************************************/
74
75/* First of all, we stat the file. If this fails, we try to stat the enclosing
76directory, because a file in an unmounted NFS directory will look the same as a
77non-existent file. It seems that in Solaris 2.6, statting an entry in an
78indirect map that is currently unmounted does not cause the mount to happen.
79Instead, dummy data is returned, which defeats the whole point of this test.
80However, if a stat() is done on some object inside the directory, such as the
81"." back reference to itself, then the mount does occur. If an NFS host is
82taken offline, it is possible for the stat() to get stuck until it comes back.
83To guard against this, stick a timer round it. If we can't access the "."
84inside the directory, try the plain directory, just in case that helps.
85
86Argument:
87 filename the file name
88 error for message on error
89
90Returns: FILE_EXIST the file exists
91 FILE_NOT_EXIST the file does not exist
92 FILE_EXIST_UNCLEAR cannot determine existence
93*/
94
95static int
96rda_exists(uschar *filename, uschar **error)
97{
98int rc, saved_errno;
99uschar *slash;
100struct stat statbuf;
101
102if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
103saved_errno = errno;
104
105Ustrncpy(big_buffer, filename, big_buffer_size - 3);
106sigalrm_seen = FALSE;
107
108if (saved_errno == ENOENT)
109 {
110 slash = Ustrrchr(big_buffer, '/');
111 Ustrcpy(slash+1, ".");
112
113 ALARM(30);
114 rc = Ustat(big_buffer, &statbuf);
115 if (rc != 0 && errno == EACCES && !sigalrm_seen)
116 {
117 *slash = 0;
118 rc = Ustat(big_buffer, &statbuf);
119 }
120 saved_errno = errno;
121 ALARM_CLR(0);
122
123 DEBUG(D_route) debug_printf("stat(%s)=%d\n", big_buffer, rc);
124 }
125
126if (sigalrm_seen || rc != 0)
127 {
128 *error = string_sprintf("failed to stat %s (%s)", big_buffer,
129 sigalrm_seen? "timeout" : strerror(saved_errno));
130 return FILE_EXIST_UNCLEAR;
131 }
132
133*error = string_sprintf("%s does not exist", filename);
134DEBUG(D_route) debug_printf("%s\n", *error);
135return FILE_NOT_EXIST;
136}
137
138
139
140/*************************************************
141* Get forwarding list from a file *
142*************************************************/
143
144/* Open a file and read its entire contents into a block of memory. Certain
145opening errors are optionally treated the same as "file does not exist".
146
147ENOTDIR means that something along the line is not a directory: there are
148installations that set home directories to be /dev/null for non-login accounts
149but in normal circumstances this indicates some kind of configuration error.
150
151EACCES means there's a permissions failure. Some users turn off read permission
152on a .forward file to suspend forwarding, but this is probably an error in any
153kind of mailing list processing.
154
155The redirect block that contains the file name also contains constraints such
156as who may own the file, and mode bits that must not be set. This function is
157
158Arguments:
159 rdata rdirect block, containing file name and constraints
160 options for the RDO_ENOTDIR and RDO_EACCES options
161 error where to put an error message
162 yield what to return from rda_interpret on error
163
164Returns: pointer to string in store; NULL on error
165*/
166
167static uschar *
168rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
169 int *yield)
170{
171FILE *fwd;
172uschar *filebuf;
173uschar *filename = rdata->string;
174BOOL uid_ok = !rdata->check_owner;
175BOOL gid_ok = !rdata->check_group;
176struct stat statbuf;
177
178/* Attempt to open the file. If it appears not to exist, check up on the
179containing directory by statting it. If the directory does not exist, we treat
180this situation as an error (which will cause delivery to defer); otherwise we
181pass back FF_NONEXIST, which causes the redirect router to decline.
