projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tidying
[exim.git] / src / src / rda.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
7d99cba1 6/* Copyright (c) The Exim maintainers 2020 */
059ec3d9
PH		 7/* See the file NOTICE for conditions of use and distribution. */
8
9/* This module contains code for extracting addresses from a forwarding list
10(from an alias or forward file) or by running the filter interpreter. It may do
11this in a sub-process if a uid/gid are supplied. */
12
13
14#include "exim.h"
15
16enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
17
18#define REPLY_EXISTS 0x01
19#define REPLY_EXPAND 0x02
20#define REPLY_RETURN 0x04
21
22
23/*************************************************
24* Check string for filter program *
25*************************************************/
26
27/* This function checks whether a string is actually a filter program. The rule
28is that it must start with "# Exim filter ..." (any capitalization, spaces
29optional). It is envisaged that in future, other kinds of filter may be
30implemented. That's why it is implemented the way it is. The function is global
31because it is also called from filter.c when checking filters.
32
33Argument: the string
34
35Returns: FILTER_EXIM if it starts with "# Exim filter"
36 FILTER_SIEVE if it starts with "# Sieve filter"
37 FILTER_FORWARD otherwise
38*/
39
40/* This is an auxiliary function for matching a tag. */
41
42static BOOL
43match_tag(const uschar *s, const uschar *tag)
44{
45for (; *tag != 0; s++, tag++)
059ec3d9
PH		 46 if (*tag == ' ')
47 {
48 while (*s == ' ' || *s == '\t') s++;
49 s--;
50 }
d7978c0f
JH		 51 else
52 if (tolower(*s) != tolower(*tag)) break;
53
059ec3d9
PH		 54return (*tag == 0);
55}
56
57/* This is the real function. It should be easy to add checking different
58tags for other types of filter. */
59
60int
61rda_is_filter(const uschar *s)
62{
63while (isspace(*s)) s++; /* Skips initial blank lines */
64if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
65 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
66 else return FILTER_FORWARD;
67}
68
69
70
71
72/*************************************************
73* Check for existence of file *
74*************************************************/
75
76/* First of all, we stat the file. If this fails, we try to stat the enclosing
77directory, because a file in an unmounted NFS directory will look the same as a
78non-existent file. It seems that in Solaris 2.6, statting an entry in an
79indirect map that is currently unmounted does not cause the mount to happen.
80Instead, dummy data is returned, which defeats the whole point of this test.
81However, if a stat() is done on some object inside the directory, such as the
82"." back reference to itself, then the mount does occur. If an NFS host is
83taken offline, it is possible for the stat() to get stuck until it comes back.
84To guard against this, stick a timer round it. If we can't access the "."
85inside the directory, try the plain directory, just in case that helps.
86
87Argument:
88 filename the file name
89 error for message on error
90
91Returns: FILE_EXIST the file exists
92 FILE_NOT_EXIST the file does not exist
93 FILE_EXIST_UNCLEAR cannot determine existence
94*/
95
96static int
97rda_exists(uschar *filename, uschar **error)
98{
99int rc, saved_errno;
059ec3d9 100struct stat statbuf;
f3ebb786 101uschar * s;
059ec3d9
PH		 102
103if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
104saved_errno = errno;
105
f3ebb786 106s = string_copy(filename);
059ec3d9
PH		 107sigalrm_seen = FALSE;
108
109if (saved_errno == ENOENT)
110 {
f3ebb786
JH		 111 uschar * slash = Ustrrchr(s, '/');
112 Ustrcpy(slash+1, US".");
059ec3d9 113
c2a1bba0 114 ALARM(30);
f3ebb786 115 rc = Ustat(s, &statbuf);
059ec3d9
PH		 116 if (rc != 0 && errno == EACCES && !sigalrm_seen)
117 {
118 *slash = 0;
f3ebb786 119 rc = Ustat(s, &statbuf);
059ec3d9
PH		 120 }
121 saved_errno = errno;
c2a1bba0 122 ALARM_CLR(0);
059ec3d9 123
f3ebb786 124 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
059ec3d9
PH		 125 }
126
127if (sigalrm_seen || rc != 0)
128 {
f3ebb786
JH		 129 *error = string_sprintf("failed to stat %s (%s)", s,
130 sigalrm_seen? "timeout" : strerror(saved_errno));
059ec3d9
PH		 131 return FILE_EXIST_UNCLEAR;
132 }
133
134*error = string_sprintf("%s does not exist", filename);
135DEBUG(D_route) debug_printf("%s\n", *error);
136return FILE_NOT_EXIST;
137}
138
139
140
141/*************************************************
142* Get forwarding list from a file *
143*************************************************/
144
145/* Open a file and read its entire contents into a block of memory. Certain
146opening errors are optionally treated the same as "file does not exist".
