projects / exim.git / blob
? search:


201e82d8b8a0bee54fd1344f9d622f1c0eba9d18
[exim.git] / src / src / rda.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module contains code for extracting addresses from a forwarding list
9 (from an alias or forward file) or by running the filter interpreter. It may do
10 this in a sub-process if a uid/gid are supplied. */
11
12
13 #include "exim.h"
14
15 enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
16
17 #define REPLY_EXISTS 0x01
18 #define REPLY_EXPAND 0x02
19 #define REPLY_RETURN 0x04
20
21
22 /*************************************************
23 * Check string for filter program *
24 *************************************************/
25
26 /* This function checks whether a string is actually a filter program. The rule
27 is that it must start with "# Exim filter ..." (any capitalization, spaces
28 optional). It is envisaged that in future, other kinds of filter may be
29 implemented. That's why it is implemented the way it is. The function is global
30 because it is also called from filter.c when checking filters.
31
32 Argument: the string
33
34 Returns: FILTER_EXIM if it starts with "# Exim filter"
35 FILTER_SIEVE if it starts with "# Sieve filter"
36 FILTER_FORWARD otherwise
37 */
38
39 /* This is an auxiliary function for matching a tag. */
40
41 static BOOL
42 match_tag(const uschar *s, const uschar *tag)
43 {
44 for (; *tag != 0; s++, tag++)
45 if (*tag == ' ')
46 {
47 while (*s == ' ' || *s == '\t') s++;
48 s--;
49 }
50 else
51 if (tolower(*s) != tolower(*tag)) break;
52
53 return (*tag == 0);
54 }
55
56 /* This is the real function. It should be easy to add checking different
57 tags for other types of filter. */
58
59 int
60 rda_is_filter(const uschar *s)
61 {
62 while (isspace(*s)) s++; /* Skips initial blank lines */
63 if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
64 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
65 else return FILTER_FORWARD;
66 }
67
68
69
70
71 /*************************************************
72 * Check for existence of file *
73 *************************************************/
74
75 /* First of all, we stat the file. If this fails, we try to stat the enclosing
76 directory, because a file in an unmounted NFS directory will look the same as a
77 non-existent file. It seems that in Solaris 2.6, statting an entry in an
78 indirect map that is currently unmounted does not cause the mount to happen.
79 Instead, dummy data is returned, which defeats the whole point of this test.
80 However, if a stat() is done on some object inside the directory, such as the
81 "." back reference to itself, then the mount does occur. If an NFS host is
82 taken offline, it is possible for the stat() to get stuck until it comes back.
83 To guard against this, stick a timer round it. If we can't access the "."
84 inside the directory, try the plain directory, just in case that helps.
85
86 Argument:
87 filename the file name
88 error for message on error
89
90 Returns: FILE_EXIST the file exists
91 FILE_NOT_EXIST the file does not exist
92 FILE_EXIST_UNCLEAR cannot determine existence
93 */
94
95 static int
96 rda_exists(uschar *filename, uschar **error)
97 {
98 int rc, saved_errno;
99 struct stat statbuf;
100 uschar * s;
101
102 if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
103 saved_errno = errno;
104
105 s = string_copy(filename);
106 sigalrm_seen = FALSE;
107
108 if (saved_errno == ENOENT)
109 {
110 uschar * slash = Ustrrchr(s, '/');
111 Ustrcpy(slash+1, US".");
112
113 ALARM(30);
114 rc = Ustat(s, &statbuf);
115 if (rc != 0 && errno == EACCES && !sigalrm_seen)
116 {
117 *slash = 0;
118 rc = Ustat(s, &statbuf);
119 }
120 saved_errno = errno;
121 ALARM_CLR(0);
122
123 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
124 }
125
126 if (sigalrm_seen || rc != 0)
127 {
128 *error = string_sprintf("failed to stat %s (%s)", s,
129 sigalrm_seen? "timeout" : strerror(saved_errno));
130 return FILE_EXIST_UNCLEAR;
131 }
132
133 *error = string_sprintf("%s does not exist", filename);
134 DEBUG(D_route) debug_printf("%s\n", *error);
135 return FILE_NOT_EXIST;
136 }
137
138
139
140 /*************************************************
141 * Get forwarding list from a file *
142 *************************************************/
143
144 /* Open a file and read its entire contents into a block of memory. Certain
145 opening errors are optionally treated the same as "file does not exist".
