projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Lookups: ret=key option
[exim.git] / src / src / parse.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8
9 /* Functions for parsing addresses */
10
11
12 #include "exim.h"
13
14
15 static uschar *last_comment_position;
16
17
18
19 /* In stand-alone mode, provide a replacement for deliver_make_addr()
20 and rewrite_address[_qualify]() so as to avoid having to drag in too much
21 redundant apparatus. */
22
23 #ifdef STAND_ALONE
24
25 address_item *deliver_make_addr(uschar *address, BOOL copy)
26 {
27 address_item *addr = store_get(sizeof(address_item), FALSE);
28 addr->next = NULL;
29 addr->parent = NULL;
30 addr->address = address;
31 return addr;
32 }
33
34 uschar *rewrite_address(uschar *recipient, BOOL dummy1, BOOL dummy2, rewrite_rule
35 *dummy3, int dummy4)
36 {
37 return recipient;
38 }
39
40 uschar *rewrite_address_qualify(uschar *recipient, BOOL dummy1)
41 {
42 return recipient;
43 }
44
45 #endif
46
47
48
49
50 /*************************************************
51 * Find the end of an address *
52 *************************************************/
53
54 /* Scan over a string looking for the termination of an address at a comma,
55 or end of the string. It's the source-routed addresses which cause much pain
56 here. Although Exim ignores source routes, it must recognize such addresses, so
57 we cannot get rid of this logic.
58
59 Argument:
60 s pointer to the start of an address
61 nl_ends if TRUE, '\n' terminates an address
62
63 Returns: pointer past the end of the address
64 (i.e. points to null or comma)
65 */
66
67 uschar *
68 parse_find_address_end(uschar *s, BOOL nl_ends)
69 {
70 BOOL source_routing = *s == '@';
71 int no_term = source_routing? 1 : 0;
72
73 while (*s != 0 && (*s != ',' || no_term > 0) && (*s != '\n' || !nl_ends))
74 {
75 /* Skip single quoted characters. Strictly these should not occur outside
76 quoted strings in RFC 822 addresses, but they can in RFC 821 addresses. Pity
77 about the lack of consistency, isn't it? */
78
79 if (*s == '\\' && s[1] != 0) s += 2;
80
81 /* Skip quoted items that are not inside brackets. Note that
82 quoted pairs are allowed inside quoted strings. */
83
84 else if (*s == '\"')
85 {
86 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
87 {
88 if (*s == '\\' && s[1] != 0) s++;
89 else if (*s == '\"') { s++; break; }
90 }
91 }
92
93 /* Skip comments, which may include nested brackets, but quotes
94 are not recognized inside comments, though quoted pairs are. */
95
96 else if (*s == '(')
97 {
98 int level = 1;
99 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
100 {
101 if (*s == '\\' && s[1] != 0) s++;
102 else if (*s == '(') level++;
103 else if (*s == ')' && --level <= 0) { s++; break; }
104 }
105 }
106
107 /* Non-special character; just advance. Passing the colon in a source
108 routed address means that any subsequent comma or colon may terminate unless
109 inside angle brackets. */
110
111 else
112 {
113 if (*s == '<')
114 {
115 source_routing = s[1] == '@';
116 no_term = source_routing? 2 : 1;
117 }
118 else if (*s == '>') no_term--;
119 else if (source_routing && *s == ':') no_term--;
120 s++;
121 }
122 }
123
124 return s;
125 }
126
127
128
129 /*************************************************
130 * Find last @ in an address *
131 *************************************************/
132
133 /* This function is used when we have something that may not qualified. If we
134 know it's qualified, searching for the rightmost '@' is sufficient. Here we
135 have to be a bit more clever than just a plain search, in order to handle
136 unqualified local parts like "thing@thong" correctly. Since quotes may not
137 legally be part of a domain name, we can give up on hitting the first quote
138 when searching from the right. Now that the parsing also permits the RFC 821
139 form of address, where quoted-pairs are allowed in unquoted local parts, we
140 must take care to handle that too.
141
142 Argument: pointer to an address, possibly unqualified
143 Returns: pointer to the last @ in an address, or NULL if none
144 */
145
146 uschar *
147 parse_find_at(uschar *s)
148 {
149 uschar *t = s + Ustrlen(s);
150 while (--t >= s)
151 {
152 if (*t == '@')
153 {
154 int backslash_count = 0;
155 uschar *tt = t - 1;
156 while (tt > s && *tt-- == '\\') backslash_count++;
157 if ((backslash_count & 1) == 0) return t;
158 }
159 else if (*t == '\"') return NULL;
160 }
161 return NULL;
162 }
163
164
165
166
167 /***************************************************************************
168 * In all the functions below that read a particular object type from *
169 * the input, return the new value of the pointer s (the first argument), *
170 * and put the object into the store pointed to by t (the second argument), *
171 * adding a terminating zero. If no object is found, t will point to zero *
172 * on return. *
173 ***************************************************************************/
174
175
176 /*************************************************
177 * Skip white space and comment *
178 *************************************************/
179
180 /* Algorithm:
181 (1) Skip spaces.
182 (2) If uschar not '(', return.
183 (3) Skip till matching ')', not counting any characters
184 escaped with '\'.
185 (4) Move past ')' and goto (1).
186
187 The start of the last potential comment position is remembered to
188 make it possible to ignore comments at the end of compound items.
189
190 Argument: current character pointer
191 Returns: new character pointer
192 */
193
194 static uschar *
195 skip_comment(uschar *s)
196 {
197 last_comment_position = s;
198 while (*s)
199 {
200 int c, level;
201
202 if (Uskip_whitespace(&s) != '(') break;
203 level = 1;
204 while((c = *(++s)))
205 {
206 if (c == '(') level++;
207 else if (c == ')') { if (--level <= 0) { s++; break; } }
208 else if (c == '\\' && s[1] != 0) s++;
209 }
210 }
211 return s;
212 }
213
214
215
216 /*************************************************
217 * Read a domain *
218 *************************************************/
219
220 /* A domain is a sequence of subdomains, separated by dots. See comments below
221 for detailed syntax of the subdomains.
222
223 If allow_domain_literals is TRUE, a "domain" may also be an IP address enclosed
224 in []. Make sure the output is set to the null string if there is a syntax
225 error as well as if there is no domain at all.
226
227 Arguments:
228 s current character pointer
229 t where to put the domain
230 errorptr put error message here on failure (*t will be 0 on exit)
231
232 Returns: new character pointer
233 */
234
235 static uschar *
236 read_domain(uschar *s, uschar *t, uschar **errorptr)
237 {
238 uschar *tt = t;
239 s = skip_comment(s);
240
241 /* Handle domain literals if permitted. An RFC 822 domain literal may contain
242 any character except [ ] \, including linear white space, and may contain
243 quoted characters. However, RFC 821 restricts literals to being dot-separated
244 3-digit numbers, and we make the obvious extension for IPv6. Go for a sequence
245 of digits, dots, hex digits, and colons here; later this will be checked for
246 being a syntactically valid IP address if it ever gets to a router.
247
248 Allow both the formal IPv6 form, with IPV6: at the start, and the informal form
249 without it, and accept IPV4: as well, 'cause someone will use it sooner or
250 later. */
251
252 if (*s == '[')
253 {
254 *t++ = *s++;
255
256 if (strncmpic(s, US"IPv6:", 5) == 0 || strncmpic(s, US"IPv4:", 5) == 0)
257 {
258 memcpy(t, s, 5);
259 t += 5;
260 s += 5;
261 }
262 while (*s == '.' || *s == ':' || isxdigit(*s)) *t++ = *s++;
263
264 if (*s == ']') *t++ = *s++; else
265 {
266 *errorptr = US"malformed domain literal";
267 *tt = 0;
268 }
269
270 if (!allow_domain_literals)
271 {
272 *errorptr = US"domain literals not allowed";
273 *tt = 0;
274 }
275 *t = 0;
276 return skip_comment(s);
277 }
278
279 /* Handle a proper domain, which is a sequence of dot-separated atoms. Remove
280 trailing dots if strip_trailing_dot is set. A subdomain is an atom.
281
282 An atom is a sequence of any characters except specials, space, and controls.
283 The specials are ( ) < > @ , ; : \ " . [ and ]. This is the rule for RFC 822
284 and its successor (RFC 2822). However, RFC 821 and its successor (RFC 2821) is
285 tighter, allowing only letters, digits, and hyphens, not starting with a
286 hyphen.
287
288 There used to be a global flag that got set when checking addresses that came
289 in over SMTP and which should therefore should be checked according to the
290 stricter rule. However, it seems silly to make the distinction, because I don't
291 suppose anybody ever uses local domains that are 822-compliant and not
292 821-compliant. Furthermore, Exim now has additional data on the spool file line
293 after an address (after "one_time" processing), and it makes use of a #
294 character to delimit it. When I wrote that code, I forgot about this 822-domain
295 stuff, and assumed # could never appear in a domain.
296
297 So the old code is now cut out for Release 4.11 onwards, on 09-Aug-02. In a few
298 years, when we are sure this isn't actually causing trouble, throw it away.