147
148ENOTDIR means that something along the line is not a directory: there are
149installations that set home directories to be /dev/null for non-login accounts
150but in normal circumstances this indicates some kind of configuration error.
151
152EACCES means there's a permissions failure. Some users turn off read permission
153on a .forward file to suspend forwarding, but this is probably an error in any
154kind of mailing list processing.
155
156The redirect block that contains the file name also contains constraints such
157as who may own the file, and mode bits that must not be set. This function is
158
159Arguments:
160 rdata rdirect block, containing file name and constraints
161 options for the RDO_ENOTDIR and RDO_EACCES options
162 error where to put an error message
163 yield what to return from rda_interpret on error
164
165Returns: pointer to string in store; NULL on error
166*/
167
168static uschar *
169rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
170 int *yield)
171{
172FILE *fwd;
173uschar *filebuf;
174uschar *filename = rdata->string;
175BOOL uid_ok = !rdata->check_owner;
176BOOL gid_ok = !rdata->check_group;
177struct stat statbuf;
178
7d99cba1
JH		 179/* Reading a file is a form of expansion; we wish to deny attackers the
180capability to specify the file name. */
181
182if (is_tainted(filename))
183 {
184 *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
185 filename);
186 *yield = FF_ERROR;
187 return NULL;
188 }
189
059ec3d9
PH		 190/* Attempt to open the file. If it appears not to exist, check up on the
191containing directory by statting it. If the directory does not exist, we treat
192this situation as an error (which will cause delivery to defer); otherwise we
193pass back FF_NONEXIST, which causes the redirect router to decline.
194
195However, if the ignore_enotdir option is set (to ignore "something on the
196path is not a directory" errors), the right behaviour seems to be not to do the
197directory test. */
198
f5bf7636 199if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
059ec3d9 200 {
f5bf7636 201 case ENOENT: /* File does not exist */
059ec3d9 202 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
f5bf7636
JH		 203 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
204 *yield =
205 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
206 ? FF_NONEXIST : FF_ERROR;
059ec3d9
PH		 207 return NULL;
208
f5bf7636 209 case ENOTDIR: /* Something on the path isn't a directory */
7d99cba1 210 if (!(options & RDO_ENOTDIR)) goto DEFAULT_ERROR;
059ec3d9
PH		 211 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
212 "exist\n", filename);
213 *yield = FF_NONEXIST;
214 return NULL;
215
f5bf7636 216 case EACCES: /* Permission denied */
7d99cba1 217 if (!(options & RDO_EACCES)) goto DEFAULT_ERROR;
059ec3d9
PH		 218 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
219 "exist\n", filename);
220 *yield = FF_NONEXIST;
221 return NULL;
222
7d99cba1 223DEFAULT_ERROR:
f5bf7636 224 default:
059ec3d9
PH		 225 *error = string_open_failed(errno, "%s", filename);
226 *yield = FF_ERROR;
227 return NULL;
059ec3d9
PH		 228 }
229
230/* Check that we have a regular file. */
231
232if (fstat(fileno(fwd), &statbuf) != 0)
233 {
234 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
235 goto ERROR_RETURN;
236 }
237
238if ((statbuf.st_mode & S_IFMT) != S_IFREG)
239 {
240 *error = string_sprintf("%s is not a regular file", filename);
241 goto ERROR_RETURN;
242 }
243
244/* Check for unwanted mode bits */
245
246if ((statbuf.st_mode & rdata->modemask) != 0)
247 {
248 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
249 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
250 goto ERROR_RETURN;
251 }
252
253/* Check the file owner and file group if required to do so. */
254
255if (!uid_ok)
f5bf7636 256 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
059ec3d9 257 uid_ok = TRUE;
f5bf7636 258 else if (rdata->owners)
d7978c0f 259 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
059ec3d9 260 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
059ec3d9
PH		 261
262if (!gid_ok)
f5bf7636 263 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
059ec3d9 264 gid_ok = TRUE;
f5bf7636 265 else if (rdata->owngroups)
d7978c0f 266 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
059ec3d9 267 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
059ec3d9
PH		 268
269if (!uid_ok || !gid_ok)
270 {
271 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
272 goto ERROR_RETURN;
273 }
274
275/* Put an upper limit on the size of the file, just to stop silly people
276feeding in ridiculously large files, which can easily be created by making
277files that have holes in them. */
278
279if (statbuf.st_size > MAX_FILTER_SIZE)
280 {
281 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
282 goto ERROR_RETURN;
283 }
284
285/* Read the file in one go in order to minimize the time we have it open. */