146
147 ENOTDIR means that something along the line is not a directory: there are
148 installations that set home directories to be /dev/null for non-login accounts
149 but in normal circumstances this indicates some kind of configuration error.
150
151 EACCES means there's a permissions failure. Some users turn off read permission
152 on a .forward file to suspend forwarding, but this is probably an error in any
153 kind of mailing list processing.
154
155 The redirect block that contains the file name also contains constraints such
156 as who may own the file, and mode bits that must not be set. This function is
157
158 Arguments:
159 rdata rdirect block, containing file name and constraints
160 options for the RDO_ENOTDIR and RDO_EACCES options
161 error where to put an error message
162 yield what to return from rda_interpret on error
163
164 Returns: pointer to string in store; NULL on error
165 */
166
167 static uschar *
168 rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
169 int *yield)
170 {
171 FILE *fwd;
172 uschar *filebuf;
173 uschar *filename = rdata->string;
174 BOOL uid_ok = !rdata->check_owner;
175 BOOL gid_ok = !rdata->check_group;
176 struct stat statbuf;
177
178 /* Attempt to open the file. If it appears not to exist, check up on the
179 containing directory by statting it. If the directory does not exist, we treat
180 this situation as an error (which will cause delivery to defer); otherwise we
181 pass back FF_NONEXIST, which causes the redirect router to decline.
182
183 However, if the ignore_enotdir option is set (to ignore "something on the
184 path is not a directory" errors), the right behaviour seems to be not to do the
185 directory test. */
186
187 if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
188 {
189 case ENOENT: /* File does not exist */
190 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
191 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
192 *yield =
193 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
194 ? FF_NONEXIST : FF_ERROR;
195 return NULL;
196
197 case ENOTDIR: /* Something on the path isn't a directory */
198 if ((options & RDO_ENOTDIR) == 0) goto DEFAULT_ERROR;
199 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
200 "exist\n", filename);
201 *yield = FF_NONEXIST;
202 return NULL;
203
204 case EACCES: /* Permission denied */
205 if ((options & RDO_EACCES) == 0) goto DEFAULT_ERROR;
206 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
207 "exist\n", filename);
208 *yield = FF_NONEXIST;
209 return NULL;
210
211 DEFAULT_ERROR:
212 default:
213 *error = string_open_failed(errno, "%s", filename);
214 *yield = FF_ERROR;
215 return NULL;
216 }
217
218 /* Check that we have a regular file. */
219
220 if (fstat(fileno(fwd), &statbuf) != 0)
221 {
222 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
223 goto ERROR_RETURN;
224 }
225
226 if ((statbuf.st_mode & S_IFMT) != S_IFREG)
227 {
228 *error = string_sprintf("%s is not a regular file", filename);
229 goto ERROR_RETURN;
230 }
231
232 /* Check for unwanted mode bits */
233
234 if ((statbuf.st_mode & rdata->modemask) != 0)
235 {
236 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
237 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
238 goto ERROR_RETURN;
239 }
240
241 /* Check the file owner and file group if required to do so. */
242
243 if (!uid_ok)
244 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
245 uid_ok = TRUE;
246 else if (rdata->owners)
247 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
248 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
249
250 if (!gid_ok)
251 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
252 gid_ok = TRUE;
253 else if (rdata->owngroups)
254 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
255 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
256
257 if (!uid_ok || !gid_ok)
258 {
259 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
260 goto ERROR_RETURN;
261 }
262
263 /* Put an upper limit on the size of the file, just to stop silly people
264 feeding in ridiculously large files, which can easily be created by making
265 files that have holes in them. */
266
267 if (statbuf.st_size > MAX_FILTER_SIZE)
268 {
269 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
270 goto ERROR_RETURN;
271 }
272
273 /* Read the file in one go in order to minimize the time we have it open. */
274
275 filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
276
277 if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
278 {
279 *error = string_sprintf("error while reading %s: %s",
280 filename, strerror(errno));
281 goto ERROR_RETURN;
282 }
283 filebuf[statbuf.st_size] = 0;
284
285 DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
286 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
287
288 (void)fclose(fwd);
289 return filebuf;
290
291 /* Return an error: the string is already set up. */
292
293 ERROR_RETURN:
294 *yield = FF_ERROR;
295 (void)fclose(fwd);
296 return NULL;
297 }
298
299
300
301 /*************************************************
302 * Extract info from list or filter *
303 *************************************************/
304
305 /* This function calls the appropriate function to extract addresses from a
306 forwarding list, or to run a filter file and get addresses from there.