299
300 March 2003: the story continues: There is a camp that is arguing for the use of
301 UTF-8 in domain names as the way to internationalization, and other MTAs
302 support this. Therefore, we now have a flag that permits the use of characters
303 with values greater than 127, encoded in UTF-8, in subdomains, so that Exim can
304 be used experimentally in this way. */
305
306 for (;;)
307 {
308 uschar *tsave = t;
309
310 /*********************
311 if (rfc821_domains)
312 {
313 if (*s != '-') while (isalnum(*s) || *s == '-') *t++ = *s++;
314 }
315 else
316 while (!mac_iscntrl_or_special(*s)) *t++ = *s++;
317 *********************/
318
319 if (*s != '-')
320 {
321 /* Only letters, digits, and hyphens */
322
323 if (!allow_utf8_domains)
324 {
325 while (isalnum(*s) || *s == '-') *t++ = *s++;
326 }
327
328 /* Permit legal UTF-8 characters to be included */
329
330 else for(;;)
331 {
332 int i, d;
333 if (isalnum(*s) || *s == '-') /* legal ascii characters */
334 {
335 *t++ = *s++;
336 continue;
337 }
338 if ((*s & 0xc0) != 0xc0) break; /* not start of UTF-8 character */
339 d = *s << 2;
340 for (i = 1; i < 6; i++) /* i is the number of additional bytes */
341 {
342 if ((d & 0x80) == 0) break;
343 d <<= 1;
344 }
345 if (i == 6) goto BAD_UTF8; /* invalid UTF-8 */
346 *t++ = *s++; /* leading UTF-8 byte */
347 while (i-- > 0) /* copy and check remainder */
348 {
349 if ((*s & 0xc0) != 0x80)
350 {
351 BAD_UTF8:
352 *errorptr = US"invalid UTF-8 byte sequence";
353 *tt = 0;
354 return s;
355 }
356 *t++ = *s++;
357 }
358 } /* End of loop for UTF-8 character */
359 } /* End of subdomain */
360
361 s = skip_comment(s);
362 *t = 0;
363
364 if (t == tsave) /* empty component */
365 {
366 if (strip_trailing_dot && t > tt && *s != '.') t[-1] = 0; else
367 {
368 *errorptr = US"domain missing or malformed";
369 *tt = 0;
370 }
371 return s;
372 }
373
374 if (*s != '.') break;
375 *t++ = *s++;
376 s = skip_comment(s);
377 }
378
379 return s;
380 }
381
382
383
384 /*************************************************
385 * Read a local-part *
386 *************************************************/
387
388 /* A local-part is a sequence of words, separated by periods. A null word
389 between dots is not strictly allowed but apparently many mailers permit it,
390 so, sigh, better be compatible. Even accept a trailing dot...
391
392 A <word> is either a quoted string, or an <atom>, which is a sequence
393 of any characters except specials, space, and controls. The specials are
394 ( ) < > @ , ; : \ " . [ and ]. In RFC 822, a single quoted character, (a
395 quoted-pair) is not allowed in a word. However, in RFC 821, it is permitted in
396 the local part of an address. Rather than have separate parsing functions for
397 the different cases, take the liberal attitude always. At least one MUA is
398 happy to recognize this case; I don't know how many other programs do.
399
400 Arguments:
401 s current character pointer
402 t where to put the local part
403 error where to point error text
404 allow_null TRUE if an empty local part is not an error
405
406 Returns: new character pointer
407 */
408
409 static uschar *
410 read_local_part(uschar *s, uschar *t, uschar **error, BOOL allow_null)
411 {
412 uschar *tt = t;
413 *error = NULL;
414 for (;;)
415 {
416 int c;
417 uschar *tsave = t;
418 s = skip_comment(s);
419
420 /* Handle a quoted string */
421
422 if (*s == '\"')
423 {
424 *t++ = '\"';
425 while ((c = *++s) && c != '\"')
426 {
427 *t++ = c;
428 if (c == '\\' && s[1]) *t++ = *++s;
429 }
430 if (c == '\"')
431 {
432 s++;
433 *t++ = '\"';
434 }
435 else
436 {
437 *error = US"unmatched doublequote in local part";
438 return s;
439 }
440 }
441
442 /* Handle an atom, but allow quoted pairs within it. */
443
444 else while (!mac_iscntrl_or_special(*s) || *s == '\\')
445 {
446 c = *t++ = *s++;
447 if (c == '\\' && *s) *t++ = *s++;
448 }
449
450 /* Terminate the word and skip subsequent comment */
451
452 *t = 0;
453 s = skip_comment(s);
454
455 /* If we have read a null component at this point, give an error unless it is
456 terminated by a dot - an extension to RFC 822 - or if it is the first
457 component of the local part and an empty local part is permitted, in which
458 case just return normally. */
459
460 if (t == tsave && *s != '.')
461 {
462 if (t == tt && !allow_null)
463 *error = US"missing or malformed local part";
464 return s;
465 }
466
467 /* Anything other than a dot terminates the local part. Treat multiple dots
468 as a single dot, as this seems to be a common extension. */
469
470 if (*s != '.') break;
471 do { *t++ = *s++; } while (*s == '.');
472 }
473
474 return s;
475 }
476
477
478 /*************************************************
479 * Read route part of route-addr *
480 *************************************************/
481
482 /* The pointer is at the initial "@" on entry. Return it following the
483 terminating colon. Exim no longer supports the use of source routes, but it is
484 required to accept the syntax.
485
486 Arguments:
487 s current character pointer
488 t where to put the route
489 errorptr where to put an error message
490
491 Returns: new character pointer
492 */
493
494 static uschar *
495 read_route(uschar *s, uschar *t, uschar **errorptr)
496 {
497 BOOL commas = FALSE;
498 *errorptr = NULL;
499
500 while (*s == '@')
501 {
502 *t++ = '@';
503 s = read_domain(s+1, t, errorptr);
504 if (*t == 0) return s;
505 t += Ustrlen((const uschar *)t);
506 if (*s != ',') break;
507 *t++ = *s++;
508 commas = TRUE;
509 s = skip_comment(s);
510 }
511
512 if (*s == ':') *t++ = *s++;
513
514 /* If there is no colon, and there were no commas, the most likely error
515 is in fact a missing local part in the address rather than a missing colon
516 after the route. */
517
518 else *errorptr = commas?
519 US"colon expected after route list" :
520 US"no local part";
521
522 /* Terminate the route and return */
523
524 *t = 0;
525 return skip_comment(s);
526 }
527
528
529
530 /*************************************************
531 * Read addr-spec *
532 *************************************************/
533
534 /* Addr-spec is local-part@domain. We make the domain optional -
535 the expected terminator for the whole thing is passed to check this.
536 This function is called only when we know we have a route-addr.
537
538 Arguments:
539 s current character pointer
540 t where to put the addr-spec
541 term expected terminator (0 or >)
542 errorptr where to put an error message
543 domainptr set to point to the start of the domain
544
545 Returns: new character pointer
546 */
547
548 static uschar *
549 read_addr_spec(uschar *s, uschar *t, int term, uschar **errorptr,
550 uschar **domainptr)
551 {
552 s = read_local_part(s, t, errorptr, FALSE);
553 if (*errorptr == NULL)
554 if (*s != term)
555 if (*s != '@')
556 *errorptr = string_sprintf("\"@\" or \".\" expected after \"%s\"", t);
557 else
558 {
559 t += Ustrlen((const uschar *)t);
560 *t++ = *s++;
561 *domainptr = t;
562 s = read_domain(s, t, errorptr);
563 }
564 return s;
565 }
566
567
568
569 /*************************************************
570 * Extract operative address *
571 *************************************************/
572
573 /* This function extracts an operative address from a full RFC822 mailbox and
574 returns it in a piece of dynamic store. We take the easy way and get a piece
575 of store the same size as the input, and then copy into it whatever is
576 necessary. If we cannot find a valid address (syntax error), return NULL, and
577 point the error pointer to the reason. The arguments "start" and "end" are used
578 to return the offsets of the first and one past the last characters in the
579 original mailbox of the address that has been extracted, to aid in re-writing.
580 The argument "domain" is set to point to the first character after "@" in the
581 final part of the returned address, or zero if there is no @.
582
583 Exim no longer supports the use of source routed addresses (those of the form
584 @domain,...:route_addr). It recognizes the syntax, but collapses such addresses
585 down to their final components. Formerly, collapse_source_routes had to be set
586 to achieve this effect. RFC 1123 allows collapsing with MAY, while the revision
587 of RFC 821 had increased this to SHOULD, so I've gone for it, because it makes
588 a lot of code elsewhere in Exim much simpler.
589
590 There are some special fudges here for handling RFC 822 group address notation
591 which may appear in certain headers. If the flag parse_allow_group is set
592 TRUE and parse_found_group is FALSE when this function is called, an address
593 which is the start of a group (i.e. preceded by a phrase and a colon) is
594 recognized; the phrase is ignored and the flag parse_found_group is set. If
595 this flag is TRUE at the end of an address, and if an extraneous semicolon is
596 found, it is ignored and the flag is cleared.
597
598 This logic is used only when scanning through addresses in headers, either to
599 fulfil the -t option, or for rewriting, or for checking header syntax. Because
600 the group "state" has to be remembered between multiple calls of this function,
601 the variables parse_{allow,found}_group are global. It is important to ensure
602 that they are reset to FALSE at the end of scanning a header's list of
603 addresses.