182
183However, if the ignore_enotdir option is set (to ignore "something on the
184path is not a directory" errors), the right behaviour seems to be not to do the
185directory test. */
186
187fwd = Ufopen(filename, "rb");
188if (fwd == NULL)
189 {
190 switch(errno)
191 {
192 case ENOENT: /* File does not exist */
193 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
194 filename,
195 ((options & RDO_ENOTDIR) != 0)? "ignore_enotdir set => skip " : "");
196 *yield = (((options & RDO_ENOTDIR) != 0) ||
197 rda_exists(filename, error) == FILE_NOT_EXIST)?
198 FF_NONEXIST : FF_ERROR;
199 return NULL;
200
201 case ENOTDIR: /* Something on the path isn't a directory */
202 if ((options & RDO_ENOTDIR) == 0) goto DEFAULT_ERROR;
203 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
204 "exist\n", filename);
205 *yield = FF_NONEXIST;
206 return NULL;
207
208 case EACCES: /* Permission denied */
209 if ((options & RDO_EACCES) == 0) goto DEFAULT_ERROR;
210 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
211 "exist\n", filename);
212 *yield = FF_NONEXIST;
213 return NULL;
214
215 DEFAULT_ERROR:
216 default:
217 *error = string_open_failed(errno, "%s", filename);
218 *yield = FF_ERROR;
219 return NULL;
220 }
221 }
222
223/* Check that we have a regular file. */
224
225if (fstat(fileno(fwd), &statbuf) != 0)
226 {
227 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
228 goto ERROR_RETURN;
229 }
230
231if ((statbuf.st_mode & S_IFMT) != S_IFREG)
232 {
233 *error = string_sprintf("%s is not a regular file", filename);
234 goto ERROR_RETURN;
235 }
236
237/* Check for unwanted mode bits */
238
239if ((statbuf.st_mode & rdata->modemask) != 0)
240 {
241 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
242 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
243 goto ERROR_RETURN;
244 }
245
246/* Check the file owner and file group if required to do so. */
247
248if (!uid_ok)
249 {
250 if (rdata->pw != NULL && statbuf.st_uid == rdata->pw->pw_uid)
251 uid_ok = TRUE;
252 else if (rdata->owners != NULL)
253 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
254 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
255 }
256
257if (!gid_ok)
258 {
259 if (rdata->pw != NULL && statbuf.st_gid == rdata->pw->pw_gid)
260 gid_ok = TRUE;
261 else if (rdata->owngroups != NULL)
262 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
263 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
264 }
265
266if (!uid_ok || !gid_ok)
267 {
268 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
269 goto ERROR_RETURN;
270 }
271
272/* Put an upper limit on the size of the file, just to stop silly people
273feeding in ridiculously large files, which can easily be created by making
274files that have holes in them. */
275
276if (statbuf.st_size > MAX_FILTER_SIZE)
277 {
278 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
279 goto ERROR_RETURN;
280 }
281
282/* Read the file in one go in order to minimize the time we have it open. */
283
284filebuf = store_get(statbuf.st_size + 1);
285
286if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
287 {
288 *error = string_sprintf("error while reading %s: %s",
289 filename, strerror(errno));
290 goto ERROR_RETURN;
291 }
292filebuf[statbuf.st_size] = 0;
293
294DEBUG(D_route)
295 debug_printf(OFF_T_FMT " bytes read from %s\n", statbuf.st_size, filename);
296
297(void)fclose(fwd);
298return filebuf;
299
300/* Return an error: the string is already set up. */
301
302ERROR_RETURN:
303*yield = FF_ERROR;
304(void)fclose(fwd);
305return NULL;
306}
307
308
309
310/*************************************************
311* Extract info from list or filter *
312*************************************************/
313
314/* This function calls the appropriate function to extract addresses from a
315forwarding list, or to run a filter file and get addresses from there.
