ff814e738b6217b3f6207350c6c7fecead9a64ae
[exim.git] / src / src / parse.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2009 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for parsing addresses */
9
10
11 #include "exim.h"
12
13
14 static uschar *last_comment_position;
15
16
17
18 /* In stand-alone mode, provide a replacement for deliver_make_addr()
19 and rewrite_address[_qualify]() so as to avoid having to drag in too much
20 redundant apparatus. */
21
22 #ifdef STAND_ALONE
23
24 address_item *deliver_make_addr(uschar *address, BOOL copy)
25 {
26 address_item *addr = store_get(sizeof(address_item));
27 addr->next = NULL;
28 addr->parent = NULL;
29 addr->address = address;
30 return addr;
31 }
32
33 uschar *rewrite_address(uschar *recipient, BOOL dummy1, BOOL dummy2, rewrite_rule
34 *dummy3, int dummy4)
35 {
36 return recipient;
37 }
38
39 uschar *rewrite_address_qualify(uschar *recipient, BOOL dummy1)
40 {
41 return recipient;
42 }
43
44 #endif
45
46
47
48
49 /*************************************************
50 * Find the end of an address *
51 *************************************************/
52
53 /* Scan over a string looking for the termination of an address at a comma,
54 or end of the string. It's the source-routed addresses which cause much pain
55 here. Although Exim ignores source routes, it must recognize such addresses, so
56 we cannot get rid of this logic.
57
58 Argument:
59 s pointer to the start of an address
60 nl_ends if TRUE, '\n' terminates an address
61
62 Returns: pointer past the end of the address
63 (i.e. points to null or comma)
64 */
65
66 uschar *
67 parse_find_address_end(uschar *s, BOOL nl_ends)
68 {
69 BOOL source_routing = *s == '@';
70 int no_term = source_routing? 1 : 0;
71
72 while (*s != 0 && (*s != ',' || no_term > 0) && (*s != '\n' || !nl_ends))
73 {
74 /* Skip single quoted characters. Strictly these should not occur outside
75 quoted strings in RFC 822 addresses, but they can in RFC 821 addresses. Pity
76 about the lack of consistency, isn't it? */
77
78 if (*s == '\\' && s[1] != 0) s += 2;
79
80 /* Skip quoted items that are not inside brackets. Note that
81 quoted pairs are allowed inside quoted strings. */
82
83 else if (*s == '\"')
84 {
85 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
86 {
87 if (*s == '\\' && s[1] != 0) s++;
88 else if (*s == '\"') { s++; break; }
89 }
90 }
91
92 /* Skip comments, which may include nested brackets, but quotes
93 are not recognized inside comments, though quoted pairs are. */
94
95 else if (*s == '(')
96 {
97 int level = 1;
98 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
99 {
100 if (*s == '\\' && s[1] != 0) s++;
101 else if (*s == '(') level++;
102 else if (*s == ')' && --level <= 0) { s++; break; }
103 }
104 }
105
106 /* Non-special character; just advance. Passing the colon in a source
107 routed address means that any subsequent comma or colon may terminate unless
108 inside angle brackets. */
109
110 else
111 {
112 if (*s == '<')
113 {
114 source_routing = s[1] == '@';
115 no_term = source_routing? 2 : 1;
116 }
117 else if (*s == '>') no_term--;
118 else if (source_routing && *s == ':') no_term--;
119 s++;
120 }
121 }
122
123 return s;
124 }
125
126
127
128 /*************************************************
129 * Find last @ in an address *
130 *************************************************/
131
132 /* This function is used when we have something that may not qualified. If we
133 know it's qualified, searching for the rightmost '@' is sufficient. Here we
134 have to be a bit more clever than just a plain search, in order to handle
135 unqualified local parts like "thing@thong" correctly. Since quotes may not
136 legally be part of a domain name, we can give up on hitting the first quote
137 when searching from the right. Now that the parsing also permits the RFC 821
138 form of address, where quoted-pairs are allowed in unquoted local parts, we
139 must take care to handle that too.