307
308 Arguments:
309 rdata the redirection block
310 options the options bits
311 include_directory restrain to this directory
312 sieve_vacation_directory passed to sieve_interpret
313 sieve_enotify_mailto_owner passed to sieve_interpret
314 sieve_useraddress passed to sieve_interpret
315 sieve_subaddress passed to sieve_interpret
316 generated where to hang generated addresses
317 error for error messages
318 eblockp for details of skipped syntax errors
319 (NULL => no skip)
320 filtertype set to the filter type:
321 FILTER_FORWARD => a traditional .forward file
322 FILTER_EXIM => an Exim filter file
323 FILTER_SIEVE => a Sieve filter file
324 a system filter is always forced to be FILTER_EXIM
325
326 Returns: a suitable return for rda_interpret()
327 */
328
329 static int
330 rda_extract(redirect_block *rdata, int options, uschar *include_directory,
331 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
332 uschar *sieve_useraddress, uschar *sieve_subaddress,
333 address_item **generated, uschar **error, error_block **eblockp,
334 int *filtertype)
335 {
336 uschar *data;
337
338 if (rdata->isfile)
339 {
340 int yield = 0;
341 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
342 return yield;
343 }
344 else data = rdata->string;
345
346 *filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
347
348 /* Filter interpretation is done by a general function that is also called from
349 the filter testing option (-bf). There are two versions: one for Exim filtering
350 and one for Sieve filtering. Several features of string expansion may be locked
351 out at sites that don't trust users. This is done by setting flags in
352 expand_forbid that the expander inspects. */
353
354 if (*filtertype != FILTER_FORWARD)
355 {
356 int frc;
357 int old_expand_forbid = expand_forbid;
358
359 DEBUG(D_route) debug_printf("data is %s filter program\n",
360 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
361
362 /* RDO_FILTER is an "allow" bit */
363
364 if ((options & RDO_FILTER) == 0)
365 {
366 *error = US"filtering not enabled";
367 return FF_ERROR;
368 }
369
370 expand_forbid =
371 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
372
373 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
374
375 if (*filtertype == FILTER_EXIM)
376 {
377 if ((options & RDO_EXIM_FILTER) != 0)
378 {
379 *error = US"Exim filtering not enabled";
380 return FF_ERROR;
381 }
382 frc = filter_interpret(data, options, generated, error);
383 }
384 else
385 {
386 if ((options & RDO_SIEVE_FILTER) != 0)
387 {
388 *error = US"Sieve filtering not enabled";
389 return FF_ERROR;
390 }
391 frc = sieve_interpret(data, options, sieve_vacation_directory,
392 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
393 generated, error);
394 }
395
396 expand_forbid = old_expand_forbid;
397 return frc;
398 }
399
400 /* Not a filter script */
401
402 DEBUG(D_route) debug_printf("file is not a filter file\n");
403
404 return parse_forward_list(data,
405 options, /* specials that are allowed */
406 generated, /* where to hang them */
407 error, /* for errors */
408 deliver_domain, /* to qualify \name */
409 include_directory, /* restrain to directory */
410 eblockp); /* for skipped syntax errors */
411 }
412
413
414
415
416 /*************************************************
417 * Write string down pipe *
418 *************************************************/
419
420 /* This function is used for transferring a string down a pipe between
421 processes. If the pointer is NULL, a length of zero is written.
422
423 Arguments:
424 fd the pipe
425 s the string
426
427 Returns: -1 on error, else 0
428 */
429
430 static int
431 rda_write_string(int fd, const uschar *s)
432 {
433 int len = (s == NULL)? 0 : Ustrlen(s) + 1;
434 return ( write(fd, &len, sizeof(int)) != sizeof(int)
435 || (s != NULL && write(fd, s, len) != len)
436 )
437 ? -1 : 0;
438 }
439
440
441
442 /*************************************************
443 * Read string from pipe *
444 *************************************************/
445
446 /* This function is used for receiving a string from a pipe.