286
f3ebb786 287filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
059ec3d9
PH		 288
289if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
290 {
291 *error = string_sprintf("error while reading %s: %s",
292 filename, strerror(errno));
293 goto ERROR_RETURN;
294 }
295filebuf[statbuf.st_size] = 0;
296
f5bf7636
JH		 297DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
298 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
059ec3d9 299
f1e894f3 300(void)fclose(fwd);
059ec3d9
PH		 301return filebuf;
302
303/* Return an error: the string is already set up. */
304
305ERROR_RETURN:
306*yield = FF_ERROR;
f1e894f3 307(void)fclose(fwd);
059ec3d9
PH		 308return NULL;
309}
310
311
312
313/*************************************************
314* Extract info from list or filter *
315*************************************************/
316
317/* This function calls the appropriate function to extract addresses from a
318forwarding list, or to run a filter file and get addresses from there.
319
320Arguments:
321 rdata the redirection block
322 options the options bits
323 include_directory restrain to this directory
324 sieve_vacation_directory passed to sieve_interpret
efd9a422 325 sieve_enotify_mailto_owner passed to sieve_interpret
e4a89c47
PH		 326 sieve_useraddress passed to sieve_interpret
327 sieve_subaddress passed to sieve_interpret
059ec3d9
PH		 328 generated where to hang generated addresses
329 error for error messages
330 eblockp for details of skipped syntax errors
331 (NULL => no skip)
332 filtertype set to the filter type:
333 FILTER_FORWARD => a traditional .forward file
334 FILTER_EXIM => an Exim filter file
335 FILTER_SIEVE => a Sieve filter file
336 a system filter is always forced to be FILTER_EXIM
337
338Returns: a suitable return for rda_interpret()
339*/
340
341static int
342rda_extract(redirect_block *rdata, int options, uschar *include_directory,
efd9a422
MH		 343 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
344 uschar *sieve_useraddress, uschar *sieve_subaddress,
345 address_item **generated, uschar **error, error_block **eblockp,
346 int *filtertype)
059ec3d9
PH		 347{
348uschar *data;
349
350if (rdata->isfile)
351 {
91ecef39 352 int yield = 0;
f5bf7636
JH		 353 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
354 return yield;
059ec3d9
PH		 355 }
356else data = rdata->string;
357
8768d548 358*filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
059ec3d9
PH		 359
360/* Filter interpretation is done by a general function that is also called from
361the filter testing option (-bf). There are two versions: one for Exim filtering
362and one for Sieve filtering. Several features of string expansion may be locked
363out at sites that don't trust users. This is done by setting flags in
364expand_forbid that the expander inspects. */
365
366if (*filtertype != FILTER_FORWARD)
367 {
368 int frc;
369 int old_expand_forbid = expand_forbid;
370
23c7ff99 371 DEBUG(D_route) debug_printf("data is %s filter program\n",
f3ebb786 372 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
23c7ff99
PH		 373
374 /* RDO_FILTER is an "allow" bit */
8e669ac1 375
7d99cba1 376 if (!(options & RDO_FILTER))
059ec3d9
PH		 377 {
378 *error = US"filtering not enabled";
379 return FF_ERROR;
380 }
381
059ec3d9 382 expand_forbid =
f3ebb786 383 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
8e669ac1 384
23c7ff99 385 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
8e669ac1 386
23c7ff99
PH		 387 if (*filtertype == FILTER_EXIM)
388 {
389 if ((options & RDO_EXIM_FILTER) != 0)
390 {
391 *error = US"Exim filtering not enabled";
392 return FF_ERROR;
8e669ac1 393 }
23c7ff99 394 frc = filter_interpret(data, options, generated, error);
8e669ac1 395 }
23c7ff99
PH		 396 else
397 {
7d99cba1 398 if (options & RDO_SIEVE_FILTER)
23c7ff99
PH		 399 {
400 *error = US"Sieve filtering not enabled";
401 return FF_ERROR;
402 }
e4a89c47 403 frc = sieve_interpret(data, options, sieve_vacation_directory,
efd9a422
MH		 404 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
405 generated, error);
8e669ac1 406 }
059ec3d9
PH		 407
408 expand_forbid = old_expand_forbid;
409 return frc;
410 }
411
412/* Not a filter script */
413
414DEBUG(D_route) debug_printf("file is not a filter file\n");
415
416return parse_forward_list(data,
417 options, /* specials that are allowed */
418 generated, /* where to hang them */
419 error, /* for errors */
420 deliver_domain, /* to qualify \name */
421 include_directory, /* restrain to directory */
422 eblockp); /* for skipped syntax errors */
423}
424
425
426
427
428/*************************************************
429* Write string down pipe *
430*************************************************/
431
1ac6b2e7 432/* This function is used for transferring a string down a pipe between
059ec3d9
PH		 433processes. If the pointer is NULL, a length of zero is written.