140
141 Argument: pointer to an address, possibly unqualified
142 Returns: pointer to the last @ in an address, or NULL if none
143 */
144
145 uschar *
146 parse_find_at(uschar *s)
147 {
148 uschar *t = s + Ustrlen(s);
149 while (--t >= s)
150 {
151 if (*t == '@')
152 {
153 int backslash_count = 0;
154 uschar *tt = t - 1;
155 while (tt > s && *tt-- == '\\') backslash_count++;
156 if ((backslash_count & 1) == 0) return t;
157 }
158 else if (*t == '\"') return NULL;
159 }
160 return NULL;
161 }
162
163
164
165
166 /***************************************************************************
167 * In all the functions below that read a particular object type from *
168 * the input, return the new value of the pointer s (the first argument), *
169 * and put the object into the store pointed to by t (the second argument), *
170 * adding a terminating zero. If no object is found, t will point to zero *
171 * on return. *
172 ***************************************************************************/
173
174
175 /*************************************************
176 * Skip white space and comment *
177 *************************************************/
178
179 /* Algorithm:
180 (1) Skip spaces.
181 (2) If uschar not '(', return.
182 (3) Skip till matching ')', not counting any characters
183 escaped with '\'.
184 (4) Move past ')' and goto (1).
185
186 The start of the last potential comment position is remembered to
187 make it possible to ignore comments at the end of compound items.
188
189 Argument: current character pointer
190 Regurns: new character pointer
191 */
192
193 static uschar *
194 skip_comment(uschar *s)
195 {
196 last_comment_position = s;
197 while (*s)
198 {
199 int c, level;
200 while (isspace(*s)) s++;
201 if (*s != '(') break;
202 level = 1;
203 while((c = *(++s)) != 0)
204 {
205 if (c == '(') level++;
206 else if (c == ')') { if (--level <= 0) { s++; break; } }
207 else if (c == '\\' && s[1] != 0) s++;
208 }
209 }
210 return s;
211 }
212
213
214
215 /*************************************************
216 * Read a domain *
217 *************************************************/
218
219 /* A domain is a sequence of subdomains, separated by dots. See comments below
220 for detailed syntax of the subdomains.
221
222 If allow_domain_literals is TRUE, a "domain" may also be an IP address enclosed
223 in []. Make sure the output is set to the null string if there is a syntax
224 error as well as if there is no domain at all.
225
226 Arguments:
227 s current character pointer
228 t where to put the domain
229 errorptr put error message here on failure (*t will be 0 on exit)
230
231 Returns: new character pointer
232 */
233
234 static uschar *
235 read_domain(uschar *s, uschar *t, uschar **errorptr)
236 {
237 uschar *tt = t;
238 s = skip_comment(s);
239
240 /* Handle domain literals if permitted. An RFC 822 domain literal may contain
241 any character except [ ] \, including linear white space, and may contain
242 quoted characters. However, RFC 821 restricts literals to being dot-separated
243 3-digit numbers, and we make the obvious extension for IPv6. Go for a sequence
244 of digits, dots, hex digits, and colons here; later this will be checked for
245 being a syntactically valid IP address if it ever gets to a router.
246
247 Allow both the formal IPv6 form, with IPV6: at the start, and the informal form
248 without it, and accept IPV4: as well, 'cause someone will use it sooner or
249 later. */
250
251 if (*s == '[')
252 {
253 *t++ = *s++;
254
255 if (strncmpic(s, US"IPv6:", 5) == 0 || strncmpic(s, US"IPv4:", 5) == 0)
256 {
257 memcpy(t, s, 5);
258 t += 5;
259 s += 5;
260 }
261 while (*s == '.' || *s == ':' || isxdigit(*s)) *t++ = *s++;
262
263 if (*s == ']') *t++ = *s++; else
264 {
265 *errorptr = US"malformed domain literal";
266 *tt = 0;
267 }
268
269 if (!allow_domain_literals)
270 {
271 *errorptr = US"domain literals not allowed";
272 *tt = 0;
273 }
274 *t = 0;
275 return skip_comment(s);
276 }
277
278 /* Handle a proper domain, which is a sequence of dot-separated atoms. Remove
279 trailing dots if strip_trailing_dot is set. A subdomain is an atom.