447
448 Arguments:
449 fd the pipe
450 sp where to put the string
451
452 Returns: FALSE if data missing
453 */
454
455 static BOOL
456 rda_read_string(int fd, uschar **sp)
457 {
458 int len;
459
460 if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
461 if (len == 0)
462 *sp = NULL;
463 else
464 /* We know we have enough memory so disable the error on "len" */
465 /* coverity[tainted_data] */
466 /* We trust the data source, so untainted */
467 if (read(fd, *sp = store_get(len, FALSE), len) != len) return FALSE;
468 return TRUE;
469 }
470
471
472
473 /*************************************************
474 * Interpret forward list or filter *
475 *************************************************/
476
477 /* This function is passed a forward list string (unexpanded) or the name of a
478 file (unexpanded) whose contents are the forwarding list. The list may in fact
479 be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
480 types of filter, with different initial tag strings, may be introduced in due
481 course.
482
483 The job of the function is to process the forwarding list or filter. It is
484 pulled out into this separate function, because it is used for system filter
485 files as well as from the redirect router.
486
487 If the function is given a uid/gid, it runs a subprocess that passes the
488 results back via a pipe. This provides security for things like :include:s in
489 users' .forward files, and "logwrite" calls in users' filter files. A
490 sub-process is NOT used when:
491
492 . No uid/gid is provided
493 . The input is a string which is not a filter string, and does not contain
494 :include:
495 . The input is a file whose non-existence can be detected in the main
496 process (which is usually running as root).
497
498 Arguments:
499 rdata redirect data (file + constraints, or data string)
500 options options to pass to the extraction functions,
501 plus ENOTDIR and EACCES handling bits
502 include_directory restrain :include: to this directory
503 sieve_vacation_directory directory passed to sieve_interpret
504 sieve_enotify_mailto_owner passed to sieve_interpret
505 sieve_useraddress passed to sieve_interpret
506 sieve_subaddress passed to sieve_interpret
507 ugid uid/gid to run under - if NULL, no change
508 generated where to hang generated addresses, initially NULL
509 error pointer for error message
510 eblockp for skipped syntax errors; NULL if no skipping
511 filtertype set to the type of file:
512 FILTER_FORWARD => traditional .forward file
513 FILTER_EXIM => an Exim filter file
514 FILTER_SIEVE => a Sieve filter file
515 a system filter is always forced to be FILTER_EXIM
516 rname router name for error messages in the format
517 "xxx router" or "system filter"
518
519 Returns: values from extraction function, or FF_NONEXIST:
520 FF_DELIVERED success, a significant action was taken
521 FF_NOTDELIVERED success, no significant action
522 FF_BLACKHOLE :blackhole:
523 FF_DEFER defer requested
524 FF_FAIL fail requested
525 FF_INCLUDEFAIL some problem with :include:
526 FF_FREEZE freeze requested
527 FF_ERROR there was a problem
528 FF_NONEXIST the file does not exist
529 */
530
531 int
532 rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
533 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
534 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
535 address_item **generated, uschar **error, error_block **eblockp,
536 int *filtertype, uschar *rname)
537 {
538 int fd, rc, pfd[2];
539 int yield, status;
540 BOOL had_disaster = FALSE;
541 pid_t pid;
542 uschar *data;
543 uschar *readerror = US"";
544 void (*oldsignal)(int);
545
546 DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
547 rdata->isfile ? "file" : "string", string_printing(rdata->string));
548
549 /* Do the expansions of the file name or data first, while still privileged. */
550
551 if (!(data = expand_string(rdata->string)))
552 {
553 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
554 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
555 expand_string_message);
556 return FF_ERROR;
557 }
558 rdata->string = data;
559
560 DEBUG(D_route)
561 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
562
563 if (rdata->isfile && data[0] != '/')
564 {
565 *error = string_sprintf("\"%s\" is not an absolute path", data);
566 return FF_ERROR;
567 }
568
569 /* If no uid/gid are supplied, or if we have a data string which does not start