434
435Arguments:
436 fd the pipe
437 s the string
438
1ac6b2e7 439Returns: -1 on error, else 0
059ec3d9
PH		 440*/
441
1ac6b2e7 442static int
55414b25 443rda_write_string(int fd, const uschar *s)
059ec3d9 444{
847a015a
JH		 445int len = (s == NULL)? 0 : Ustrlen(s) + 1;
446return ( write(fd, &len, sizeof(int)) != sizeof(int)
447 || (s != NULL && write(fd, s, len) != len)
1ac6b2e7
JH		 448 )
449 ? -1 : 0;
059ec3d9
PH		 450}
451
452
453
454/*************************************************
455* Read string from pipe *
456*************************************************/
457
458/* This function is used for receiving a string from a pipe.
459
460Arguments:
461 fd the pipe
462 sp where to put the string
463
464Returns: FALSE if data missing
465*/
466
467static BOOL
468rda_read_string(int fd, uschar **sp)
469{
470int len;
471
847a015a 472if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
d88f0784
JH		 473if (len == 0)
474 *sp = NULL;
475else
476 /* We know we have enough memory so disable the error on "len" */
477 /* coverity[tainted_data] */
f3ebb786 478 /* We trust the data source, so untainted */
847a015a 479 if (read(fd, *sp = store_get(len, FALSE), len) != len) return FALSE;
059ec3d9
PH		 480return TRUE;
481}
482
483
484
485/*************************************************
486* Interpret forward list or filter *
487*************************************************/
488
489/* This function is passed a forward list string (unexpanded) or the name of a
490file (unexpanded) whose contents are the forwarding list. The list may in fact
491be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
aded2255 492types of filter, with different initial tag strings, may be introduced in due
059ec3d9
PH		 493course.
494
495The job of the function is to process the forwarding list or filter. It is
496pulled out into this separate function, because it is used for system filter
497files as well as from the redirect router.
498
499If the function is given a uid/gid, it runs a subprocess that passes the
500results back via a pipe. This provides security for things like :include:s in
501users' .forward files, and "logwrite" calls in users' filter files. A
502sub-process is NOT used when:
503
504 . No uid/gid is provided
505 . The input is a string which is not a filter string, and does not contain
506 :include:
507 . The input is a file whose non-existence can be detected in the main
508 process (which is usually running as root).