604
605 Arguments:
606 mailbox points to the RFC822 mailbox
607 errorptr where to point an error message
608 start set to start offset in mailbox
609 end set to end offset in mailbox
610 domain set to domain offset in result, or 0 if no domain present
611 allow_null allow <> if TRUE
612
613 Returns: points to the extracted address, or NULL on error
614 */
615
616 #define FAILED(s) { *errorptr = s; goto PARSE_FAILED; }
617
618 uschar *
619 parse_extract_address(uschar *mailbox, uschar **errorptr, int *start, int *end,
620 int *domain, BOOL allow_null)
621 {
622 uschar *yield = store_get(Ustrlen(mailbox) + 1, is_tainted(mailbox));
623 uschar *startptr, *endptr;
624 uschar *s = US mailbox;
625 uschar *t = US yield;
626
627 *domain = 0;
628
629 /* At the start of the string we expect either an addr-spec or a phrase
630 preceding a <route-addr>. If groups are allowed, we might also find a phrase
631 preceding a colon and an address. If we find an initial word followed by
632 a dot, strict interpretation of the RFC would cause it to be taken
633 as the start of an addr-spec. However, many mailers break the rules
634 and use addresses of the form "a.n.other <ano@somewhere>" and so we
635 allow this case. */
636
637 RESTART: /* Come back here after passing a group name */
638
639 s = skip_comment(s);
640 startptr = s; /* In case addr-spec */
641 s = read_local_part(s, t, errorptr, TRUE); /* Dot separated words */
642 if (*errorptr) goto PARSE_FAILED;
643
644 /* If the terminator is neither < nor @ then the format of the address
645 must either be a bare local-part (we are now at the end), or a phrase
646 followed by a route-addr (more words must follow). */
647
648 if (*s != '@' && *s != '<')
649 {
650 if (*s == 0 || *s == ';')
651 {
652 if (*t == 0) FAILED(US"empty address");
653 endptr = last_comment_position;
654 goto PARSE_SUCCEEDED; /* Bare local part */
655 }
656
657 /* Expect phrase route-addr, or phrase : if groups permitted, but allow
658 dots in the phrase; complete the loop only when '<' or ':' is encountered -
659 end of string will produce a null local_part and therefore fail. We don't
660 need to keep updating t, as the phrase isn't to be kept. */
661
662 while (*s != '<' && (!f.parse_allow_group || *s != ':'))
663 {
664 s = read_local_part(s, t, errorptr, FALSE);
665 if (*errorptr)
666 {
667 *errorptr = string_sprintf("%s (expected word or \"<\")", *errorptr);
668 goto PARSE_FAILED;
669 }
670 }
671
672 if (*s == ':')
673 {
674 f.parse_found_group = TRUE;
675 f.parse_allow_group = FALSE;
676 s++;
677 goto RESTART;
678 }
679
680 /* Assert *s == '<' */
681 }
682
683 /* At this point the next character is either '@' or '<'. If it is '@', only a
684 single local-part has previously been read. An angle bracket signifies the
685 start of an <addr-spec>. Throw away anything we have saved so far before
686 processing it. Note that this is "if" rather than "else if" because it's also
687 used after reading a preceding phrase.
688
689 There are a lot of broken sendmails out there that put additional pairs of <>
690 round <route-addr>s. If strip_excess_angle_brackets is set, allow a limited
691 number of them, as long as they match. */
692
693 if (*s == '<')
694 {
695 uschar *domainptr = yield;
696 BOOL source_routed = FALSE;
697 int bracket_count = 1;
698
699 s++;
700 if (strip_excess_angle_brackets) while (*s == '<')
701 {
702 if(bracket_count++ > 5) FAILED(US"angle-brackets nested too deep");
703 s++;
704 }
705
706 t = yield;
707 startptr = s;
708 s = skip_comment(s);
709
710 /* Read an optional series of routes, each of which is a domain. They
711 are separated by commas and terminated by a colon. However, we totally ignore
712 such routes (RFC 1123 says we MAY, and the revision of RFC 821 says we
713 SHOULD). */
714
715 if (*s == '@')
716 {
717 s = read_route(s, t, errorptr);
718 if (*errorptr) goto PARSE_FAILED;
719 *t = 0; /* Ensure route is ignored - probably overkill */
720 source_routed = TRUE;
721 }
722
723 /* Now an addr-spec, terminated by '>'. If there is no preceding route,
724 we must allow an empty addr-spec if allow_null is TRUE, to permit the
725 address "<>" in some circumstances. A source-routed address MUST have
726 a domain in the final part. */
727
728 if (allow_null && !source_routed && *s == '>')
729 {
730 *t = 0;
731 *errorptr = NULL;
732 }
733 else
734 {
735 s = read_addr_spec(s, t, '>', errorptr, &domainptr);
736 if (*errorptr) goto PARSE_FAILED;
737 *domain = domainptr - yield;
738 if (source_routed && *domain == 0)
739 FAILED(US"domain missing in source-routed address");
740 }
741
742 endptr = s;
743 if (*errorptr != NULL) goto PARSE_FAILED;
744 while (bracket_count-- > 0) if (*s++ != '>')
745 {
746 *errorptr = s[-1] == 0
747 ? US"'>' missing at end of address"
748 : string_sprintf("malformed address: %.32s may not follow %.*s",
749 s-1, (int)(s - US mailbox - 1), mailbox);
750 goto PARSE_FAILED;
751 }
752
753 s = skip_comment(s);
754 }
755
756 /* Hitting '@' after the first local-part means we have definitely got an
757 addr-spec, on a strict reading of the RFC, and the rest of the string
758 should be the domain. However, for flexibility we allow for a route-address
759 not enclosed in <> as well, which is indicated by an empty first local
760 part preceding '@'. The source routing is, however, ignored. */
761
762 else if (*t == 0)
763 {
764 uschar *domainptr = yield;
765 s = read_route(s, t, errorptr);
766 if (*errorptr != NULL) goto PARSE_FAILED;
767 *t = 0; /* Ensure route is ignored - probably overkill */
768 s = read_addr_spec(s, t, 0, errorptr, &domainptr);
769 if (*errorptr != NULL) goto PARSE_FAILED;
770 *domain = domainptr - yield;
771 endptr = last_comment_position;
772 if (*domain == 0) FAILED(US"domain missing in source-routed address");
773 }
774
775 /* This is the strict case of local-part@domain. */
776
777 else
778 {
779 t += Ustrlen((const uschar *)t);
780 *t++ = *s++;
781 *domain = t - yield;
782 s = read_domain(s, t, errorptr);
783 if (*t == 0) goto PARSE_FAILED;
784 endptr = last_comment_position;
785 }
786
787 /* Use goto to get here from the bare local part case. Arrive by falling
788 through for other cases. Endptr may have been moved over whitespace, so
789 move it back past white space if necessary. */
790
791 PARSE_SUCCEEDED:
792 if (*s != 0)
793 {
794 if (f.parse_found_group && *s == ';')
795 {
796 f.parse_found_group = FALSE;
797 f.parse_allow_group = TRUE;
798 }
799 else
800 {
801 *errorptr = string_sprintf("malformed address: %.32s may not follow %.*s",
802 s, (int)(s - US mailbox), mailbox);
803 goto PARSE_FAILED;
804 }
805 }
806 *start = startptr - US mailbox; /* Return offsets */
807 while (isspace(endptr[-1])) endptr--;
808 *end = endptr - US mailbox;
809
810 /* Although this code has no limitation on the length of address extracted,
811 other parts of Exim may have limits, and in any case, RFC 2821 limits local
812 parts to 64 and domains to 255, so we do a check here, giving an error if the
813 address is ridiculously long. */
814
815 if (*end - *start > ADDRESS_MAXLENGTH)
816 {
817 *errorptr = string_sprintf("address is ridiculously long: %.64s...", yield);
818 return NULL;
819 }
820
821 return yield;
822
823 /* Use goto (via the macro FAILED) to get to here from a variety of places.
824 We might have an empty address in a group - the caller can choose to ignore
825 this. We must, however, keep the flags correct. */
826
827 PARSE_FAILED:
828 if (f.parse_found_group && *s == ';')
829 {
830 f.parse_found_group = FALSE;
831 f.parse_allow_group = TRUE;
832 }
833 return NULL;
834 }
835
836 #undef FAILED
837
838
839
840 /*************************************************
841 * Quote according to RFC 2047 *
842 *************************************************/
843
844 /* This function is used for quoting text in headers according to RFC 2047.
845 If the only characters that strictly need quoting are spaces, we return the
846 original string, unmodified. If a quoted string is too long for the buffer, it
847 is truncated. (This shouldn't happen: this is normally handling short strings.)
848
849 Hmmph. As always, things get perverted for other uses. This function was
850 originally for the "phrase" part of addresses. Now it is being used for much
851 longer texts in ACLs and via the ${rfc2047: expansion item. This means we have
852 to check for overlong "encoded-word"s and split them. November 2004.