570 with #Exim filter or #Sieve filter, and does not contain :include:, do all the
571 work in this process. Note that for a system filter, we always have a file, so
572 the work is done in this process only if no user is supplied. */
573
574 if (!ugid->uid_set || /* Either there's no uid, or */
575 (!rdata->isfile && /* We've got the data, and */
576 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
577 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
578 {
579 return rda_extract(rdata, options, include_directory,
580 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
581 sieve_subaddress, generated, error, eblockp, filtertype);
582 }
583
584 /* We need to run the processing code in a sub-process. However, if we can
585 determine the non-existence of a file first, we can decline without having to
586 create the sub-process. */
587
588 if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
589 return FF_NONEXIST;
590
591 /* If the file does exist, or we can't tell (non-root mounted NFS directory)
592 we have to create the subprocess to do everything as the given user. The
593 results of processing are passed back via a pipe. */
594
595 if (pipe(pfd) != 0)
596 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
597 ":include: failed for %s: %s", rname, strerror(errno));
598
599 /* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
600 process can be waited for. We sometimes get here with it set otherwise. Save
601 the old state for resetting on the wait. Ensure that all cached resources are
602 freed so that the subprocess starts with a clean slate and doesn't interfere
603 with the parent process. */
604
605 oldsignal = signal(SIGCHLD, SIG_DFL);
606 search_tidyup();
607
608 if ((pid = fork()) == 0)
609 {
610 header_line *waslast = header_last; /* Save last header */
611
612 fd = pfd[pipe_write];
613 (void)close(pfd[pipe_read]);
614 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
615
616 /* Addresses can get rewritten in filters; if we are not root or the exim
617 user (and we probably are not), turn off rewrite logging, because we cannot
618 write to the log now. */
619
620 if (ugid->uid != root_uid && ugid->uid != exim_uid)
621 {
622 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
623 "root or exim in this process)\n");
624 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
625 }
626
627 /* Now do the business */
628
629 yield = rda_extract(rdata, options, include_directory,
630 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
631 sieve_subaddress, generated, error, eblockp, filtertype);
632
633 /* Pass back whether it was a filter, and the return code and any overall
634 error text via the pipe. */
635
636 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
637 || write(fd, &yield, sizeof(int)) != sizeof(int)
638 || rda_write_string(fd, *error) != 0
639 )
640 goto bad;
641
642 /* Pass back the contents of any syntax error blocks if we have a pointer */
643
644 if (eblockp)
645 {
646 for (error_block * ep = *eblockp; ep; ep = ep->next)
647 if ( rda_write_string(fd, ep->text1) != 0
648 || rda_write_string(fd, ep->text2) != 0
649 )
650 goto bad;
651 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
652 goto bad;
653 }
654
655 /* If this is a system filter, we have to pass back the numbers of any
656 original header lines that were removed, and then any header lines that were
657 added but not subsequently removed. */
658
659 if (f.system_filtering)
660 {
661 int i = 0;
662 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
663 if ( h->type == htype_old
664 && write(fd, &i, sizeof(i)) != sizeof(i)
665 )
666 goto bad;
667
668 i = -1;
669 if (write(fd, &i, sizeof(i)) != sizeof(i))
670 goto bad;
671
672 while (waslast != header_last)
673 {
674 waslast = waslast->next;
675 if (waslast->type != htype_old)
676 if ( rda_write_string(fd, waslast->text) != 0
677 || write(fd, &(waslast->type), sizeof(waslast->type))
678 != sizeof(waslast->type)
679 )
680 goto bad;
681 }
682 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
683 goto bad;
684 }
685
686 /* Write the contents of the $n variables */
687
688 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
689 goto bad;
690
691 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
692 addresses, and their associated information, through the pipe. This is
693 just tedious, but it seems to be the only safe way. We do this also for
694 FAIL and FREEZE, because a filter is allowed to set up deliveries that