316
317Arguments:
318 rdata the redirection block
319 options the options bits
320 include_directory restrain to this directory
321 sieve_vacation_directory passed to sieve_interpret
322 sieve_enotify_mailto_owner passed to sieve_interpret
323 sieve_useraddress passed to sieve_interpret
324 sieve_subaddress passed to sieve_interpret
325 generated where to hang generated addresses
326 error for error messages
327 eblockp for details of skipped syntax errors
328 (NULL => no skip)
329 filtertype set to the filter type:
330 FILTER_FORWARD => a traditional .forward file
331 FILTER_EXIM => an Exim filter file
332 FILTER_SIEVE => a Sieve filter file
333 a system filter is always forced to be FILTER_EXIM
334
335Returns: a suitable return for rda_interpret()
336*/
337
338static int
339rda_extract(redirect_block *rdata, int options, uschar *include_directory,
340 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
341 uschar *sieve_useraddress, uschar *sieve_subaddress,
342 address_item **generated, uschar **error, error_block **eblockp,
343 int *filtertype)
344{
345uschar *data;
346
347if (rdata->isfile)
348 {
349 int yield = 0;
350 data = rda_get_file_contents(rdata, options, error, &yield);
351 if (data == NULL) return yield;
352 }
353else data = rdata->string;
354
355*filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
356
357/* Filter interpretation is done by a general function that is also called from
358the filter testing option (-bf). There are two versions: one for Exim filtering
359and one for Sieve filtering. Several features of string expansion may be locked
360out at sites that don't trust users. This is done by setting flags in
361expand_forbid that the expander inspects. */
362
363if (*filtertype != FILTER_FORWARD)
364 {
365 int frc;
366 int old_expand_forbid = expand_forbid;
367
368 DEBUG(D_route) debug_printf("data is %s filter program\n",
369 (*filtertype == FILTER_EXIM)? "an Exim" : "a Sieve");
370
371 /* RDO_FILTER is an "allow" bit */
372
373 if ((options & RDO_FILTER) == 0)
374 {
375 *error = US"filtering not enabled";
376 return FF_ERROR;
377 }
378
379 expand_forbid =
380 (expand_forbid & ~RDO_FILTER_EXPANSIONS) |
381 (options & RDO_FILTER_EXPANSIONS);
382
383 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
384
385 if (*filtertype == FILTER_EXIM)
386 {
387 if ((options & RDO_EXIM_FILTER) != 0)
388 {
389 *error = US"Exim filtering not enabled";
390 return FF_ERROR;
391 }
392 frc = filter_interpret(data, options, generated, error);
393 }
394 else
395 {
396 if ((options & RDO_SIEVE_FILTER) != 0)
397 {
398 *error = US"Sieve filtering not enabled";
399 return FF_ERROR;
400 }
401 frc = sieve_interpret(data, options, sieve_vacation_directory,
402 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
403 generated, error);
404 }
405
406 expand_forbid = old_expand_forbid;
407 return frc;
408 }
409
410/* Not a filter script */
411
412DEBUG(D_route) debug_printf("file is not a filter file\n");
413
414return parse_forward_list(data,
415 options, /* specials that are allowed */
416 generated, /* where to hang them */
417 error, /* for errors */
418 deliver_domain, /* to qualify \name */
419 include_directory, /* restrain to directory */
420 eblockp); /* for skipped syntax errors */
421}
422
423
424
425
426/*************************************************
427* Write string down pipe *
428*************************************************/
429
430/* This function is used for transferring a string down a pipe between
431processes. If the pointer is NULL, a length of zero is written.
432
433Arguments:
434 fd the pipe
435 s the string
436
437Returns: -1 on error, else 0
438*/
439
440static int
441rda_write_string(int fd, const uschar *s)
442{
443int len = (s == NULL)? 0 : Ustrlen(s) + 1;
444return ( write(fd, &len, sizeof(int)) != sizeof(int)
445 || (s != NULL && write(fd, s, len) != len)
446 )
447 ? -1 : 0;
448}
449
450
451
452/*************************************************
453* Read string from pipe *
454*************************************************/
455
456/* This function is used for receiving a string from a pipe.