509
510Arguments:
511 rdata redirect data (file + constraints, or data string)
512 options options to pass to the extraction functions,
513 plus ENOTDIR and EACCES handling bits
514 include_directory restrain :include: to this directory
efd9a422
MH		 515 sieve_vacation_directory directory passed to sieve_interpret
516 sieve_enotify_mailto_owner passed to sieve_interpret
e4a89c47
PH		 517 sieve_useraddress passed to sieve_interpret
518 sieve_subaddress passed to sieve_interpret
059ec3d9
PH		 519 ugid uid/gid to run under - if NULL, no change
520 generated where to hang generated addresses, initially NULL
521 error pointer for error message
522 eblockp for skipped syntax errors; NULL if no skipping
523 filtertype set to the type of file:
524 FILTER_FORWARD => traditional .forward file
525 FILTER_EXIM => an Exim filter file
526 FILTER_SIEVE => a Sieve filter file
527 a system filter is always forced to be FILTER_EXIM
528 rname router name for error messages in the format
529 "xxx router" or "system filter"
530
531Returns: values from extraction function, or FF_NONEXIST:
532 FF_DELIVERED success, a significant action was taken
533 FF_NOTDELIVERED success, no significant action
534 FF_BLACKHOLE :blackhole:
535 FF_DEFER defer requested
536 FF_FAIL fail requested
537 FF_INCLUDEFAIL some problem with :include:
538 FF_FREEZE freeze requested
539 FF_ERROR there was a problem
540 FF_NONEXIST the file does not exist
541*/
542
543int
544rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
efd9a422
MH		 545 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
546 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
547 address_item **generated, uschar **error, error_block **eblockp,
548 int *filtertype, uschar *rname)
059ec3d9
PH		 549{
550int fd, rc, pfd[2];
551int yield, status;
552BOOL had_disaster = FALSE;
553pid_t pid;
554uschar *data;
555uschar *readerror = US"";
556void (*oldsignal)(int);
557
f3ebb786
JH		 558DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
559 rdata->isfile ? "file" : "string", string_printing(rdata->string));
059ec3d9
PH		 560
561/* Do the expansions of the file name or data first, while still privileged. */
562
f3ebb786 563if (!(data = expand_string(rdata->string)))
059ec3d9 564 {
8768d548 565 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
059ec3d9
PH		 566 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
567 expand_string_message);
568 return FF_ERROR;
569 }
570rdata->string = data;
571
0d2e392e
JH		 572DEBUG(D_route)
573 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
059ec3d9
PH		 574
575if (rdata->isfile && data[0] != '/')
576 {
577 *error = string_sprintf("\"%s\" is not an absolute path", data);
578 return FF_ERROR;
579 }
580
581/* If no uid/gid are supplied, or if we have a data string which does not start
582with #Exim filter or #Sieve filter, and does not contain :include:, do all the
583work in this process. Note that for a system filter, we always have a file, so
584the work is done in this process only if no user is supplied. */
585
586if (!ugid->uid_set || /* Either there's no uid, or */
587 (!rdata->isfile && /* We've got the data, and */
588 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
589 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
059ec3d9 590 return rda_extract(rdata, options, include_directory,
efd9a422
MH		 591 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
592 sieve_subaddress, generated, error, eblockp, filtertype);
059ec3d9
PH		 593
594/* We need to run the processing code in a sub-process. However, if we can
595determine the non-existence of a file first, we can decline without having to
596create the sub-process. */
597
598if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
599 return FF_NONEXIST;
600
601/* If the file does exist, or we can't tell (non-root mounted NFS directory)
602we have to create the subprocess to do everything as the given user. The
603results of processing are passed back via a pipe. */
604
605if (pipe(pfd) != 0)
606 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
607 ":include: failed for %s: %s", rname, strerror(errno));
608
609/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
610process can be waited for. We sometimes get here with it set otherwise. Save
af46795e
PH		 611the old state for resetting on the wait. Ensure that all cached resources are
612freed so that the subprocess starts with a clean slate and doesn't interfere
613with the parent process. */
059ec3d9
PH		 614
615oldsignal = signal(SIGCHLD, SIG_DFL);
af46795e
PH		 616search_tidyup();
617
059ec3d9
PH		 618if ((pid = fork()) == 0)
619 {
620 header_line *waslast = header_last; /* Save last header */
621
622 fd = pfd[pipe_write];
f1e894f3 623 (void)close(pfd[pipe_read]);
059ec3d9
PH		 624 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
625
626 /* Addresses can get rewritten in filters; if we are not root or the exim
627 user (and we probably are not), turn off rewrite logging, because we cannot
628 write to the log now. */
629
630 if (ugid->uid != root_uid && ugid->uid != exim_uid)
631 {
632 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
633 "root or exim in this process)\n");
6c6d6e48 634 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
059ec3d9
PH		 635 }
636
637 /* Now do the business */
638
639 yield = rda_extract(rdata, options, include_directory,
efd9a422
MH		 640 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
641 sieve_subaddress, generated, error, eblockp, filtertype);
059ec3d9
PH		 642
643 /* Pass back whether it was a filter, and the return code and any overall
644 error text via the pipe. */
645
847a015a
JH		 646 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
647 || write(fd, &yield, sizeof(int)) != sizeof(int)
1ac6b2e7
JH		 648 || rda_write_string(fd, *error) != 0
649 )
650 goto bad;
059ec3d9
PH		 651
652 /* Pass back the contents of any syntax error blocks if we have a pointer */
653
d7978c0f 654 if (eblockp)
059ec3d9 655 {
d7978c0f 656 for (error_block * ep = *eblockp; ep; ep = ep->next)
1ac6b2e7
JH		 657 if ( rda_write_string(fd, ep->text1) != 0
658 || rda_write_string(fd, ep->text2) != 0
659 )
660 goto bad;
661 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
662 goto bad;
059ec3d9
PH		 663 }
664
665 /* If this is a system filter, we have to pass back the numbers of any
666 original header lines that were removed, and then any header lines that were
667 added but not subsequently removed. */
668
8768d548 669 if (f.system_filtering)
059ec3d9
PH		 670 {
671 int i = 0;
d7978c0f 672 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
1ac6b2e7 673 if ( h->type == htype_old
847a015a 674 && write(fd, &i, sizeof(i)) != sizeof(i)
1ac6b2e7
JH		 675 )
676 goto bad;
677
059ec3d9 678 i = -1;
847a015a 679 if (write(fd, &i, sizeof(i)) != sizeof(i))
1ac6b2e7 680 goto bad;
059ec3d9
PH		 681
682 while (waslast != header_last)
683 {
684 waslast = waslast->next;
685 if (waslast->type != htype_old)
1ac6b2e7 686 if ( rda_write_string(fd, waslast->text) != 0
847a015a 687 || write(fd, &(waslast->type), sizeof(waslast->type))
1ac6b2e7
JH		 688 != sizeof(waslast->type)
689 )
690 goto bad;
059ec3d9 691 }
1ac6b2e7
JH		 692 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
693 goto bad;
059ec3d9
PH		 694 }
695
696 /* Write the contents of the $n variables */
697
847a015a 698 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
1ac6b2e7 699 goto bad;
059ec3d9
PH		 700
701 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
702 addresses, and their associated information, through the pipe. This is
703 just tedious, but it seems to be the only safe way. We do this also for
704 FAIL and FREEZE, because a filter is allowed to set up deliveries that
705 are honoured before freezing or failing. */
706
707 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
708 yield == FF_FAIL || yield == FF_FREEZE)
709 {
d7978c0f 710 for (address_item * addr = *generated; addr; addr = addr->next)
059ec3d9
PH		 711 {
712 int reply_options = 0;
25beaee4 713 int ig_err = addr->prop.ignore_error ? 1 : 0;
059ec3d9 714
1ac6b2e7 715 if ( rda_write_string(fd, addr->address) != 0
847a015a
JH		 716 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
717 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
d43cbe25 718 || rda_write_string(fd, addr->prop.errors_address) != 0
847a015a 719 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
1ac6b2e7
JH		 720 )
721 goto bad;
059ec3d9 722
7eb0e5d2 723 if (addr->pipe_expandn)
d7978c0f 724 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
1ac6b2e7
JH		 725 if (rda_write_string(fd, *pp) != 0)
726 goto bad;
1ac6b2e7
JH		 727 if (rda_write_string(fd, NULL) != 0)
728 goto bad;
059ec3d9 729
7eb0e5d2 730 if (!addr->reply)
1ac6b2e7 731 {
847a015a 732 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
1ac6b2e7
JH		 733 goto bad;
734 }
059ec3d9
PH		 735 else
736 {
737 reply_options |= REPLY_EXISTS;
738 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
739 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
847a015a
JH		 740 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
741 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
1ac6b2e7 742 != sizeof(int)
847a015a 743 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
1ac6b2e7
JH		 744 != sizeof(time_t)
745 || rda_write_string(fd, addr->reply->to) != 0
746 || rda_write_string(fd, addr->reply->cc) != 0
747 || rda_write_string(fd, addr->reply->bcc) != 0
748 || rda_write_string(fd, addr->reply->from) != 0
749 || rda_write_string(fd, addr->reply->reply_to) != 0
750 || rda_write_string(fd, addr->reply->subject) != 0
751 || rda_write_string(fd, addr->reply->headers) != 0
752 || rda_write_string(fd, addr->reply->text) != 0
753 || rda_write_string(fd, addr->reply->file) != 0
754 || rda_write_string(fd, addr->reply->logfile) != 0
755 || rda_write_string(fd, addr->reply->oncelog) != 0
756 )
757 goto bad;
059ec3d9
PH		 758 }
759 }
760
1ac6b2e7
JH		 761 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
762 goto bad;
059ec3d9
PH		 763 }
764
af46795e
PH		 765 /* OK, this process is now done. Free any cached resources. Must use _exit()
766 and not exit() !! */
059ec3d9 767
1ac6b2e7 768out:
f1e894f3 769 (void)close(fd);
af46795e 770 search_tidyup();
afd5e75f 771 exim_underbar_exit(0, US"rda");
1ac6b2e7
JH		 772
773bad:
774 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
775 goto out;
059ec3d9
PH		 776 }
777
778/* Back in the main process: panic if the fork did not succeed. */
779
780if (pid < 0)
781 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
782
783/* Read the pipe to get the data from the filter/forward. Our copy of the
784writing end must be closed first, as otherwise read() won't return zero on an
785empty pipe. Afterwards, close the reading end. */
786
f1e894f3 787(void)close(pfd[pipe_write]);
059ec3d9
PH		 788
789/* Read initial data, including yield and contents of *error */
790
791fd = pfd[pipe_read];
847a015a
JH		 792if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
793 read(fd, &yield, sizeof(int)) != sizeof(int) ||
059ec3d9
PH		 794 !rda_read_string(fd, error)) goto DISASTER;
795
059ec3d9
PH		 796/* Read the contents of any syntax error blocks if we have a pointer */
797
8cfd0f7b 798if (eblockp)
059ec3d9 799 {
059ec3d9 800 error_block *e;
d7978c0f 801 for (error_block ** p = eblockp; ; p = &e->next)
059ec3d9 802 {
8cfd0f7b 803 uschar *s;
059ec3d9 804 if (!rda_read_string(fd, &s)) goto DISASTER;
8cfd0f7b 805 if (!s) break;
f3ebb786 806 e = store_get(sizeof(error_block), FALSE);
059ec3d9
PH		 807 e->next = NULL;
808 e->text1 = s;
809 if (!rda_read_string(fd, &s)) goto DISASTER;
810 e->text2 = s;
811 *p = e;
059ec3d9
PH		 812 }
813 }
814
815/* If this is a system filter, read the identify of any original header lines
816that were removed, and then read data for any new ones that were added. */
817
8768d548 818if (f.system_filtering)
059ec3d9
PH		 819 {
820 int hn = 0;
821 header_line *h = header_list;
822
823 for (;;)
824 {
825 int n;
847a015a 826 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
059ec3d9
PH		 827 if (n < 0) break;
828 while (hn < n)
829 {
830 hn++;
8cfd0f7b 831 if (!(h = h->next)) goto DISASTER_NO_HEADER;
059ec3d9
PH		 832 }
833 h->type = htype_old;
834 }
835
836 for (;;)
837 {
838 uschar *s;
839 int type;
840 if (!rda_read_string(fd, &s)) goto DISASTER;
8cfd0f7b 841 if (!s) break;
847a015a 842 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
059ec3d9
PH		 843 header_add(type, "%s", s);
844 }
845 }
846
847/* Read the values of the $n variables */
848
847a015a 849if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
059ec3d9
PH		 850
851/* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
852addresses and data to go with them. Keep them in the same order in the
853generated chain. */
854
855if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
856 yield == FF_FAIL || yield == FF_FREEZE)
857 {
858 address_item **nextp = generated;
859
860 for (;;)
861 {
862 int i, reply_options;
863 address_item *addr;
864 uschar *recipient;
865 uschar *expandn[EXPAND_MAXN + 2];
866
867 /* First string is the address; NULL => end of addresses */
868
869 if (!rda_read_string(fd, &recipient)) goto DISASTER;
f3ebb786 870 if (!recipient) break;
059ec3d9
PH		 871
872 /* Hang on the end of the chain */
873
874 addr = deliver_make_addr(recipient, FALSE);
875 *nextp = addr;
876 nextp = &(addr->next);
877
878 /* Next comes the mode and the flags fields */
879
847a015a
JH		 880 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
881 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
25beaee4 882 || !rda_read_string(fd, &addr->prop.errors_address)
847a015a 883 || read(fd, &i, sizeof(i)) != sizeof(i)
25beaee4
MK		 884 )
885 goto DISASTER;
886 addr->prop.ignore_error = (i != 0);
059ec3d9
PH		 887
888 /* Next comes a possible setting for $thisaddress and any numerical
889 variables for pipe expansion, terminated by a NULL string. The maximum
890 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
891 into the zeroth item in the vector - this is sorted out inside the pipe
892 transport. */
893
894 for (i = 0; i < EXPAND_MAXN + 1; i++)
895 {
896 uschar *temp;
897 if (!rda_read_string(fd, &temp)) goto DISASTER;
898 if (i == 0) filter_thisaddress = temp; /* Just in case */
899 expandn[i] = temp;
900 if (temp == NULL) break;
901 }
902
903 if (i > 0)
904 {
f3ebb786 905 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), FALSE);
059ec3d9
PH		 906 addr->pipe_expandn[i] = NULL;
907 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
908 }
909
910 /* Then an int containing reply options; zero => no reply data. */
911
847a015a 912 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
059ec3d9
PH		 913 if ((reply_options & REPLY_EXISTS) != 0)
914 {
f3ebb786 915 addr->reply = store_get(sizeof(reply_item), FALSE);
059ec3d9
PH		 916
917 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
918 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
919
847a015a 920 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
059ec3d9 921 sizeof(int) ||
847a015a 922 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
059ec3d9 923 sizeof(time_t) ||
7d99cba1
JH		 924 !rda_read_string(fd, &addr->reply->to) ||
925 !rda_read_string(fd, &addr->reply->cc) ||
926 !rda_read_string(fd, &addr->reply->bcc) ||
927 !rda_read_string(fd, &addr->reply->from) ||
928 !rda_read_string(fd, &addr->reply->reply_to) ||
929 !rda_read_string(fd, &addr->reply->subject) ||
930 !rda_read_string(fd, &addr->reply->headers) ||
931 !rda_read_string(fd, &addr->reply->text) ||
932 !rda_read_string(fd, &addr->reply->file) ||
933 !rda_read_string(fd, &addr->reply->logfile) ||
934 !rda_read_string(fd, &addr->reply->oncelog))
059ec3d9
PH		 935 goto DISASTER;
936 }
937 }
938 }
939
940/* All data has been transferred from the sub-process. Reap it, close the
941reading end of the pipe, and we are done. */
942
943WAIT_EXIT:
944while ((rc = wait(&status)) != pid)
059ec3d9
PH		 945 if (rc < 0 && errno == ECHILD) /* Process has vanished */
946 {
947 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
948 goto FINAL_EXIT;
949 }
059ec3d9 950
1921d2ea
PH		 951DEBUG(D_route)
952 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
953
059ec3d9
PH		 954if (had_disaster)
955 {
956 *error = string_sprintf("internal problem in %s: failure to transfer "
957 "data from subprocess: status=%04x%s%s%s", rname,
958 status, readerror,
959 (*error == NULL)? US"" : US": error=",
960 (*error == NULL)? US"" : *error);
961 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
962 }
963else if (status != 0)
964 {
965 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
966 "%04x from redirect subprocess (but data correctly received)", rname,
967 status);
968 }
969
970FINAL_EXIT:
f1e894f3 971(void)close(fd);
059ec3d9
PH		 972signal(SIGCHLD, oldsignal); /* restore */
973return yield;
974
975
976/* Come here if the data indicates removal of a header that we can't find */
977
978DISASTER_NO_HEADER:
979readerror = US" readerror=bad header identifier";
980had_disaster = TRUE;
981yield = FF_ERROR;
982goto WAIT_EXIT;
983
984/* Come here is there's a shambles in transferring the data over the pipe. The
985value of errno should still be set. */
986
987DISASTER:
988readerror = string_sprintf(" readerror='%s'", strerror(errno));
989had_disaster = TRUE;
990yield = FF_ERROR;
991goto WAIT_EXIT;
992}
993
994/* End of rda.c */
Unnamed repository; edit this file 'description' to name the repository.