695 are honoured before freezing or failing. */
696
697 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
698 yield == FF_FAIL || yield == FF_FREEZE)
699 {
700 for (address_item * addr = *generated; addr; addr = addr->next)
701 {
702 int reply_options = 0;
703 int ig_err = addr->prop.ignore_error ? 1 : 0;
704
705 if ( rda_write_string(fd, addr->address) != 0
706 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
707 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
708 || rda_write_string(fd, addr->prop.errors_address) != 0
709 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
710 )
711 goto bad;
712
713 if (addr->pipe_expandn)
714 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
715 if (rda_write_string(fd, *pp) != 0)
716 goto bad;
717 if (rda_write_string(fd, NULL) != 0)
718 goto bad;
719
720 if (!addr->reply)
721 {
722 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
723 goto bad;
724 }
725 else
726 {
727 reply_options |= REPLY_EXISTS;
728 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
729 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
730 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
731 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
732 != sizeof(int)
733 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
734 != sizeof(time_t)
735 || rda_write_string(fd, addr->reply->to) != 0
736 || rda_write_string(fd, addr->reply->cc) != 0
737 || rda_write_string(fd, addr->reply->bcc) != 0
738 || rda_write_string(fd, addr->reply->from) != 0
739 || rda_write_string(fd, addr->reply->reply_to) != 0
740 || rda_write_string(fd, addr->reply->subject) != 0
741 || rda_write_string(fd, addr->reply->headers) != 0
742 || rda_write_string(fd, addr->reply->text) != 0
743 || rda_write_string(fd, addr->reply->file) != 0
744 || rda_write_string(fd, addr->reply->logfile) != 0
745 || rda_write_string(fd, addr->reply->oncelog) != 0
746 )
747 goto bad;
748 }
749 }
750
751 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
752 goto bad;
753 }
754
755 /* OK, this process is now done. Free any cached resources. Must use _exit()
756 and not exit() !! */
757
758 out:
759 (void)close(fd);
760 search_tidyup();
761 exim_underbar_exit(0);
762
763 bad:
764 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
765 goto out;
766 }
767
768 /* Back in the main process: panic if the fork did not succeed. */
769
770 if (pid < 0)
771 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
772
773 /* Read the pipe to get the data from the filter/forward. Our copy of the
774 writing end must be closed first, as otherwise read() won't return zero on an
775 empty pipe. Afterwards, close the reading end. */
776
777 (void)close(pfd[pipe_write]);
778
779 /* Read initial data, including yield and contents of *error */
780
781 fd = pfd[pipe_read];
782 if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
783 read(fd, &yield, sizeof(int)) != sizeof(int) ||
784 !rda_read_string(fd, error)) goto DISASTER;
785
786 /* Read the contents of any syntax error blocks if we have a pointer */
787
788 if (eblockp)
789 {
790 error_block *e;
791 for (error_block ** p = eblockp; ; p = &e->next)
792 {
793 uschar *s;
794 if (!rda_read_string(fd, &s)) goto DISASTER;
795 if (!s) break;
796 e = store_get(sizeof(error_block), FALSE);
797 e->next = NULL;
798 e->text1 = s;
799 if (!rda_read_string(fd, &s)) goto DISASTER;
800 e->text2 = s;
801 *p = e;
802 }
803 }
804
805 /* If this is a system filter, read the identify of any original header lines
806 that were removed, and then read data for any new ones that were added. */
807
808 if (f.system_filtering)
809 {
810 int hn = 0;
811 header_line *h = header_list;
812
813 for (;;)
814 {
815 int n;
816 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
817 if (n < 0) break;
818 while (hn < n)
819 {
820 hn++;
821 if (!(h = h->next)) goto DISASTER_NO_HEADER;
822 }
823 h->type = htype_old;
824 }
825
826 for (;;)
827 {
828 uschar *s;
829 int type;
830 if (!rda_read_string(fd, &s)) goto DISASTER;
831 if (!s) break;
832 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
833 header_add(type, "%s", s);
834 }
835 }
836
837 /* Read the values of the $n variables */
838
839 if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
840
841 /* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
842 addresses and data to go with them. Keep them in the same order in the
843 generated chain. */
844