457
458Arguments:
459 fd the pipe
460 sp where to put the string
461
462Returns: FALSE if data missing
463*/
464
465static BOOL
466rda_read_string(int fd, uschar **sp)
467{
468int len;
469
470if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
471if (len == 0)
472 *sp = NULL;
473else
474 /* We know we have enough memory so disable the error on "len" */
475 /* coverity[tainted_data] */
476 if (read(fd, *sp = store_get(len), len) != len) return FALSE;
477return TRUE;
478}
479
480
481
482/*************************************************
483* Interpret forward list or filter *
484*************************************************/
485
486/* This function is passed a forward list string (unexpanded) or the name of a
487file (unexpanded) whose contents are the forwarding list. The list may in fact
488be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
489types of filter, with different inital tag strings, may be introduced in due
490course.
491
492The job of the function is to process the forwarding list or filter. It is
493pulled out into this separate function, because it is used for system filter
494files as well as from the redirect router.
495
496If the function is given a uid/gid, it runs a subprocess that passes the
497results back via a pipe. This provides security for things like :include:s in
498users' .forward files, and "logwrite" calls in users' filter files. A
499sub-process is NOT used when:
500
501 . No uid/gid is provided
502 . The input is a string which is not a filter string, and does not contain
503 :include:
504 . The input is a file whose non-existence can be detected in the main
505 process (which is usually running as root).
506
507Arguments:
508 rdata redirect data (file + constraints, or data string)
509 options options to pass to the extraction functions,
510 plus ENOTDIR and EACCES handling bits
511 include_directory restrain :include: to this directory
512 sieve_vacation_directory directory passed to sieve_interpret
513 sieve_enotify_mailto_owner passed to sieve_interpret
514 sieve_useraddress passed to sieve_interpret
515 sieve_subaddress passed to sieve_interpret
516 ugid uid/gid to run under - if NULL, no change
517 generated where to hang generated addresses, initially NULL
518 error pointer for error message
519 eblockp for skipped syntax errors; NULL if no skipping
520 filtertype set to the type of file:
521 FILTER_FORWARD => traditional .forward file
522 FILTER_EXIM => an Exim filter file
523 FILTER_SIEVE => a Sieve filter file
524 a system filter is always forced to be FILTER_EXIM
525 rname router name for error messages in the format
526 "xxx router" or "system filter"
527
528Returns: values from extraction function, or FF_NONEXIST:
529 FF_DELIVERED success, a significant action was taken
530 FF_NOTDELIVERED success, no significant action
531 FF_BLACKHOLE :blackhole:
532 FF_DEFER defer requested
533 FF_FAIL fail requested
534 FF_INCLUDEFAIL some problem with :include:
535 FF_FREEZE freeze requested
536 FF_ERROR there was a problem
537 FF_NONEXIST the file does not exist
538*/
539
540int
541rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
542 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
543 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
544 address_item **generated, uschar **error, error_block **eblockp,
545 int *filtertype, uschar *rname)
546{
547int fd, rc, pfd[2];
548int yield, status;
549BOOL had_disaster = FALSE;
550pid_t pid;
551uschar *data;
552uschar *readerror = US"";
553void (*oldsignal)(int);
554
555DEBUG(D_route) debug_printf("rda_interpret (%s): %s\n",
556 (rdata->isfile)? "file" : "string", rdata->string);
557
558/* Do the expansions of the file name or data first, while still privileged. */
559
560data = expand_string(rdata->string);
561if (data == NULL)
562 {
563 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
564 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
565 expand_string_message);
566 return FF_ERROR;
567 }
568rdata->string = data;
569
570DEBUG(D_route) debug_printf("expanded: %s\n", data);
571
572if (rdata->isfile && data[0] != '/')
573 {
574 *error = string_sprintf("\"%s\" is not an absolute path", data);
575 return FF_ERROR;
576 }
577
578/* If no uid/gid are supplied, or if we have a data string which does not start
579with #Exim filter or #Sieve filter, and does not contain :include:, do all the
580work in this process. Note that for a system filter, we always have a file, so
581the work is done in this process only if no user is supplied. */
582
583if (!ugid->uid_set || /* Either there's no uid, or */
584 (!rdata->isfile && /* We've got the data, and */
585 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
586 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
587 {
588 return rda_extract(rdata, options, include_directory,
589 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
590 sieve_subaddress, generated, error, eblockp, filtertype);
591 }
592
593/* We need to run the processing code in a sub-process. However, if we can
594determine the non-existence of a file first, we can decline without having to
595create the sub-process. */
596
597if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
598 return FF_NONEXIST;
599
600/* If the file does exist, or we can't tell (non-root mounted NFS directory)
601we have to create the subprocess to do everything as the given user. The
602results of processing are passed back via a pipe. */
603
604if (pipe(pfd) != 0)
605 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
606 ":include: failed for %s: %s", rname, strerror(errno));
607
608/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
609process can be waited for. We sometimes get here with it set otherwise. Save
610the old state for resetting on the wait. Ensure that all cached resources are
611freed so that the subprocess starts with a clean slate and doesn't interfere
612with the parent process. */
613
614oldsignal = signal(SIGCHLD, SIG_DFL);
615search_tidyup();
616
617if ((pid = fork()) == 0)
618 {
619 header_line *waslast = header_last; /* Save last header */
620
621 fd = pfd[pipe_write];
622 (void)close(pfd[pipe_read]);
623 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
624
625 /* Addresses can get rewritten in filters; if we are not root or the exim
626 user (and we probably are not), turn off rewrite logging, because we cannot
627 write to the log now. */
628
629 if (ugid->uid != root_uid && ugid->uid != exim_uid)
630 {
631 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
632 "root or exim in this process)\n");
633 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
634 }
635
636 /* Now do the business */
637
638 yield = rda_extract(rdata, options, include_directory,
639 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
640 sieve_subaddress, generated, error, eblockp, filtertype);
641
642 /* Pass back whether it was a filter, and the return code and any overall
643 error text via the pipe. */
644
645 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
646 || write(fd, &yield, sizeof(int)) != sizeof(int)
647 || rda_write_string(fd, *error) != 0
648 )
649 goto bad;
650
651 /* Pass back the contents of any syntax error blocks if we have a pointer */
652
653 if (eblockp)
654 {
655 for (error_block * ep = *eblockp; ep; ep = ep->next)
656 if ( rda_write_string(fd, ep->text1) != 0
657 || rda_write_string(fd, ep->text2) != 0
658 )
659 goto bad;
660 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
661 goto bad;
662 }
663
664 /* If this is a system filter, we have to pass back the numbers of any
665 original header lines that were removed, and then any header lines that were
666 added but not subsequently removed. */
667
668 if (f.system_filtering)
669 {
670 int i = 0;
671 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
672 if ( h->type == htype_old
673 && write(fd, &i, sizeof(i)) != sizeof(i)
674 )
675 goto bad;
676
677 i = -1;
678 if (write(fd, &i, sizeof(i)) != sizeof(i))
679 goto bad;
680
681 while (waslast != header_last)
682 {
683 waslast = waslast->next;
684 if (waslast->type != htype_old)
685 if ( rda_write_string(fd, waslast->text) != 0
686 || write(fd, &(waslast->type), sizeof(waslast->type))
687 != sizeof(waslast->type)
688 )
689 goto bad;
690 }
691 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
692 goto bad;
693 }
694
695 /* Write the contents of the $n variables */
696
697 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
698 goto bad;
699
700 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
701 addresses, and their associated information, through the pipe. This is
702 just tedious, but it seems to be the only safe way. We do this also for
703 FAIL and FREEZE, because a filter is allowed to set up deliveries that
704 are honoured before freezing or failing. */
705
706 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
707 yield == FF_FAIL || yield == FF_FREEZE)
708 {
709 for (address_item * addr = *generated; addr; addr = addr->next)
710 {
711 int reply_options = 0;
712 int ig_err = addr->prop.ignore_error ? 1 : 0;
713
714 if ( rda_write_string(fd, addr->address) != 0
715 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
716 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
717 || rda_write_string(fd, addr->prop.errors_address) != 0
718 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
719 )
720 goto bad;
721
722 if (addr->pipe_expandn)
723 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
724 if (rda_write_string(fd, *pp) != 0)
725 goto bad;
726 if (rda_write_string(fd, NULL) != 0)
727 goto bad;
728
729 if (!addr->reply)
730 {
731 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
732 goto bad;
733 }
734 else
735 {
736 reply_options |= REPLY_EXISTS;
737 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
738 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
739 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
740 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
741 != sizeof(int)
742 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
743 != sizeof(time_t)
744 || rda_write_string(fd, addr->reply->to) != 0
745 || rda_write_string(fd, addr->reply->cc) != 0
746 || rda_write_string(fd, addr->reply->bcc) != 0
747 || rda_write_string(fd, addr->reply->from) != 0
748 || rda_write_string(fd, addr->reply->reply_to) != 0
749 || rda_write_string(fd, addr->reply->subject) != 0
750 || rda_write_string(fd, addr->reply->headers) != 0
751 || rda_write_string(fd, addr->reply->text) != 0
752 || rda_write_string(fd, addr->reply->file) != 0
753 || rda_write_string(fd, addr->reply->logfile) != 0
754 || rda_write_string(fd, addr->reply->oncelog) != 0
755 )
756 goto bad;
757 }
758 }
759
760 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
761 goto bad;
762 }
763
764 /* OK, this process is now done. Free any cached resources. Must use _exit()
765 and not exit() !! */
766
767out:
768 (void)close(fd);
769 search_tidyup();
770 _exit(0);
771
772bad:
773 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
774 goto out;
775 }
776
777/* Back in the main process: panic if the fork did not succeed. */
778
779if (pid < 0)
780 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
781
782/* Read the pipe to get the data from the filter/forward. Our copy of the
783writing end must be closed first, as otherwise read() won't return zero on an
784empty pipe. Afterwards, close the reading end. */
785
786(void)close(pfd[pipe_write]);
787
788/* Read initial data, including yield and contents of *error */
789
790fd = pfd[pipe_read];
791if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
792 read(fd, &yield, sizeof(int)) != sizeof(int) ||
793 !rda_read_string(fd, error)) goto DISASTER;
794
795/* Read the contents of any syntax error blocks if we have a pointer */
796
797if (eblockp)
798 {
799 error_block *e;
800 for (error_block ** p = eblockp; ; p = &e->next)
801 {
802 uschar *s;
803 if (!rda_read_string(fd, &s)) goto DISASTER;
804 if (!s) break;
805 e = store_get(sizeof(error_block));
806 e->next = NULL;
807 e->text1 = s;
808 if (!rda_read_string(fd, &s)) goto DISASTER;
809 e->text2 = s;
810 *p = e;
811 }
812 }
813
814/* If this is a system filter, read the identify of any original header lines
815that were removed, and then read data for any new ones that were added. */
816
817if (f.system_filtering)
818 {
819 int hn = 0;
820 header_line *h = header_list;
821
822 for (;;)
823 {
824 int n;
825 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
826 if (n < 0) break;
827 while (hn < n)
828 {
829 hn++;
830 if (!(h = h->next)) goto DISASTER_NO_HEADER;
831 }
832 h->type = htype_old;
833 }
834
835 for (;;)
836 {
837 uschar *s;
838 int type;
839 if (!rda_read_string(fd, &s)) goto DISASTER;
840 if (!s) break;
841 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
842 header_add(type, "%s", s);
843 }
844 }
845
846/* Read the values of the $n variables */
847
848if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
849
850/* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
851addresses and data to go with them. Keep them in the same order in the
852generated chain. */
853
854if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
855 yield == FF_FAIL || yield == FF_FREEZE)
856 {
857 address_item **nextp = generated;
858
859 for (;;)
860 {
861 int i, reply_options;
862 address_item *addr;
863 uschar *recipient;
864 uschar *expandn[EXPAND_MAXN + 2];
865
866 /* First string is the address; NULL => end of addresses */
867
868 if (!rda_read_string(fd, &recipient)) goto DISASTER;
869 if (recipient == NULL) break;
870
871 /* Hang on the end of the chain */
872
873 addr = deliver_make_addr(recipient, FALSE);
874 *nextp = addr;
875 nextp = &(addr->next);
876
877 /* Next comes the mode and the flags fields */
878
879 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
880 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
881 || !rda_read_string(fd, &addr->prop.errors_address)
882 || read(fd, &i, sizeof(i)) != sizeof(i)
883 )
884 goto DISASTER;
885 addr->prop.ignore_error = (i != 0);
886
887 /* Next comes a possible setting for $thisaddress and any numerical
888 variables for pipe expansion, terminated by a NULL string. The maximum
889 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
890 into the zeroth item in the vector - this is sorted out inside the pipe
891 transport. */
892
893 for (i = 0; i < EXPAND_MAXN + 1; i++)
894 {
895 uschar *temp;
896 if (!rda_read_string(fd, &temp)) goto DISASTER;
897 if (i == 0) filter_thisaddress = temp; /* Just in case */
898 expandn[i] = temp;
899 if (temp == NULL) break;
900 }
901
902 if (i > 0)
903 {
904 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *));
905 addr->pipe_expandn[i] = NULL;
906 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
907 }
908
909 /* Then an int containing reply options; zero => no reply data. */
910
911 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
912 if ((reply_options & REPLY_EXISTS) != 0)
913 {
914 addr->reply = store_get(sizeof(reply_item));
915
916 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
917 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
918
919 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
920 sizeof(int) ||
921 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
922 sizeof(time_t) ||
923 !rda_read_string(fd, &(addr->reply->to)) ||
924 !rda_read_string(fd, &(addr->reply->cc)) ||
925 !rda_read_string(fd, &(addr->reply->bcc)) ||
926 !rda_read_string(fd, &(addr->reply->from)) ||
927 !rda_read_string(fd, &(addr->reply->reply_to)) ||
928 !rda_read_string(fd, &(addr->reply->subject)) ||
929 !rda_read_string(fd, &(addr->reply->headers)) ||
930 !rda_read_string(fd, &(addr->reply->text)) ||
931 !rda_read_string(fd, &(addr->reply->file)) ||
932 !rda_read_string(fd, &(addr->reply->logfile)) ||
933 !rda_read_string(fd, &(addr->reply->oncelog)))
934 goto DISASTER;
935 }
936 }
937 }
938
939/* All data has been transferred from the sub-process. Reap it, close the
940reading end of the pipe, and we are done. */
941
942WAIT_EXIT:
943while ((rc = wait(&status)) != pid)
944 {
945 if (rc < 0 && errno == ECHILD) /* Process has vanished */
946 {
947 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
948 goto FINAL_EXIT;
949 }
950 }
951
952DEBUG(D_route)
953 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
954
955if (had_disaster)
956 {
957 *error = string_sprintf("internal problem in %s: failure to transfer "
958 "data from subprocess: status=%04x%s%s%s", rname,
959 status, readerror,
960 (*error == NULL)? US"" : US": error=",
961 (*error == NULL)? US"" : *error);
962 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
963 }
964else if (status != 0)
965 {
966 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
967 "%04x from redirect subprocess (but data correctly received)", rname,
968 status);
969 }
970
971FINAL_EXIT:
972(void)close(fd);
973signal(SIGCHLD, oldsignal); /* restore */
974return yield;
975
976
977/* Come here if the data indicates removal of a header that we can't find */
978
979DISASTER_NO_HEADER:
980readerror = US" readerror=bad header identifier";
981had_disaster = TRUE;
982yield = FF_ERROR;
983goto WAIT_EXIT;
984
985/* Come here is there's a shambles in transferring the data over the pipe. The
986value of errno should still be set. */
987
988DISASTER:
989readerror = string_sprintf(" readerror='%s'", strerror(errno));
990had_disaster = TRUE;
991yield = FF_ERROR;
992goto WAIT_EXIT;
993}
994
995/* End of rda.c */
Unnamed repository; edit this file 'description' to name the repository.