280
281 An atom is a sequence of any characters except specials, space, and controls.
282 The specials are ( ) < > @ , ; : \ " . [ and ]. This is the rule for RFC 822
283 and its successor (RFC 2822). However, RFC 821 and its successor (RFC 2821) is
284 tighter, allowing only letters, digits, and hyphens, not starting with a
285 hyphen.
286
287 There used to be a global flag that got set when checking addresses that came
288 in over SMTP and which should therefore should be checked according to the
289 stricter rule. However, it seems silly to make the distinction, because I don't
290 suppose anybody ever uses local domains that are 822-compliant and not
291 821-compliant. Furthermore, Exim now has additional data on the spool file line
292 after an address (after "one_time" processing), and it makes use of a #
293 character to delimit it. When I wrote that code, I forgot about this 822-domain
294 stuff, and assumed # could never appear in a domain.
295
296 So the old code is now cut out for Release 4.11 onwards, on 09-Aug-02. In a few
297 years, when we are sure this isn't actually causing trouble, throw it away.
298
299 March 2003: the story continues: There is a camp that is arguing for the use of
300 UTF-8 in domain names as the way to internationalization, and other MTAs
301 support this. Therefore, we now have a flag that permits the use of characters
302 with values greater than 127, encoded in UTF-8, in subdomains, so that Exim can
303 be used experimentally in this way. */
304
305 for (;;)
306 {
307 uschar *tsave = t;
308
309 /*********************
310 if (rfc821_domains)
311 {
312 if (*s != '-') while (isalnum(*s) || *s == '-') *t++ = *s++;
313 }
314 else
315 while (!mac_iscntrl_or_special(*s)) *t++ = *s++;
316 *********************/
317
318 if (*s != '-')
319 {
320 /* Only letters, digits, and hyphens */
321
322 if (!allow_utf8_domains)
323 {
324 while (isalnum(*s) || *s == '-') *t++ = *s++;
325 }
326
327 /* Permit legal UTF-8 characters to be included */
328
329 else for(;;)
330 {
331 int i, d;
332 if (isalnum(*s) || *s == '-') /* legal ascii characters */
333 {
334 *t++ = *s++;
335 continue;
336 }
337 if ((*s & 0xc0) != 0xc0) break; /* not start of UTF-8 character */
338 d = *s << 2;
339 for (i = 1; i < 6; i++) /* i is the number of additional bytes */
340 {
341 if ((d & 0x80) == 0) break;
342 d <<= 1;
343 }
344 if (i == 6) goto BAD_UTF8; /* invalid UTF-8 */
345 *t++ = *s++; /* leading UTF-8 byte */
346 while (i-- > 0) /* copy and check remainder */
347 {
348 if ((*s & 0xc0) != 0x80)
349 {
350 BAD_UTF8:
351 *errorptr = US"invalid UTF-8 byte sequence";
352 *tt = 0;
353 return s;
354 }
355 *t++ = *s++;
356 }
357 } /* End of loop for UTF-8 character */
358 } /* End of subdomain */
359
360 s = skip_comment(s);
361 *t = 0;
362
363 if (t == tsave) /* empty component */
364 {
365 if (strip_trailing_dot && t > tt && *s != '.') t[-1] = 0; else
366 {
367 *errorptr = US"domain missing or malformed";
368 *tt = 0;
369 }
370 return s;
371 }
372
373 if (*s != '.') break;
374 *t++ = *s++;
375 s = skip_comment(s);
376 }
377
378 return s;
379 }
380
381
382
383 /*************************************************
384 * Read a local-part *
385 *************************************************/
386
387 /* A local-part is a sequence of words, separated by periods. A null word
388 between dots is not strictly allowed but apparently many mailers permit it,
389 so, sigh, better be compatible. Even accept a trailing dot...
390
391 A <word> is either a quoted string, or an <atom>, which is a sequence
392 of any characters except specials, space, and controls. The specials are
393 ( ) < > @ , ; : \ " . [ and ]. In RFC 822, a single quoted character, (a
394 quoted-pair) is not allowed in a word. However, in RFC 821, it is permitted in
395 the local part of an address. Rather than have separate parsing functions for
396 the different cases, take the liberal attitude always. At least one MUA is
397 happy to recognize this case; I don't know how many other programs do.
398
399 Arguments:
400 s current character pointer
401 t where to put the local part
402 error where to point error text
403 allow_null TRUE if an empty local part is not an error
404
405 Returns: new character pointer
406 */
407
408 static uschar *
409 read_local_part(uschar *s, uschar *t, uschar **error, BOOL allow_null)
410 {
411 uschar *tt = t;
412 *error = NULL;
413 for (;;)
414 {
415 int c;
416 uschar *tsave = t;
417 s = skip_comment(s);
418
419 /* Handle a quoted string */
420
421 if (*s == '\"')
422 {
423 *t++ = '\"';
424 while ((c = *(++s)) != 0 && c != '\"')
425 {
426 *t++ = c;
427 if (c == '\\' && s[1] != 0) *t++ = *(++s);
428 }
429 if (c == '\"')
430 {
431 s++;
432 *t++ = '\"';
433 }
434 else
435 {
436 *error = US"unmatched doublequote in local part";
437 return s;
438 }
439 }
440
441 /* Handle an atom, but allow quoted pairs within it. */
442
443 else while (!mac_iscntrl_or_special(*s) || *s == '\\')
444 {
445 c = *t++ = *s++;
446 if (c == '\\' && *s != 0) *t++ = *s++;
447 }
448
449 /* Terminate the word and skip subsequent comment */
450
451 *t = 0;
452 s = skip_comment(s);
453
454 /* If we have read a null component at this point, give an error unless it is
455 terminated by a dot - an extension to RFC 822 - or if it is the first
456 component of the local part and an empty local part is permitted, in which
457 case just return normally. */
458
459 if (t == tsave && *s != '.')
460 {
461 if (t == tt && !allow_null)
462 *error = US"missing or malformed local part";
463 return s;
464 }
465
466 /* Anything other than a dot terminates the local part. Treat multiple dots
467 as a single dot, as this seems to be a common extension. */
468
469 if (*s != '.') break;
470 do { *t++ = *s++; } while (*s == '.');
471 }
472
473 return s;
474 }
475
476
477 /*************************************************
478 * Read route part of route-addr *
479 *************************************************/
480
481 /* The pointer is at the initial "@" on entry. Return it following the
482 terminating colon. Exim no longer supports the use of source routes, but it is
483 required to accept the syntax.
484
485 Arguments:
486 s current character pointer
487 t where to put the route
488 errorptr where to put an error message
489
490 Returns: new character pointer
491 */
492
493 static uschar *
494 read_route(uschar *s, uschar *t, uschar **errorptr)
495 {
496 BOOL commas = FALSE;
497 *errorptr = NULL;
498
499 while (*s == '@')
500 {
501 *t++ = '@';
502 s = read_domain(s+1, t, errorptr);
503 if (*t == 0) return s;
504 t += Ustrlen((const uschar *)t);
505 if (*s != ',') break;
506 *t++ = *s++;
507 commas = TRUE;
508 s = skip_comment(s);
509 }
510
511 if (*s == ':') *t++ = *s++;
512
513 /* If there is no colon, and there were no commas, the most likely error
514 is in fact a missing local part in the address rather than a missing colon
515 after the route. */
516
517 else *errorptr = commas?
518 US"colon expected after route list" :
519 US"no local part";
520
521 /* