projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
debian experimental exim-daemon-heavy config
[exim.git] / src / src / rda.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2018 */
6/* Copyright (c) The Exim maintainers 2020 */
7/* See the file NOTICE for conditions of use and distribution. */
8
9/* This module contains code for extracting addresses from a forwarding list
10(from an alias or forward file) or by running the filter interpreter. It may do
11this in a sub-process if a uid/gid are supplied. */
12
13
14#include "exim.h"
15
16enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
17
18#define REPLY_EXISTS 0x01
19#define REPLY_EXPAND 0x02
20#define REPLY_RETURN 0x04
21
22
23/*************************************************
24* Check string for filter program *
25*************************************************/
26
27/* This function checks whether a string is actually a filter program. The rule
28is that it must start with "# Exim filter ..." (any capitalization, spaces
29optional). It is envisaged that in future, other kinds of filter may be
30implemented. That's why it is implemented the way it is. The function is global
31because it is also called from filter.c when checking filters.
32
33Argument: the string
34
35Returns: FILTER_EXIM if it starts with "# Exim filter"
36 FILTER_SIEVE if it starts with "# Sieve filter"
37 FILTER_FORWARD otherwise
38*/
39
40/* This is an auxiliary function for matching a tag. */
41
42static BOOL
43match_tag(const uschar *s, const uschar *tag)
44{
45for (; *tag; s++, tag++)
46 if (*tag == ' ')
47 {
48 while (*s == ' ' || *s == '\t') s++;
49 s--;
50 }
51 else
52 if (tolower(*s) != tolower(*tag)) break;
53
54return (*tag == 0);
55}
56
57/* This is the real function. It should be easy to add checking different
58tags for other types of filter. */
59
60int
61rda_is_filter(const uschar *s)
62{
63Uskip_whitespace(&s); /* Skips initial blank lines */
64if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
65else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
66else return FILTER_FORWARD;
67}
68
69
70
71
72/*************************************************
73* Check for existence of file *
74*************************************************/
75
76/* First of all, we stat the file. If this fails, we try to stat the enclosing
77directory, because a file in an unmounted NFS directory will look the same as a
78non-existent file. It seems that in Solaris 2.6, statting an entry in an
79indirect map that is currently unmounted does not cause the mount to happen.
80Instead, dummy data is returned, which defeats the whole point of this test.
81However, if a stat() is done on some object inside the directory, such as the
82"." back reference to itself, then the mount does occur. If an NFS host is
83taken offline, it is possible for the stat() to get stuck until it comes back.
84To guard against this, stick a timer round it. If we can't access the "."
85inside the directory, try the plain directory, just in case that helps.
86
87Argument:
88 filename the file name
89 error for message on error
90
91Returns: FILE_EXIST the file exists
92 FILE_NOT_EXIST the file does not exist
93 FILE_EXIST_UNCLEAR cannot determine existence
94*/
95
96static int
97rda_exists(uschar *filename, uschar **error)
98{
99int rc, saved_errno;
100struct stat statbuf;
101uschar * s;
102
103if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
104saved_errno = errno;
105
106s = string_copy(filename);
107sigalrm_seen = FALSE;
108
109if (saved_errno == ENOENT)
110 {
111 uschar * slash = Ustrrchr(s, '/');
112 Ustrcpy(slash+1, US".");
113
114 ALARM(30);
115 rc = Ustat(s, &statbuf);
116 if (rc != 0 && errno == EACCES && !sigalrm_seen)
117 {
118 *slash = 0;
119 rc = Ustat(s, &statbuf);
120 }
121 saved_errno = errno;
122 ALARM_CLR(0);
123
124 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
125 }
126
127if (sigalrm_seen || rc != 0)
128 {
129 *error = string_sprintf("failed to stat %s (%s)", s,
130 sigalrm_seen? "timeout" : strerror(saved_errno));
131 return FILE_EXIST_UNCLEAR;
132 }
133
134*error = string_sprintf("%s does not exist", filename);
135DEBUG(D_route) debug_printf("%s\n", *error);
136return FILE_NOT_EXIST;
137}
138
139
140
141/*************************************************
142* Get forwarding list from a file *
143*************************************************/
144
145/* Open a file and read its entire contents into a block of memory. Certain
146opening errors are optionally treated the same as "file does not exist".
147
148ENOTDIR means that something along the line is not a directory: there are
149installations that set home directories to be /dev/null for non-login accounts
150but in normal circumstances this indicates some kind of configuration error.
151
152EACCES means there's a permissions failure. Some users turn off read permission
153on a .forward file to suspend forwarding, but this is probably an error in any
154kind of mailing list processing.
155
156The redirect block that contains the file name also contains constraints such
157as who may own the file, and mode bits that must not be set. This function is
158
159Arguments:
160 rdata rdirect block, containing file name and constraints
161 options for the RDO_ENOTDIR and RDO_EACCES options
162 error where to put an error message
163 yield what to return from rda_interpret on error
164
165Returns: pointer to string in store; NULL on error
166*/
167
168static uschar *
169rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
170 int *yield)
171{
172FILE *fwd;
173uschar *filebuf;
174uschar *filename = rdata->string;
175BOOL uid_ok = !rdata->check_owner;
176BOOL gid_ok = !rdata->check_group;
177struct stat statbuf;
178
179/* Reading a file is a form of expansion; we wish to deny attackers the
180capability to specify the file name. */
181
182if (is_tainted(filename))
183 {
184 *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
185 filename);
186 *yield = FF_ERROR;
187 return NULL;
188 }
189
190/* Attempt to open the file. If it appears not to exist, check up on the
191containing directory by statting it. If the directory does not exist, we treat
192this situation as an error (which will cause delivery to defer); otherwise we
193pass back FF_NONEXIST, which causes the redirect router to decline.
194
195However, if the ignore_enotdir option is set (to ignore "something on the
196path is not a directory" errors), the right behaviour seems to be not to do the
197directory test. */
198
199if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
200 {
201 case ENOENT: /* File does not exist */
202 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
203 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
204 *yield =
205 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
206 ? FF_NONEXIST : FF_ERROR;
207 return NULL;
208
209 case ENOTDIR: /* Something on the path isn't a directory */
210 if (!(options & RDO_ENOTDIR)) goto DEFAULT_ERROR;
211 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
212 "exist\n", filename);
213 *yield = FF_NONEXIST;
214 return NULL;
215
216 case EACCES: /* Permission denied */
217 if (!(options & RDO_EACCES)) goto DEFAULT_ERROR;
218 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
219 "exist\n", filename);
220 *yield = FF_NONEXIST;
221 return NULL;
222
223DEFAULT_ERROR:
224 default:
225 *error = string_open_failed(errno, "%s", filename);
226 *yield = FF_ERROR;
227 return NULL;
228 }
229
230/* Check that we have a regular file. */
231
232if (fstat(fileno(fwd), &statbuf) != 0)
233 {
234 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
235 goto ERROR_RETURN;
236 }
237
238if ((statbuf.st_mode & S_IFMT) != S_IFREG)
239 {
240 *error = string_sprintf("%s is not a regular file", filename);
241 goto ERROR_RETURN;
242 }
243
244/* Check for unwanted mode bits */
245
246if ((statbuf.st_mode & rdata->modemask) != 0)
247 {
248 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
249 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
250 goto ERROR_RETURN;
251 }
252
253/* Check the file owner and file group if required to do so. */
254
255if (!uid_ok)
256 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
257 uid_ok = TRUE;
258 else if (rdata->owners)
259 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
260 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
261
262if (!gid_ok)
263 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
264 gid_ok = TRUE;
265 else if (rdata->owngroups)
266 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
267 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
268
269if (!uid_ok || !gid_ok)
270 {
271 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
272 goto ERROR_RETURN;
273 }
274
275/* Put an upper limit on the size of the file, just to stop silly people
276feeding in ridiculously large files, which can easily be created by making
277files that have holes in them. */
278
279if (statbuf.st_size > MAX_FILTER_SIZE)
280 {
281 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
282 goto ERROR_RETURN;
283 }
284
285/* Read the file in one go in order to minimize the time we have it open. */
286
287filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
288
289if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
290 {
291 *error = string_sprintf("error while reading %s: %s",
292 filename, strerror(errno));
293 goto ERROR_RETURN;
294 }
295filebuf[statbuf.st_size] = 0;
296
297DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
298 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
299
300(void)fclose(fwd);
301return filebuf;
302
303/* Return an error: the string is already set up. */
304
305ERROR_RETURN:
306*yield = FF_ERROR;
307(void)fclose(fwd);
308return NULL;
309}
310
311
312
313/*************************************************
314* Extract info from list or filter *
315*************************************************/
316
317/* This function calls the appropriate function to extract addresses from a
318forwarding list, or to run a filter file and get addresses from there.
319
320Arguments:
321 rdata the redirection block
322 options the options bits
323 include_directory restrain to this directory
324 sieve_vacation_directory passed to sieve_interpret
325 sieve_enotify_mailto_owner passed to sieve_interpret
326 sieve_useraddress passed to sieve_interpret
327 sieve_subaddress passed to sieve_interpret
328 generated where to hang generated addresses
329 error for error messages
330 eblockp for details of skipped syntax errors
331 (NULL => no skip)
332 filtertype set to the filter type:
333 FILTER_FORWARD => a traditional .forward file
334 FILTER_EXIM => an Exim filter file
335 FILTER_SIEVE => a Sieve filter file
336 a system filter is always forced to be FILTER_EXIM
337
338Returns: a suitable return for rda_interpret()
339*/
340
341static int
342rda_extract(redirect_block *rdata, int options, uschar *include_directory,
343 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
344 uschar *sieve_useraddress, uschar *sieve_subaddress,
345 address_item **generated, uschar **error, error_block **eblockp,
346 int *filtertype)
347{
348uschar *data;
349
350if (rdata->isfile)
351 {
352 int yield = 0;
353 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
354 return yield;
355 }
356else data = rdata->string;
357
358*filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
359
360/* Filter interpretation is done by a general function that is also called from
361the filter testing option (-bf). There are two versions: one for Exim filtering
362and one for Sieve filtering. Several features of string expansion may be locked
363out at sites that don't trust users. This is done by setting flags in
364expand_forbid that the expander inspects. */
365
366if (*filtertype != FILTER_FORWARD)
367 {
368 int frc;
369 int old_expand_forbid = expand_forbid;
370
371 DEBUG(D_route) debug_printf("data is %s filter program\n",
372 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
373
374 /* RDO_FILTER is an "allow" bit */
375
376 if (!(options & RDO_FILTER))
377 {
378 *error = US"filtering not enabled";
379 return FF_ERROR;
380 }
381
382 expand_forbid =
383 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
384
385 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
386
387 if (*filtertype == FILTER_EXIM)
388 {
389 if ((options & RDO_EXIM_FILTER) != 0)
390 {
391 *error = US"Exim filtering not enabled";
392 return FF_ERROR;
393 }
394 frc = filter_interpret(data, options, generated, error);
395 }
396 else
397 {
398 if (options & RDO_SIEVE_FILTER)
399 {
400 *error = US"Sieve filtering not enabled";
401 return FF_ERROR;
402 }
403 frc = sieve_interpret(data, options, sieve_vacation_directory,
404 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
405 generated, error);
406 }
407
408 expand_forbid = old_expand_forbid;
409 return frc;
410 }
411
412/* Not a filter script */
413
414DEBUG(D_route) debug_printf("file is not a filter file\n");
415
416return parse_forward_list(data,
417 options, /* specials that are allowed */
418 generated, /* where to hang them */
419 error, /* for errors */
420 deliver_domain, /* to qualify \name */
421 include_directory, /* restrain to directory */
422 eblockp); /* for skipped syntax errors */
423}
424
425
426
427
428/*************************************************
429* Write string down pipe *
430*************************************************/
431
432/* This function is used for transferring a string down a pipe between
433processes. If the pointer is NULL, a length of zero is written.
434
435Arguments:
436 fd the pipe
437 s the string
438
439Returns: -1 on error, else 0
440*/
441
442static int
443rda_write_string(int fd, const uschar *s)
444{
445int len = (s == NULL)? 0 : Ustrlen(s) + 1;
446return ( write(fd, &len, sizeof(int)) != sizeof(int)
447 || (s != NULL && write(fd, s, len) != len)
448 )
449 ? -1 : 0;
450}
451
452
453
454/*************************************************
455* Read string from pipe *
456*************************************************/
457
458/* This function is used for receiving a string from a pipe.
459
460Arguments:
461 fd the pipe
462 sp where to put the string
463
464Returns: FALSE if data missing
465*/
466
467static BOOL
468rda_read_string(int fd, uschar **sp)
469{
470int len;
471
472if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
473if (len == 0)
474 *sp = NULL;
475else
476 /* We know we have enough memory so disable the error on "len" */
477 /* coverity[tainted_data] */
478 /* We trust the data source, so untainted */
479 if (read(fd, *sp = store_get(len, FALSE), len) != len) return FALSE;
480return TRUE;
481}
482
483
484
485/*************************************************
486* Interpret forward list or filter *
487*************************************************/
488
489/* This function is passed a forward list string (unexpanded) or the name of a
490file (unexpanded) whose contents are the forwarding list. The list may in fact
491be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
492types of filter, with different initial tag strings, may be introduced in due
493course.
494
495The job of the function is to process the forwarding list or filter. It is
496pulled out into this separate function, because it is used for system filter
497files as well as from the redirect router.
498
499If the function is given a uid/gid, it runs a subprocess that passes the
500results back via a pipe. This provides security for things like :include:s in
501users' .forward files, and "logwrite" calls in users' filter files. A
502sub-process is NOT used when:
503
504 . No uid/gid is provided
505 . The input is a string which is not a filter string, and does not contain
506 :include:
507 . The input is a file whose non-existence can be detected in the main
508 process (which is usually running as root).
509
510Arguments:
511 rdata redirect data (file + constraints, or data string)
512 options options to pass to the extraction functions,
513 plus ENOTDIR and EACCES handling bits
514 include_directory restrain :include: to this directory
515 sieve_vacation_directory directory passed to sieve_interpret
516 sieve_enotify_mailto_owner passed to sieve_interpret
517 sieve_useraddress passed to sieve_interpret
518 sieve_subaddress passed to sieve_interpret
519 ugid uid/gid to run under - if NULL, no change
520 generated where to hang generated addresses, initially NULL
521 error pointer for error message
522 eblockp for skipped syntax errors; NULL if no skipping
523 filtertype set to the type of file:
524 FILTER_FORWARD => traditional .forward file
525 FILTER_EXIM => an Exim filter file
526 FILTER_SIEVE => a Sieve filter file
527 a system filter is always forced to be FILTER_EXIM
528 rname router name for error messages in the format
529 "xxx router" or "system filter"
530
531Returns: values from extraction function, or FF_NONEXIST:
532 FF_DELIVERED success, a significant action was taken
533 FF_NOTDELIVERED success, no significant action
534 FF_BLACKHOLE :blackhole:
535 FF_DEFER defer requested
536 FF_FAIL fail requested
537 FF_INCLUDEFAIL some problem with :include:
538 FF_FREEZE freeze requested
539 FF_ERROR there was a problem
540 FF_NONEXIST the file does not exist
541*/
542
543int
544rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
545 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
546 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
547 address_item **generated, uschar **error, error_block **eblockp,
548 int *filtertype, uschar *rname)
549{
550int fd, rc, pfd[2];
551int yield, status;
552BOOL had_disaster = FALSE;
553pid_t pid;
554uschar *data;
555uschar *readerror = US"";
556void (*oldsignal)(int);
557
558DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
559 rdata->isfile ? "file" : "string", string_printing(rdata->string));
560
561/* Do the expansions of the file name or data first, while still privileged. */
562
563if (!(data = expand_string(rdata->string)))
564 {
565 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
566 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
567 expand_string_message);
568 return FF_ERROR;
569 }
570rdata->string = data;
571
572DEBUG(D_route)
573 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
574
575if (rdata->isfile && data[0] != '/')
576 {
577 *error = string_sprintf("\"%s\" is not an absolute path", data);
578 return FF_ERROR;
579 }
580
581/* If no uid/gid are supplied, or if we have a data string which does not start
582with #Exim filter or #Sieve filter, and does not contain :include:, do all the
583work in this process. Note that for a system filter, we always have a file, so
584the work is done in this process only if no user is supplied. */
585
586if (!ugid->uid_set || /* Either there's no uid, or */
587 (!rdata->isfile && /* We've got the data, and */
588 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
589 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
590 return rda_extract(rdata, options, include_directory,
591 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
592 sieve_subaddress, generated, error, eblockp, filtertype);
593
594/* We need to run the processing code in a sub-process. However, if we can
595determine the non-existence of a file first, we can decline without having to
596create the sub-process. */
597
598if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
599 return FF_NONEXIST;
600
601/* If the file does exist, or we can't tell (non-root mounted NFS directory)
602we have to create the subprocess to do everything as the given user. The
603results of processing are passed back via a pipe. */
604
605if (pipe(pfd) != 0)
606 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
607 ":include: failed for %s: %s", rname, strerror(errno));
608
609/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
610process can be waited for. We sometimes get here with it set otherwise. Save
611the old state for resetting on the wait. Ensure that all cached resources are
612freed so that the subprocess starts with a clean slate and doesn't interfere
613with the parent process. */
614
615oldsignal = signal(SIGCHLD, SIG_DFL);
616search_tidyup();
617
618if ((pid = exim_fork(US"router-interpret")) == 0)
619 {
620 header_line *waslast = header_last; /* Save last header */
621
622 fd = pfd[pipe_write];
623 (void)close(pfd[pipe_read]);
624 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
625
626 /* Addresses can get rewritten in filters; if we are not root or the exim
627 user (and we probably are not), turn off rewrite logging, because we cannot
628 write to the log now. */
629
630 if (ugid->uid != root_uid && ugid->uid != exim_uid)
631 {
632 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
633 "root or exim in this process)\n");
634 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
635 }
636
637 /* Now do the business */
638
639 yield = rda_extract(rdata, options, include_directory,
640 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
641 sieve_subaddress, generated, error, eblockp, filtertype);
642
643 /* Pass back whether it was a filter, and the return code and any overall
644 error text via the pipe. */
645
646 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
647 || write(fd, &yield, sizeof(int)) != sizeof(int)
648 || rda_write_string(fd, *error) != 0
649 )
650 goto bad;
651
652 /* Pass back the contents of any syntax error blocks if we have a pointer */
653
654 if (eblockp)
655 {
656 for (error_block * ep = *eblockp; ep; ep = ep->next)
657 if ( rda_write_string(fd, ep->text1) != 0
658 || rda_write_string(fd, ep->text2) != 0
659 )
660 goto bad;
661 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
662 goto bad;
663 }
664
665 /* If this is a system filter, we have to pass back the numbers of any
666 original header lines that were removed, and then any header lines that were
667 added but not subsequently removed. */
668
669 if (f.system_filtering)
670 {
671 int i = 0;
672 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
673 if ( h->type == htype_old
674 && write(fd, &i, sizeof(i)) != sizeof(i)
675 )
676 goto bad;
677
678 i = -1;
679 if (write(fd, &i, sizeof(i)) != sizeof(i))
680 goto bad;
681
682 while (waslast != header_last)
683 {
684 waslast = waslast->next;
685 if (waslast->type != htype_old)
686 if ( rda_write_string(fd, waslast->text) != 0
687 || write(fd, &(waslast->type), sizeof(waslast->type))
688 != sizeof(waslast->type)
689 )
690 goto bad;
691 }
692 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
693 goto bad;
694 }
695
696 /* Write the contents of the $n variables */
697
698 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
699 goto bad;
700
701 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
702 addresses, and their associated information, through the pipe. This is
703 just tedious, but it seems to be the only safe way. We do this also for
704 FAIL and FREEZE, because a filter is allowed to set up deliveries that
705 are honoured before freezing or failing. */
706
707 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
708 yield == FF_FAIL || yield == FF_FREEZE)
709 {
710 for (address_item * addr = *generated; addr; addr = addr->next)
711 {
712 int reply_options = 0;
713 int ig_err = addr->prop.ignore_error ? 1 : 0;
714
715 if ( rda_write_string(fd, addr->address) != 0
716 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
717 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
718 || rda_write_string(fd, addr->prop.errors_address) != 0
719 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
720 )
721 goto bad;
722
723 if (addr->pipe_expandn)
724 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
725 if (rda_write_string(fd, *pp) != 0)
726 goto bad;
727 if (rda_write_string(fd, NULL) != 0)
728 goto bad;
729
730 if (!addr->reply)
731 {
732 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
733 goto bad;
734 }
735 else
736 {
737 reply_options |= REPLY_EXISTS;
738 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
739 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
740 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
741 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
742 != sizeof(int)
743 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
744 != sizeof(time_t)
745 || rda_write_string(fd, addr->reply->to) != 0
746 || rda_write_string(fd, addr->reply->cc) != 0
747 || rda_write_string(fd, addr->reply->bcc) != 0
748 || rda_write_string(fd, addr->reply->from) != 0
749 || rda_write_string(fd, addr->reply->reply_to) != 0
750 || rda_write_string(fd, addr->reply->subject) != 0
751 || rda_write_string(fd, addr->reply->headers) != 0
752 || rda_write_string(fd, addr->reply->text) != 0
753 || rda_write_string(fd, addr->reply->file) != 0
754 || rda_write_string(fd, addr->reply->logfile) != 0
755 || rda_write_string(fd, addr->reply->oncelog) != 0
756 )
757 goto bad;
758 }
759 }
760
761 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
762 goto bad;
763 }
764
765 /* OK, this process is now done. Free any cached resources. Must use _exit()
766 and not exit() !! */
767
768out:
769 (void)close(fd);
770 search_tidyup();
771 exim_underbar_exit(EXIT_SUCCESS);
772
773bad:
774 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
775 goto out;
776 }
777
778/* Back in the main process: panic if the fork did not succeed. */
779
780if (pid < 0)
781 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
782
783/* Read the pipe to get the data from the filter/forward. Our copy of the
784writing end must be closed first, as otherwise read() won't return zero on an
785empty pipe. Afterwards, close the reading end. */
786
787(void)close(pfd[pipe_write]);
788
789/* Read initial data, including yield and contents of *error */
790
791fd = pfd[pipe_read];
792if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
793 read(fd, &yield, sizeof(int)) != sizeof(int) ||
794 !rda_read_string(fd, error)) goto DISASTER;
795
796/* Read the contents of any syntax error blocks if we have a pointer */
797
798if (eblockp)
799 {
800 error_block *e;
801 for (error_block ** p = eblockp; ; p = &e->next)
802 {
803 uschar *s;
804 if (!rda_read_string(fd, &s)) goto DISASTER;
805 if (!s) break;
806 e = store_get(sizeof(error_block), FALSE);
807 e->next = NULL;
808 e->text1 = s;
809 if (!rda_read_string(fd, &s)) goto DISASTER;
810 e->text2 = s;
811 *p = e;
812 }
813 }
814
815/* If this is a system filter, read the identify of any original header lines
816that were removed, and then read data for any new ones that were added. */
817
818if (f.system_filtering)
819 {
820 int hn = 0;
821 header_line *h = header_list;
822
823 for (;;)
824 {
825 int n;
826 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
827 if (n < 0) break;
828 while (hn < n)
829 {
830 hn++;
831 if (!(h = h->next)) goto DISASTER_NO_HEADER;
832 }
833 h->type = htype_old;
834 }
835
836 for (;;)
837 {
838 uschar *s;
839 int type;
840 if (!rda_read_string(fd, &s)) goto DISASTER;
841 if (!s) break;
842 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
843 header_add(type, "%s", s);
844 }
845 }
846
847/* Read the values of the $n variables */
848
849if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
850
851/* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
852addresses and data to go with them. Keep them in the same order in the
853generated chain. */
854
855if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
856 yield == FF_FAIL || yield == FF_FREEZE)
857 {
858 address_item **nextp = generated;
859
860 for (;;)
861 {
862 int i, reply_options;
863 address_item *addr;
864 uschar *recipient;
865 uschar *expandn[EXPAND_MAXN + 2];
866
867 /* First string is the address; NULL => end of addresses */
868
869 if (!rda_read_string(fd, &recipient)) goto DISASTER;
870 if (!recipient) break;
871
872 /* Hang on the end of the chain */
873
874 addr = deliver_make_addr(recipient, FALSE);
875 *nextp = addr;
876 nextp = &(addr->next);
877
878 /* Next comes the mode and the flags fields */
879
880 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
881 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
882 || !rda_read_string(fd, &addr->prop.errors_address)
883 || read(fd, &i, sizeof(i)) != sizeof(i)
884 )
885 goto DISASTER;
886 addr->prop.ignore_error = (i != 0);
887
888 /* Next comes a possible setting for $thisaddress and any numerical
889 variables for pipe expansion, terminated by a NULL string. The maximum
890 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
891 into the zeroth item in the vector - this is sorted out inside the pipe
892 transport. */
893
894 for (i = 0; i < EXPAND_MAXN + 1; i++)
895 {
896 uschar *temp;
897 if (!rda_read_string(fd, &temp)) goto DISASTER;
898 if (i == 0) filter_thisaddress = temp; /* Just in case */
899 expandn[i] = temp;
900 if (temp == NULL) break;
901 }
902
903 if (i > 0)
904 {
905 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), FALSE);
906 addr->pipe_expandn[i] = NULL;
907 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
908 }
909
910 /* Then an int containing reply options; zero => no reply data. */
911
912 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
913 if ((reply_options & REPLY_EXISTS) != 0)
914 {
915 addr->reply = store_get(sizeof(reply_item), FALSE);
916
917 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
918 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
919
920 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
921 sizeof(int) ||
922 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
923 sizeof(time_t) ||
924 !rda_read_string(fd, &addr->reply->to) ||
925 !rda_read_string(fd, &addr->reply->cc) ||
926 !rda_read_string(fd, &addr->reply->bcc) ||
927 !rda_read_string(fd, &addr->reply->from) ||
928 !rda_read_string(fd, &addr->reply->reply_to) ||
929 !rda_read_string(fd, &addr->reply->subject) ||
930 !rda_read_string(fd, &addr->reply->headers) ||
931 !rda_read_string(fd, &addr->reply->text) ||
932 !rda_read_string(fd, &addr->reply->file) ||
933 !rda_read_string(fd, &addr->reply->logfile) ||
934 !rda_read_string(fd, &addr->reply->oncelog))
935 goto DISASTER;
936 }
937 }
938 }
939
940/* All data has been transferred from the sub-process. Reap it, close the
941reading end of the pipe, and we are done. */
942
943WAIT_EXIT:
944while ((rc = wait(&status)) != pid)
945 if (rc < 0 && errno == ECHILD) /* Process has vanished */
946 {
947 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
948 goto FINAL_EXIT;
949 }
950
951DEBUG(D_route)
952 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
953
954if (had_disaster)
955 {
956 *error = string_sprintf("internal problem in %s: failure to transfer "
957 "data from subprocess: status=%04x%s%s%s", rname,
958 status, readerror,
959 (*error == NULL)? US"" : US": error=",
960 (*error == NULL)? US"" : *error);
961 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
962 }
963else if (status != 0)
964 {
965 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
966 "%04x from redirect subprocess (but data correctly received)", rname,
967 status);
968 }
969
970FINAL_EXIT:
971(void)close(fd);
972signal(SIGCHLD, oldsignal); /* restore */
973return yield;
974
975
976/* Come here if the data indicates removal of a header that we can't find */
977
978DISASTER_NO_HEADER:
979readerror = US" readerror=bad header identifier";
980had_disaster = TRUE;
981yield = FF_ERROR;
982goto WAIT_EXIT;
983
984/* Come here is there's a shambles in transferring the data over the pipe. The
985value of errno should still be set. */
986
987DISASTER:
988readerror = string_sprintf(" readerror='%s'", strerror(errno));
989had_disaster = TRUE;
990yield = FF_ERROR;
991goto WAIT_EXIT;
992}
993
994/* End of rda.c */
Unnamed repository; edit this file 'description' to name the repository.