853
854 Arguments:
855 string the string to quote - already checked to contain non-printing
856 chars
857 len the length of the string
858 charset the name of the character set; NULL => iso-8859-1
859 buffer the buffer to put the answer in
860 buffer_size the size of the buffer
861 fold if TRUE, a newline is inserted before the separating space when
862 more than one encoded-word is generated
863
864 Returns: pointer to the original string, if no quoting needed, or
865 pointer to buffer containing the quoted string, or
866 a pointer to "String too long" if the buffer can't even hold
867 the introduction
868 */
869
870 const uschar *
871 parse_quote_2047(const uschar *string, int len, uschar *charset, uschar *buffer,
872 int buffer_size, BOOL fold)
873 {
874 const uschar *s = string;
875 uschar *p, *t;
876 int hlen;
877 BOOL coded = FALSE;
878 BOOL first_byte = FALSE;
879
880 if (!charset) charset = US"iso-8859-1";
881
882 /* We don't expect this to fail! */
883
884 if (!string_format(buffer, buffer_size, "=?%s?Q?", charset))
885 return US"String too long";
886
887 hlen = Ustrlen(buffer);
888 t = buffer + hlen;
889 p = buffer;
890
891 for (; len > 0; len--)
892 {
893 int ch = *s++;
894 if (t > buffer + buffer_size - hlen - 8) break;
895
896 if ((t - p > 67) && !first_byte)
897 {
898 *t++ = '?';
899 *t++ = '=';
900 if (fold) *t++ = '\n';
901 *t++ = ' ';
902 p = t;
903 Ustrncpy(p, buffer, hlen);
904 t += hlen;
905 }
906
907 if (ch < 33 || ch > 126 ||
908 Ustrchr("?=()<>@,;:\\\".[]_", ch) != NULL)
909 {
910 if (ch == ' ')
911 {
912 *t++ = '_';
913 first_byte = FALSE;
914 }
915 else
916 {
917 t += sprintf(CS t, "=%02X", ch);
918 coded = TRUE;
919 first_byte = !first_byte;
920 }
921 }
922 else { *t++ = ch; first_byte = FALSE; }
923 }
924
925 *t++ = '?';
926 *t++ = '=';
927 *t = 0;
928
929 return coded ? buffer : string;
930 }
931
932
933
934
935 /*************************************************
936 * Fix up an RFC 822 "phrase" *
937 *************************************************/
938
939 /* This function is called to repair any syntactic defects in the "phrase" part
940 of an RFC822 address. In particular, it is applied to the user's name as read
941 from the passwd file when accepting a local message, and to the data from the
942 -F option.
943
944 If the string contains existing quoted strings or comments containing
945 freestanding quotes, then we just quote those bits that need quoting -
946 otherwise it would get awfully messy and probably not look good. If not, we
947 quote the whole thing if necessary. Thus
948
949 John Q. Smith => "John Q. Smith"
950 John "Jack" Smith => John "Jack" Smith
951 John "Jack" Q. Smith => John "Jack" "Q." Smith
952 John (Jack) Q. Smith => "John (Jack) Q. Smith"
953 John ("Jack") Q. Smith => John ("Jack") "Q." Smith
954 but
955 John (\"Jack\") Q. Smith => "John (\"Jack\") Q. Smith"
956
957 Sheesh! This is tedious code. It is a great pity that the syntax of RFC822 is
958 the way it is...
959
960 August 2000: Additional code added:
961
962 Previously, non-printing characters were turned into question marks, which do
963 not need to be quoted.
964
965 Now, a different tactic is used if there are any non-printing ASCII
966 characters. The encoding method from RFC 2047 is used, assuming iso-8859-1 as
967 the character set.
968
969 We *could* use this for all cases, getting rid of the messy original code,
970 but leave it for now. It would complicate simple cases like "John Q. Smith".
971
972 The result is passed back in the buffer; it is usually going to be added to
973 some other string. In order to be sure there is going to be no overflow,
974 restrict the length of the input to 1/4 of the buffer size - this allows for
975 every single character to be quoted or encoded without overflowing, and that
976 wouldn't happen because of amalgamation. If the phrase is too long, return a
977 fixed string.
978
979 Arguments:
980 phrase an RFC822 phrase
981 len the length of the phrase
982 buffer a buffer to put the result in
983 buffer_size the size of the buffer
984
985 Returns: the fixed RFC822 phrase
986 */
987
988 const uschar *
989 parse_fix_phrase(const uschar *phrase, int len, uschar *buffer, int buffer_size)
990 {
991 int ch, i;
992 BOOL quoted = FALSE;
993 const uschar *s, *end;
994 uschar *t, *yield;
995
996 while (len > 0 && isspace(*phrase)) { phrase++; len--; }
997 if (len > buffer_size/4) return US"Name too long";
998
999 /* See if there are any non-printing characters, and if so, use the RFC 2047
1000 encoding for the whole thing. */
1001
1002 for (i = 0, s = phrase; i < len; i++, s++)
1003 if ((*s < 32 && *s != '\t') || *s > 126) break;
1004
1005 if (i < len) return parse_quote_2047(phrase, len, headers_charset, buffer,
1006 buffer_size, FALSE);
1007
1008 /* No non-printers; use the RFC 822 quoting rules */
1009
1010 s = phrase;
1011 end = s + len;
1012 yield = t = buffer + 1;
1013
1014 while (s < end)
1015 {
1016 ch = *s++;
1017
1018 /* Copy over quoted strings, remembering we encountered one */
1019
1020 if (ch == '\"')
1021 {
1022 *t++ = '\"';
1023 while (s < end && (ch = *s++) != '\"')
1024 {
1025 *t++ = ch;
1026 if (ch == '\\' && s < end) *t++ = *s++;
1027 }
1028 *t++ = '\"';
1029 if (s >= end) break;
1030 quoted = TRUE;
1031 }
1032
1033 /* Copy over comments, noting if they contain freestanding quote
1034 characters */
1035
1036 else if (ch == '(')
1037 {
1038 int level = 1;
1039 *t++ = '(';
1040 while (s < end)
1041 {
1042 ch = *s++;
1043 *t++ = ch;
1044 if (ch == '(') level++;
1045 else if (ch == ')') { if (--level <= 0) break; }
1046 else if (ch == '\\' && s < end) *t++ = *s++ & 127;
1047 else if (ch == '\"') quoted = TRUE;
1048 }
1049 if (ch == 0)
1050 {
1051 while (level--) *t++ = ')';
1052 break;
1053 }
1054 }
1055
1056 /* Handle special characters that need to be quoted */
1057
1058 else if (Ustrchr(")<>@,;:\\.[]", ch) != NULL)
1059 {
1060 /* If hit previous quotes just make one quoted "word" */
1061
1062 if (quoted)
1063 {
1064 uschar *tt = t++;
1065 while (*(--tt) != ' ' && *tt != '\"' && *tt != ')') tt[1] = *tt;
1066 tt[1] = '\"';
1067 *t++ = ch;
1068 while (s < end)
1069 {
1070 ch = *s++;
1071 if (ch == ' ' || ch == '\"') { s--; break; } else *t++ = ch;
1072 }
1073 *t++ = '\"';
1074 }
1075
1076 /* Else quote the whole string so far, and the rest up to any following
1077 quotes. We must treat anything following a backslash as a literal. */
1078
1079 else
1080 {
1081 BOOL escaped = (ch == '\\');
1082 *(--yield) = '\"';
1083 *t++ = ch;
1084
1085 /* Now look for the end or a quote */
1086
1087 while (s < end)
1088 {
1089 ch = *s++;
1090
1091 /* Handle escaped pairs */
1092
1093 if (escaped)
1094 {
1095 *t++ = ch;
1096 escaped = FALSE;
1097 }
1098
1099 else if (ch == '\\')
1100 {
1101 *t++ = ch;
1102 escaped = TRUE;
1103 }
1104
1105 /* If hit subsequent quotes, insert our quote before any trailing
1106 spaces and back up to re-handle the quote in the outer loop. */
1107
1108 else if (ch == '\"')
1109 {
1110 int count = 0;
1111 while (t[-1] == ' ') { t--; count++; }
1112 *t++ = '\"';
1113 while (count-- > 0) *t++ = ' ';
1114 s--;
1115 break;
1116 }
1117
1118 /* If hit a subsequent comment, check it for unescaped quotes,
1119 and if so, end our quote before it. */
1120
1121 else if (ch == '(')
1122 {
1123 const uschar *ss = s; /* uschar after '(' */
1124 int level = 1;
1125 while(ss < end)
1126 {
1127 ch = *ss++;
1128 if (ch == '(') level++;
1129 else if (ch == ')') { if (--level <= 0) break; }
1130 else if (ch == '\\' && ss+1 < end) ss++;
1131 else if (ch == '\"') { quoted = TRUE; break; }
1132 }
1133
1134 /* Comment contains unescaped quotes; end our quote before
1135 the start of the comment. */
1136
1137 if (quoted)
1138 {
1139 int count = 0;
1140 while (t[-1] == ' ') { t--; count++; }
1141 *t++ = '\"';
1142 while (count-- > 0) *t++ = ' ';
1143 break;
1144 }
1145
1146 /* Comment does not contain unescaped quotes; include it in
1147 our quote. */
1148
1149 else
1150 {
1151 if (ss >= end) ss--;
1152 *t++ = '(';
1153 Ustrncpy(t, s, ss-s);
1154 t += ss-s;
1155 s = ss;
1156 }
1157 }
1158
1159 /* Not a comment or quote; include this character in our quotes. */
1160
1161 else *t++ = ch;
1162 }
1163 }
1164
1165 /* Add a final quote if we hit the end of the string. */
1166
1167 if (s >= end) *t++ = '\"';
1168 }
1169
1170 /* Non-special character; just copy it over */
1171
1172 else *t++ = ch;
1173 }
1174
1175 *t = 0;
1176 return yield;
1177 }
1178
1179
1180 /*************************************************
1181 * Extract addresses from a list *
1182 *************************************************/
1183
1184 /* This function is called by the redirect router to scan a string containing a
1185 list of addresses separated by commas (with optional white space) or by
1186 newlines, and to generate a chain of address items from them. In other words,
1187 to unpick data from an alias or .forward file.