845 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
846 yield == FF_FAIL || yield == FF_FREEZE)
847 {
848 address_item **nextp = generated;
849
850 for (;;)
851 {
852 int i, reply_options;
853 address_item *addr;
854 uschar *recipient;
855 uschar *expandn[EXPAND_MAXN + 2];
856
857 /* First string is the address; NULL => end of addresses */
858
859 if (!rda_read_string(fd, &recipient)) goto DISASTER;
860 if (!recipient) break;
861
862 /* Hang on the end of the chain */
863
864 addr = deliver_make_addr(recipient, FALSE);
865 *nextp = addr;
866 nextp = &(addr->next);
867
868 /* Next comes the mode and the flags fields */
869
870 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
871 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
872 || !rda_read_string(fd, &addr->prop.errors_address)
873 || read(fd, &i, sizeof(i)) != sizeof(i)
874 )
875 goto DISASTER;
876 addr->prop.ignore_error = (i != 0);
877
878 /* Next comes a possible setting for $thisaddress and any numerical
879 variables for pipe expansion, terminated by a NULL string. The maximum
880 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
881 into the zeroth item in the vector - this is sorted out inside the pipe
882 transport. */
883
884 for (i = 0; i < EXPAND_MAXN + 1; i++)
885 {
886 uschar *temp;
887 if (!rda_read_string(fd, &temp)) goto DISASTER;
888 if (i == 0) filter_thisaddress = temp; /* Just in case */
889 expandn[i] = temp;
890 if (temp == NULL) break;
891 }
892
893 if (i > 0)
894 {
895 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), FALSE);
896 addr->pipe_expandn[i] = NULL;
897 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
898 }
899
900 /* Then an int containing reply options; zero => no reply data. */
901
902 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
903 if ((reply_options & REPLY_EXISTS) != 0)
904 {
905 addr->reply = store_get(sizeof(reply_item), FALSE);
906
907 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
908 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
909
910 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
911 sizeof(int) ||
912 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
913 sizeof(time_t) ||
914 !rda_read_string(fd, &(addr->reply->to)) ||
915 !rda_read_string(fd, &(addr->reply->cc)) ||
916 !rda_read_string(fd, &(addr->reply->bcc)) ||
917 !rda_read_string(fd, &(addr->reply->from)) ||
918 !rda_read_string(fd, &(addr->reply->reply_to)) ||
919 !rda_read_string(fd, &(addr->reply->subject)) ||
920 !rda_read_string(fd, &(addr->reply->headers)) ||
921 !rda_read_string(fd, &(addr->reply->text)) ||
922 !rda_read_string(fd, &(addr->reply->file)) ||
923 !rda_read_string(fd, &(addr->reply->logfile)) ||
924 !rda_read_string(fd, &(addr->reply->oncelog)))
925 goto DISASTER;
926 }
927 }
928 }
929
930 /* All data has been transferred from the sub-process. Reap it, close the
931 reading end of the pipe, and we are done. */
932
933 WAIT_EXIT:
934 while ((rc = wait(&status)) != pid)
935 {
936 if (rc < 0 && errno == ECHILD) /* Process has vanished */
937 {
938 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
939 goto FINAL_EXIT;
940 }
941 }
942
943 DEBUG(D_route)
944 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
945
946 if (had_disaster)
947 {
948 *error = string_sprintf("internal problem in %s: failure to transfer "
949 "data from subprocess: status=%04x%s%s%s", rname,
950 status, readerror,
951 (*error == NULL)? US"" : US": error=",
952 (*error == NULL)? US"" : *error);
953 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
954 }
955 else if (status != 0)
956 {
957 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
958 "%04x from redirect subprocess (but data correctly received)", rname,
959 status);
960 }
961
962 FINAL_EXIT:
963 (void)close(fd);
964 signal(SIGCHLD, oldsignal); /* restore */
965 return yield;
966
967
968 /* Come here if the data indicates removal of a header that we can't find */
969
970 DISASTER_NO_HEADER:
971 readerror = US" readerror=bad header identifier";
972 had_disaster = TRUE;
973 yield = FF_ERROR;
974 goto WAIT_EXIT;
975
976 /* Come here is there's a shambles in transferring the data over the pipe. The
977 value of errno should still be set. */
978
979 DISASTER:
980 readerror = string_sprintf(" readerror='%s'", strerror(errno));
981 had_disaster = TRUE;
982 yield = FF_ERROR;
983 goto WAIT_EXIT;
984 }
985
986 /* End of rda.c */
Unnamed repository; edit this file 'description' to name the repository.