From 5cb18fca8873da273fb80931b620892586cbffaf Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 8 Nov 2019 22:30:04 +0000
Subject: [PATCH] Regard command-line recipients as tainted

(cherry picked from commit f0fe22cbc29ee4f887aa254f2590a9e72401e237)
---
 doc/doc-txt/ChangeLog |  2 ++
 src/src/exim.c        | 19 ++++++++++---------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a71cb9f0f..4211043fa 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -9,6 +9,8 @@ This is not an official release. It is just a branch, collecting
 proposed bugfixes. Depending on your environment the fixes may be
 necessary to build and/or run Exim successfully.
 
+JH/05 Regard command-line receipients as tainted.
+
 JH/07 Bug 2489: Fix crash in the "pam" expansion condition.  It seems that the
       PAM library frees one of the arguments given to it, despite the
       documentation.  Therefore a plain malloc must be used.
diff --git a/src/src/exim.c b/src/src/exim.c
index 6a2e7a644..0e839c5d4 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -4822,8 +4822,9 @@ if (verify_address_mode || f.address_test_mode)
     {
     while (recipients_arg < argc)
       {
-      uschar *s = argv[recipients_arg++];
-      while (*s != 0)
+      /* Supplied addresses are tainted since they come from a user */
+      uschar * s = string_copy_taint(argv[recipients_arg++], TRUE);
+      while (*s)
         {
         BOOL finished = FALSE;
         uschar *ss = parse_find_address_end(s, FALSE);
@@ -4831,16 +4832,16 @@ if (verify_address_mode || f.address_test_mode)
         test_address(s, flags, &exit_value);
         s = ss;
         if (!finished)
-          while (*(++s) != 0 && (*s == ',' || isspace(*s)));
+          while (*++s == ',' || isspace(*s)) ;
         }
       }
     }
 
   else for (;;)
     {
-    uschar *s = get_stdinput(NULL, NULL);
-    if (s == NULL) break;
-    test_address(s, flags, &exit_value);
+    uschar * s = get_stdinput(NULL, NULL);
+    if (!s) break;
+    test_address(string_copy_taint(s, TRUE), flags, &exit_value);
     }
 
   route_tidyup();
@@ -5334,13 +5335,13 @@ while (more)
 
     raw_sender = string_copy(sender_address);
 
-    /* Loop for each argument */
+    /* Loop for each argument (supplied by user hence tainted) */
 
     for (int i = 0; i < count; i++)
       {
       int start, end, domain;
-      uschar *errmess;
-      uschar *s = list[i];
+      uschar * errmess;
+      uschar * s = string_copy_taint(list[i], TRUE);
 
       /* Loop for each comma-separated address */
 
-- 
2.25.1