1188
1189 The SunOS5 documentation for alias files is not very clear on the syntax; it
1190 does not say that either a comma or a newline can be used for separation.
1191 However, that is the way Smail does it, so we follow suit.
1192
1193 If a # character is encountered in a white space position, then characters from
1194 there to the next newline are skipped.
1195
1196 If an unqualified address begins with '\', just skip that character. This gives
1197 compatibility with Sendmail's use of \ to prevent looping. Exim has its own
1198 loop prevention scheme which handles other cases too - see the code in
1199 route_address().
1200
1201 An "address" can be a specification of a file or a pipe; the latter may often
1202 need to be quoted because it may contain spaces, but we don't want to retain
1203 the quotes. Quotes may appear in normal addresses too, and should be retained.
1204 We can distinguish between these cases, because in addresses, quotes are used
1205 only for parts of the address, not the whole thing. Therefore, we remove quotes
1206 from items when they entirely enclose them, but not otherwise.
1207
1208 An "address" can also be of the form :include:pathname to include a list of
1209 addresses contained in the specified file.
1210
1211 Any unqualified addresses are qualified with and rewritten if necessary, via
1212 the rewrite_address() function.
1213
1214 Arguments:
1215 s the list of addresses (typically a complete
1216 .forward file or a list of entries in an alias file)
1217 options option bits for permitting or denying various special cases;
1218 not all bits are relevant here - some are for filter
1219 files; those we use here are:
1220 RDO_DEFER
1221 RDO_FREEZE
1222 RDO_FAIL
1223 RDO_BLACKHOLE
1224 RDO_REWRITE
1225 RDO_INCLUDE
1226 anchor where to hang the chain of newly-created addresses. This
1227 should be initialized to NULL.
1228 error where to return an error text
1229 incoming domain domain of the incoming address; used to qualify unqualified
1230 local parts preceded by \
1231 directory if NULL, no checks are done on :include: files
1232 otherwise, included file names must start with the given
1233 directory
1234 syntax_errors if not NULL, it carries on after syntax errors in addresses,
1235 building up a list of errors as error blocks chained on
1236 here.
1237
1238 Returns: FF_DELIVERED addresses extracted
1239 FF_NOTDELIVERED no addresses extracted, but no errors
1240 FF_BLACKHOLE :blackhole:
1241 FF_DEFER :defer:
1242 FF_FAIL :fail:
1243 FF_INCLUDEFAIL some problem with :include:; *error set
1244 FF_ERROR other problems; *error is set
1245 */
1246
1247 int
1248 parse_forward_list(uschar *s, int options, address_item **anchor,
1249 uschar **error, const uschar *incoming_domain, uschar *directory,
1250 error_block **syntax_errors)
1251 {
1252 int count = 0;
1253
1254 DEBUG(D_route) debug_printf("parse_forward_list: %s\n", s);
1255
1256 for (;;)
1257 {
1258 int len;
1259 int special = 0;
1260 int specopt = 0;
1261 int specbit = 0;
1262 uschar *ss, *nexts;
1263 address_item *addr;
1264 BOOL inquote = FALSE;
1265
1266 for (;;)
1267 {
1268 while (isspace(*s) || *s == ',') s++;
1269 if (*s == '#') { while (*s != 0 && *s != '\n') s++; } else break;
1270 }
1271
1272 /* When we reach the end of the list, we return FF_DELIVERED if any child
1273 addresses have been generated. If nothing has been generated, there are two
1274 possibilities: either the list is really empty, or there were syntax errors
1275 that are being skipped. (If syntax errors are not being skipped, an FF_ERROR
1276 return is generated on hitting a syntax error and we don't get here.) For a
1277 truly empty list we return FF_NOTDELIVERED so that the router can decline.
1278 However, if the list is empty only because syntax errors were skipped, we
1279 return FF_DELIVERED. */
1280
1281 if (!*s)
1282 {
1283 return (count > 0 || (syntax_errors && *syntax_errors))
1284 ? FF_DELIVERED : FF_NOTDELIVERED;
1285
1286 /* This previous code returns FF_ERROR if nothing is generated but a
1287 syntax error has been skipped. I now think it is the wrong approach, but
1288 have left this here just in case, and for the record. */
1289
1290 #ifdef NEVER
1291 if (count > 0) return FF_DELIVERED; /* Something was generated */
1292
1293 if (syntax_errors == NULL || /* Not skipping syntax errors, or */
1294 *syntax_errors == NULL) /* we didn't actually skip any */
1295 return FF_NOTDELIVERED;
1296
1297 *error = string_sprintf("no addresses generated: syntax error in %s: %s",
1298 (*syntax_errors)->text2, (*syntax_errors)->text1);
1299 return FF_ERROR;
1300 #endif
1301
1302 }
1303
1304 /* Find the end of the next address. Quoted strings in addresses may contain
1305 escaped characters; I haven't found a proper specification of .forward or
1306 alias files that mentions the quoting properties, but it seems right to do
1307 the escaping thing in all cases, so use the function that finds the end of an
1308 address. However, don't let a quoted string extend over the end of a line. */
1309
1310 ss = parse_find_address_end(s, TRUE);
1311
1312 /* Remember where we finished, for starting the next one. */
1313
1314 nexts = ss;
1315
1316 /* Remove any trailing spaces; we know there's at least one non-space. */
1317
1318 while (isspace((ss[-1]))) ss--;
1319
1320 /* We now have s->start and ss->end of the next address. Remove quotes
1321 if they completely enclose, remembering the address started with a quote
1322 for handling pipes and files. Another round of removal of leading and
1323 trailing spaces is then required. */
1324
1325 if (*s == '\"' && ss[-1] == '\"')
1326 {
1327 s++;
1328 ss--;
1329 inquote = TRUE;
1330 while (s < ss && isspace(*s)) s++;
1331 while (ss > s && isspace((ss[-1]))) ss--;
1332 }
1333
1334 /* Set up the length of the address. */
1335
1336 len = ss - s;
1337
1338 DEBUG(D_route)
1339 {
1340 int save = s[len];
1341 s[len] = 0;
1342 debug_printf("extract item: %s\n", s);
1343 s[len] = save;
1344 }
1345
1346 /* Handle special addresses if permitted. If the address is :unknown:
1347 ignore it - this is for backward compatibility with old alias files. You
1348 don't need to use it nowadays - just generate an empty string. For :defer:,
1349 :blackhole:, or :fail: we have to set up the error message and give up right
1350 away. */
1351
1352 if (Ustrncmp(s, ":unknown:", len) == 0)
1353 {
1354 s = nexts;
1355 continue;
1356 }
1357
1358 if (Ustrncmp(s, ":defer:", 7) == 0)
1359 { special = FF_DEFER; specopt = RDO_DEFER; } /* specbit is 0 */
1360 else if (Ustrncmp(s, ":blackhole:", 11) == 0)
1361 { special = FF_BLACKHOLE; specopt = specbit = RDO_BLACKHOLE; }
1362 else if (Ustrncmp(s, ":fail:", 6) == 0)
1363 { special = FF_FAIL; specopt = RDO_FAIL; } /* specbit is 0 */
1364
1365 if (special != 0)
1366 {
1367 uschar *ss = Ustrchr(s+1, ':') + 1;
1368 if ((options & specopt) == specbit)
1369 {
1370 *error = string_sprintf("\"%.*s\" is not permitted", len, s);
1371 return FF_ERROR;
1372 }
1373 while (*ss != 0 && isspace(*ss)) ss++;
1374 while (s[len] != 0 && s[len] != '\n') len++;
1375 s[len] = 0;
1376 *error = string_copy(ss);
1377 return special;
1378 }
1379
1380 /* If the address is of the form :include:pathname, read the file, and call
1381 this function recursively to extract the addresses from it. If directory is
1382 NULL, do no checks. Otherwise, insist that the file name starts with the
1383 given directory and is a regular file. */
1384
1385 if (Ustrncmp(s, ":include:", 9) == 0)
1386 {
1387 uschar *filebuf;
1388 uschar filename[256];
1389 uschar *t = s+9;
1390 int flen = len - 9;
1391 int frc;
1392 struct stat statbuf;
1393 address_item *last;
1394 FILE *f;
1395
1396 while (flen > 0 && isspace(*t)) { t++; flen--; }
1397
1398 if (flen <= 0)
1399 {
1400 *error = US"file name missing after :include:";
1401 return FF_ERROR;
1402 }
1403
1404 if (flen > 255)
1405 {
1406 *error = string_sprintf("included file name \"%s\" is too long", t);
1407 return FF_ERROR;
1408 }
1409
1410 Ustrncpy(filename, t, flen);
1411 filename[flen] = 0;
1412
1413 /* Insist on absolute path */
1414
1415 if (filename[0] != '/')
1416 {
1417 *error = string_sprintf("included file \"%s\" is not an absolute path",
1418 filename);
1419 return FF_ERROR;
1420 }
1421
1422 /* Check if include is permitted */
1423
1424 if (options & RDO_INCLUDE)
1425 {
1426 *error = US"included files not permitted";
1427 return FF_ERROR;
1428 }
1429
1430 if (is_tainted(filename))
1431 {
1432 *error = string_sprintf("Tainted name '%s' for included file not permitted\n",
1433 filename);
1434 return FF_ERROR;
1435 }
1436
1437 /* Check file name if required */
1438
1439 if (directory)
1440 {
1441 int len = Ustrlen(directory);
1442 uschar *p = filename + len;
1443
1444 if (Ustrncmp(filename, directory, len) != 0 || *p != '/')
1445 {
1446 *error = string_sprintf("included file %s is not in directory %s",
1447 filename, directory);
1448 return FF_ERROR;
1449 }
1450
1451 #ifdef EXIM_HAVE_OPENAT
1452 /* It is necessary to check that every component inside the directory
1453 is NOT a symbolic link, in order to keep the file inside the directory.
1454 This is mighty tedious. We open the directory and openat every component,
1455 with a flag that fails symlinks. */
1456
1457 {
1458 int fd = exim_open2(CS directory, O_RDONLY);
1459 if (fd < 0)
1460 {
1461 *error = string_sprintf("failed to open directory %s", directory);
1462 return FF_ERROR;
1463 }
1464 while (*p)
1465 {
1466 uschar temp;
1467 int fd2;
1468 uschar * q = p;
1469
1470 while (*++p && *p != '/') ;
1471 temp = *p;
1472 *p = '\0';
1473
1474 fd2 = exim_openat(fd, CS q, O_RDONLY|O_NOFOLLOW);
1475 close(fd);
1476 *p = temp;
1477 if (fd2 < 0)
1478 {
1479 *error = string_sprintf("failed to open %s (component of included "
1480 "file); could be symbolic link", filename);
1481 return FF_ERROR;
1482 }
1483 fd = fd2;
1484 }
1485 f = fdopen(fd, "rb");
1486 }
1487 #else
1488 /* It is necessary to check that every component inside the directory
1489 is NOT a symbolic link, in order to keep the file inside the directory.
1490 This is mighty tedious. It is also not totally foolproof in that it
1491 leaves the possibility of a race attack, but I don't know how to do
1492 any better. */
1493
1494 while (*p)
1495 {
1496 int temp;
1497 while (*++p && *p != '/');
1498 temp = *p;
1499 *p = 0;
1500 if (Ulstat(filename, &statbuf) != 0)
1501 {
1502 *error = string_sprintf("failed to stat %s (component of included "
1503 "file)", filename);
1504 *p = temp;
1505 return FF_ERROR;
1506 }
1507
1508 *p = temp;
1509
1510 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1511 {
1512 *error = string_sprintf("included file %s in the %s directory "
1513 "involves a symbolic link", filename, directory);
1514 return FF_ERROR;
1515 }
1516 }
1517 #endif
1518 }
1519
1520 #ifdef EXIM_HAVE_OPENAT
1521 else
1522 #endif
1523 /* Open and stat the file */
1524 f = Ufopen(filename, "rb");
1525
1526 if (!f)
1527 {
1528 *error = string_open_failed(errno, "included file %s", filename);
1529 return FF_INCLUDEFAIL;
1530 }
1531
1532 if (fstat(fileno(f), &statbuf) != 0)
1533 {
1534 *error = string_sprintf("failed to stat included file %s: %s",
1535 filename, strerror(errno));
1536 (void)fclose(f);
1537 return FF_INCLUDEFAIL;
1538 }
1539
1540 /* If directory was checked, double check that we opened a regular file */
1541
1542 if (directory && (statbuf.st_mode & S_IFMT) != S_IFREG)
1543 {
1544 *error = string_sprintf("included file %s is not a regular file in "
1545 "the %s directory", filename, directory);
1546 return FF_ERROR;
1547 }
1548
1549 /* Get a buffer and read the contents */
1550
1551 if (statbuf.st_size > MAX_INCLUDE_SIZE)
1552 {
1553 *error = string_sprintf("included file %s is too big (max %d)",
1554 filename, MAX_INCLUDE_SIZE);
1555 return FF_ERROR;
1556 }
1557
1558 filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
1559 if (fread(filebuf, 1, statbuf.st_size, f) != statbuf.st_size)
1560 {
1561 *error = string_sprintf("error while reading included file %s: %s",
1562 filename, strerror(errno));
1563 (void)fclose(f);
1564 return FF_ERROR;
1565 }
1566 filebuf[statbuf.st_size] = 0;
1567 (void)fclose(f);
1568
1569 addr = NULL;
1570 frc = parse_forward_list(filebuf, options, &addr,
1571 error, incoming_domain, directory, syntax_errors);
1572 if (frc != FF_DELIVERED && frc != FF_NOTDELIVERED) return frc;
1573
1574 if (addr)
1575 {
1576 for (last = addr; last->next; last = last->next) count++;
1577 last->next = *anchor;
1578 *anchor = addr;
1579 count++;
1580 }
1581 }
1582
1583 /* Else (not :include:) ensure address is syntactically correct and fully
1584 qualified if not a pipe or a file, removing a leading \ if present on an
1585 unqualified address. For pipes and files we must handle quoting. It's
1586 not quite clear exactly what to do for partially quoted things, but the
1587 common case of having the whole thing in quotes is straightforward. If this
1588 was the case, inquote will have been set TRUE above and the quotes removed.
1589
1590 There is a possible ambiguity over addresses whose local parts start with
1591 a vertical bar or a slash, and the latter do in fact occur, thanks to X.400.
1592 Consider a .forward file that contains the line
1593
1594 /X=xxx/Y=xxx/OU=xxx/@some.gate.way
1595
1596 Is this a file or an X.400 address? Does it make any difference if it is in
1597 quotes? On the grounds that file names of this type are rare, Exim treats
1598 something that parses as an RFC 822 address and has a domain as an address
1599 rather than a file or a pipe. This is also how an address such as the above
1600 would be treated if it came in from outside. */
1601
1602 else
1603 {
1604 int start, end, domain;
1605 uschar *recipient = NULL;
1606 int save = s[len];
1607 s[len] = 0;
1608
1609 /* If it starts with \ and the rest of it parses as a valid mail address
1610 without a domain, carry on with that address, but qualify it with the
1611 incoming domain. Otherwise arrange for the address to fall through,
1612 causing an error message on the re-parse. */
1613
1614 if (*s == '\\')
1615 {
1616 recipient =
1617 parse_extract_address(s+1, error, &start, &end, &domain, FALSE);
1618 if (recipient)
1619 recipient = domain != 0 ? NULL :
1620 string_sprintf("%s@%s", recipient, incoming_domain);
1621 }
1622
1623 /* Try parsing the item as an address. */
1624
1625 if (!recipient) recipient =
1626 parse_extract_address(s, error, &start, &end, &domain, FALSE);
1627
1628 /* If item starts with / or | and is not a valid address, or there
1629 is no domain, treat it as a file or pipe. If it was a quoted item,
1630 remove the quoting occurrences of \ within it. */
1631
1632 if ((*s == '|' || *s == '/') && (recipient == NULL || domain == 0))
1633 {
1634 uschar *t = store_get(Ustrlen(s) + 1, is_tainted(s));
1635 uschar *p = t;
1636 uschar *q = s;
1637 while (*q != 0)
1638 {
1639 if (inquote)
1640 {
1641 *p++ = (*q == '\\')? *(++q) : *q;
1642 q++;
1643 }
1644 else *p++ = *q++;
1645 }
1646 *p = 0;
1647 addr = deliver_make_addr(t, TRUE);
1648 setflag(addr, af_pfr); /* indicates pipe/file/reply */
1649 if (*s != '|') setflag(addr, af_file); /* indicates file */
1650 }
1651
1652 /* Item must be an address. Complain if not, else qualify, rewrite and set
1653 up the control block. It appears that people are in the habit of using
1654 empty addresses but with comments as a way of putting comments into
1655 alias and forward files. Therefore, ignore the error "empty address".
1656 Mailing lists might want to tolerate syntax errors; there is therefore
1657 an option to do so. */
1658
1659 else
1660 {
1661 if (recipient == NULL)
1662 {
1663 if (Ustrcmp(*error, "empty address") == 0)
1664 {
1665 *error = NULL;
1666 s[len] = save;
1667 s = nexts;
1668 continue;
1669 }
1670
1671 if (syntax_errors != NULL)
1672 {
1673 error_block *e = store_get(sizeof(error_block), FALSE);
1674 error_block *last = *syntax_errors;
1675 if (last == NULL) *syntax_errors = e; else
1676 {
1677 while (last->next != NULL) last = last->next;
1678 last->next = e;
1679 }
1680 e->next = NULL;
1681 e->text1 = *error;
1682 e->text2 = string_copy(s);
1683 s[len] = save;
1684 s = nexts;
1685 continue;
1686 }
1687 else
1688 {
1689 *error = string_sprintf("%s in \"%s\"", *error, s);
1690 s[len] = save; /* _after_ using it for *error */
1691 return FF_ERROR;
1692 }
1693 }
1694
1695 /* Address was successfully parsed. Rewrite, and then make an address
1696 block. */
1697
1698 recipient = ((options & RDO_REWRITE) != 0)?
1699 rewrite_address(recipient, TRUE, FALSE, global_rewrite_rules,
1700 rewrite_existflags) :
1701 rewrite_address_qualify(recipient, TRUE);
1702 addr = deliver_make_addr(recipient, TRUE); /* TRUE => copy recipient */
1703 }
1704
1705 /* Restore the final character in the original data, and add to the
1706 output chain. */
1707
1708 s[len] = save;
1709 addr->next = *anchor;
1710 *anchor = addr;
1711 count++;
1712 }
1713
1714 /* Advance pointer for the next address */
1715
1716 s = nexts;
1717 }
1718 }
1719
1720
1721 /*************************************************
1722 * Extract a Message-ID *
1723 *************************************************/
1724
1725 /* This function is used to extract message ids from In-Reply-To: and
1726 References: header lines.
1727
1728 Arguments:
1729 str pointer to the start of the message-id
1730 yield put pointer to the message id (in dynamic memory) here
1731 error put error message here on failure
1732
1733 Returns: points after the processed message-id or NULL on error
1734 */
1735
1736 uschar *
1737 parse_message_id(uschar *str, uschar **yield, uschar **error)
1738 {
1739 uschar *domain = NULL;
1740 uschar *id;
1741 rmark reset_point;
1742
1743 str = skip_comment(str);
1744 if (*str != '<')
1745 {
1746 *error = US"Missing '<' before message-id";
1747 return NULL;
1748 }
1749
1750 /* Getting a block the size of the input string will definitely be sufficient
1751 for the answer, but it may also be very long if we are processing a header
1752 line. Therefore, take care to release unwanted store afterwards. */
1753
1754 reset_point = store_mark();
1755 id = *yield = store_get(Ustrlen(str) + 1, is_tainted(str));
1756 *id++ = *str++;
1757
1758 str = read_addr_spec(str, id, '>', error, &domain);
1759
1760 if (!*error)
1761 {
1762 if (*str != '>') *error = US"Missing '>' after message-id";
1763 else if (domain == NULL) *error = US"domain missing in message-id";
1764 }
1765
1766 if (*error)
1767 {
1768 store_reset(reset_point);
1769 return NULL;
1770 }
1771
1772 while (*id) id++;
1773 *id++ = *str++;
1774 *id++ = 0;
1775 store_release_above(id);
1776
1777 str = skip_comment(str);
1778 return str;
1779 }
1780
1781
1782 /*************************************************
1783 * Parse a fixed digit number *
1784 *************************************************/
1785
1786 /* Parse a string containing an ASCII encoded fixed digits number
1787
1788 Arguments:
1789 str pointer to the start of the ASCII encoded number
1790 n pointer to the resulting value
1791 digits number of required digits
1792
1793 Returns: points after the processed date or NULL on error
1794 */
1795
1796 static uschar *
1797 parse_number(uschar *str, int *n, int digits)
1798 {
1799 *n=0;
1800 while (digits--)
1801 {
1802 if (*str<'0' || *str>'9') return NULL;
1803 *n=10*(*n)+(*str++-'0');
1804 }
1805 return str;
1806 }
1807
1808
1809 /*************************************************
1810 * Parse a RFC 2822 day of week *
1811 *************************************************/
1812
1813 /* Parse the day of the week from a RFC 2822 date, but do not
1814 decode it, because it is only for humans.
1815
1816 Arguments:
1817 str pointer to the start of the day of the week
1818
1819 Returns: points after the parsed day or NULL on error
1820 */
1821
1822 static uschar *
1823 parse_day_of_week(uschar *str)
1824 {
1825 /*
1826 day-of-week = ([FWS] day-name) / obs-day-of-week
1827
1828 day-name = "Mon" / "Tue" / "Wed" / "Thu" /
1829 "Fri" / "Sat" / "Sun"
1830
1831 obs-day-of-week = [CFWS] day-name [CFWS]
1832 */
1833
1834 static const uschar *day_name[7]={ US"mon", US"tue", US"wed", US"thu", US"fri", US"sat", US"sun" };
1835 int i;
1836 uschar day[4];
1837
1838 str=skip_comment(str);
1839 for (i=0; i<3; ++i)
1840 {
1841 if ((day[i]=tolower(*str))=='\0') return NULL;
1842 ++str;
1843 }
1844 day[3]='\0';
1845 for (i=0; i<7; ++i) if (Ustrcmp(day,day_name[i])==0) break;
1846 if (i==7) return NULL;
1847 str=skip_comment(str);
1848 return str;
1849 }
1850
1851
1852 /*************************************************
1853 * Parse a RFC 2822 date *
1854 *************************************************/
1855
1856 /* Parse the date part of a RFC 2822 date-time, extracting the
1857 day, month and year.
1858
1859 Arguments:
1860 str pointer to the start of the date
1861 d pointer to the resulting day
1862 m pointer to the resulting month
1863 y pointer to the resulting year
1864
1865 Returns: points after the processed date or NULL on error
1866 */
1867
1868 static uschar *
1869 parse_date(uschar *str, int *d, int *m, int *y)
1870 {
1871 /*
1872 date = day month year
1873
1874 year = 4*DIGIT / obs-year
1875
1876 obs-year = [CFWS] 2*DIGIT [CFWS]
1877
1878 month = (FWS month-name FWS) / obs-month
1879
1880 month-name = "Jan" / "Feb" / "Mar" / "Apr" /
1881 "May" / "Jun" / "Jul" / "Aug" /
1882 "Sep" / "Oct" / "Nov" / "Dec"
1883
1884 obs-month = CFWS month-name CFWS
1885
1886 day = ([FWS] 1*2DIGIT) / obs-day
1887
1888 obs-day = [CFWS] 1*2DIGIT [CFWS]
1889 */
1890
1891 uschar *c,*n;
1892 static const uschar *month_name[]={ US"jan", US"feb", US"mar", US"apr", US"may", US"jun", US"jul", US"aug", US"sep", US"oct", US"nov", US"dec" };
1893 int i;
1894 uschar month[4];
1895
1896 str=skip_comment(str);
1897 if ((str=parse_number(str,d,1))==NULL) return NULL;
1898 if (*str>='0' && *str<='9') *d=10*(*d)+(*str++-'0');
1899 c=skip_comment(str);
1900 if (c==str) return NULL;
1901 else str=c;
1902 for (i=0; i<3; ++i) if ((month[i]=tolower(*(str+i)))=='\0') return NULL;
1903 month[3]='\0';
1904 for (i=0; i<12; ++i) if (Ustrcmp(month,month_name[i])==0) break;
1905 if (i==12) return NULL;
1906 str+=3;
1907 *m=i;
1908 c=skip_comment(str);
1909 if (c==str) return NULL;
1910 else str=c;
1911 if ((n=parse_number(str,y,4)))
1912 {
1913 str=n;
1914 if (*y<1900) return NULL;
1915 *y=*y-1900;
1916 }
1917 else if ((n=parse_number(str,y,2)))
1918 {
1919 str=skip_comment(n);
1920 while (*(str-1)==' ' || *(str-1)=='\t') --str; /* match last FWS later */
1921 if (*y<50) *y+=100;
1922 }
1923 else return NULL;
1924 return str;
1925 }
1926
1927
1928 /*************************************************
1929 * Parse a RFC 2822 Time *
1930 *************************************************/
1931
1932 /* Parse the time part of a RFC 2822 date-time, extracting the
1933 hour, minute, second and timezone.
1934
1935 Arguments:
1936 str pointer to the start of the time
1937 h pointer to the resulting hour
1938 m pointer to the resulting minute
1939 s pointer to the resulting second
1940 z pointer to the resulting timezone (offset in seconds)
1941
1942 Returns: points after the processed time or NULL on error
1943 */
1944
1945 static uschar *
1946 parse_time(uschar *str, int *h, int *m, int *s, int *z)
1947 {
1948 /*
1949 time = time-of-day FWS zone
1950
1951 time-of-day = hour ":" minute [ ":" second ]
1952
1953 hour = 2DIGIT / obs-hour
1954
1955 obs-hour = [CFWS] 2DIGIT [CFWS]
1956
1957 minute = 2DIGIT / obs-minute
1958
1959 obs-minute = [CFWS] 2DIGIT [CFWS]
1960
1961 second = 2DIGIT / obs-second
1962
1963 obs-second = [CFWS] 2DIGIT [CFWS]
1964
1965 zone = (( "+" / "-" ) 4DIGIT) / obs-zone
1966
1967 obs-zone = "UT" / "GMT" / ; Universal Time
1968 ; North American UT
1969 ; offsets
1970 "EST" / "EDT" / ; Eastern: - 5/ - 4
1971 "CST" / "CDT" / ; Central: - 6/ - 5
1972 "MST" / "MDT" / ; Mountain: - 7/ - 6
1973 "PST" / "PDT" / ; Pacific: - 8/ - 7
1974
1975 %d65-73 / ; Military zones - "A"
1976 %d75-90 / ; through "I" and "K"
1977 %d97-105 / ; through "Z", both
1978 %d107-122 ; upper and lower case
1979 */
1980
1981 uschar *c;
1982
1983 str=skip_comment(str);
1984 if ((str=parse_number(str,h,2))==NULL) return NULL;
1985 str=skip_comment(str);
1986 if (*str!=':') return NULL;
1987 ++str;
1988 str=skip_comment(str);
1989 if ((str=parse_number(str,m,2))==NULL) return NULL;
1990 c=skip_comment(str);
1991 if (*str==':')
1992 {
1993 ++str;
1994 str=skip_comment(str);
1995 if ((str=parse_number(str,s,2))==NULL) return NULL;
1996 c=skip_comment(str);
1997 }
1998 if (c==str) return NULL;
1999 else str=c;
2000 if (*str=='+' || *str=='-')
2001 {
2002 int neg;
2003
2004 neg=(*str=='-');
2005 ++str;
2006 if ((str=parse_number(str,z,4))==NULL) return NULL;
2007 *z=(*z/100)*3600+(*z%100)*60;
2008 if (neg) *z=-*z;
2009 }
2010 else
2011 {
2012 char zone[5];
2013 struct { const char *name; int off; } zone_name[10]=
2014 { {"gmt",0}, {"ut",0}, {"est",-5}, {"edt",-4}, {"cst",-6}, {"cdt",-5}, {"mst",-7}, {"mdt",-6}, {"pst",-8}, {"pdt",-7}};
2015 int i,j;
2016
2017 for (i=0; i<4; ++i)
2018 {
2019 zone[i]=tolower(*(str+i));
2020 if (zone[i]<'a' || zone[i]>'z') break;
2021 }
2022 zone[i]='\0';
2023 for (j=0; j<10 && strcmp(zone,zone_name[j].name); ++j);
2024 /* Besides zones named in the grammar, RFC 2822 says other alphabetic */
2025 /* time zones should be treated as unknown offsets. */
2026 if (j<10)
2027 {
2028 *z=zone_name[j].off*3600;
2029 str+=i;
2030 }
2031 else if (zone[0]<'a' || zone[1]>'z') return 0;
2032 else
2033 {
2034 while ((*str>='a' && *str<='z') || (*str>='A' && *str<='Z')) ++str;
2035 *z=0;
2036 }
2037 }
2038 return str;
2039 }
2040
2041
2042 /*************************************************
2043 * Parse a RFC 2822 date-time *
2044 *************************************************/
2045
2046 /* Parse a RFC 2822 date-time and return it in seconds since the epoch.
2047
2048 Arguments:
2049 str pointer to the start of the date-time
2050 t pointer to the parsed time
2051
2052 Returns: points after the processed date-time or NULL on error
2053 */
2054
2055 uschar *
2056 parse_date_time(uschar *str, time_t *t)
2057 {
2058 /*
2059 date-time = [ day-of-week "," ] date FWS time [CFWS]
2060 */
2061
2062 struct tm tm;
2063 int zone;
2064 extern char **environ;
2065 char **old_environ;
2066 static char gmt0[]="TZ=GMT0";
2067 static char *gmt_env[]={ gmt0, (char*)0 };
2068 uschar *try;
2069
2070 if ((try=parse_day_of_week(str)))
2071 {
2072 str=try;
2073 if (*str!=',') return 0;
2074 ++str;
2075 }
2076 if ((str=parse_date(str,&tm.tm_mday,&tm.tm_mon,&tm.tm_year))==NULL) return NULL;
2077 if (*str!=' ' && *str!='\t') return NULL;
2078 while (*str==' ' || *str=='\t') ++str;
2079 if ((str=parse_time(str,&tm.tm_hour,&tm.tm_min,&tm.tm_sec,&zone))==NULL) return NULL;
2080 tm.tm_isdst=0;
2081 old_environ=environ;
2082 environ=gmt_env;
2083 *t=mktime(&tm);
2084 environ=old_environ;
2085 if (*t==-1) return NULL;
2086 *t-=zone;
2087 str=skip_comment(str);
2088 return str;
2089 }
2090
2091
2092
2093
2094 /*************************************************
2095 **************************************************
2096 * Stand-alone test program *
2097 **************************************************
2098 *************************************************/
2099
2100 #if defined STAND_ALONE
2101 int main(void)
2102 {
2103 int start, end, domain;
2104 uschar buffer[1024];
2105 uschar outbuff[1024];
2106
2107 big_buffer = store_malloc(big_buffer_size);
2108
2109 /* strip_trailing_dot = TRUE; */
2110 allow_domain_literals = TRUE;
2111
2112 printf("Testing parse_fix_phrase\n");
2113
2114 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2115 {
2116 buffer[Ustrlen(buffer)-1] = 0;
2117 if (buffer[0] == 0) break;
2118 printf("%s\n", CS parse_fix_phrase(buffer, Ustrlen(buffer), outbuff,
2119 sizeof(outbuff)));
2120 }
2121
2122 printf("Testing parse_extract_address without group syntax and without UTF-8\n");
2123
2124 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2125 {
2126 uschar *out;
2127 uschar *errmess;
2128 buffer[Ustrlen(buffer) - 1] = 0;
2129 if (buffer[0] == 0) break;
2130 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2131 if (!out)
2132 printf("*** bad address: %s\n", errmess);
2133 else
2134 {
2135 uschar extract[1024];
2136 Ustrncpy(extract, buffer+start, end-start);
2137 extract[end-start] = 0;
2138 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2139 }
2140 }
2141
2142 printf("Testing parse_extract_address without group syntax but with UTF-8\n");
2143
2144 allow_utf8_domains = TRUE;
2145 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2146 {
2147 uschar *out;
2148 uschar *errmess;
2149 buffer[Ustrlen(buffer) - 1] = 0;
2150 if (buffer[0] == 0) break;
2151 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2152 if (!out)
2153 printf("*** bad address: %s\n", errmess);
2154 else
2155 {
2156 uschar extract[1024];
2157 Ustrncpy(extract, buffer+start, end-start);
2158 extract[end-start] = 0;
2159 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2160 }
2161 }
2162 allow_utf8_domains = FALSE;
2163
2164 printf("Testing parse_extract_address with group syntax\n");
2165
2166 f.parse_allow_group = TRUE;
2167 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2168 {
2169 uschar *out;
2170 uschar *errmess;
2171 uschar *s;
2172 buffer[Ustrlen(buffer) - 1] = 0;
2173 if (buffer[0] == 0) break;
2174 s = buffer;
2175 while (*s)
2176 {
2177 uschar *ss = parse_find_address_end(s, FALSE);
2178 int terminator = *ss;
2179 *ss = 0;
2180 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2181 *ss = terminator;
2182
2183 if (!out)
2184 printf("*** bad address: %s\n", errmess);
2185 else
2186 {
2187 uschar extract[1024];
2188 Ustrncpy(extract, buffer+start, end-start);
2189 extract[end-start] = 0;
2190 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2191 }
2192
2193 s = ss + (terminator? 1:0);
2194 Uskip_whitespace(&s);
2195 }
2196 }
2197
2198 printf("Testing parse_find_at\n");
2199
2200 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2201 {
2202 uschar *s;
2203 buffer[Ustrlen(buffer)-1] = 0;
2204 if (buffer[0] == 0) break;
2205 s = parse_find_at(buffer);
2206 if (s == NULL) printf("no @ found\n");
2207 else printf("offset = %d\n", s - buffer);
2208 }
2209
2210 printf("Testing parse_extract_addresses\n");
2211
2212 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2213 {
2214 uschar *errmess;
2215 int extracted;
2216 address_item *anchor = NULL;
2217 buffer[Ustrlen(buffer) - 1] = 0;
2218 if (buffer[0] == 0) break;
2219 if ((extracted = parse_forward_list(buffer, -1, &anchor,
2220 &errmess, US"incoming.domain", NULL, NULL)) == FF_DELIVERED)
2221 {
2222 while (anchor != NULL)
2223 {
2224 address_item *addr = anchor;
2225 anchor = anchor->next;
2226 printf("%d %s\n", testflag(addr, af_pfr), addr->address);
2227 }
2228 }
2229 else printf("Failed: %d %s\n", extracted, errmess);
2230 }
2231
2232 printf("Testing parse_message_id\n");
2233
2234 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2235 {
2236 uschar *s, *t, *errmess;
2237 buffer[Ustrlen(buffer) - 1] = 0;
2238 if (buffer[0] == 0) break;
2239 s = buffer;
2240 while (*s != 0)
2241 {
2242 s = parse_message_id(s, &t, &errmess);
2243 if (errmess != NULL)
2244 {
2245 printf("Failed: %s\n", errmess);
2246 break;
2247 }
2248 printf("%s\n", t);
2249 }
2250 }
2251
2252 return 0;
2253 }
2254
2255 #endif
2256
2257 /* End of parse.c */
Unnamed repository; edit this file 'description' to name the repository.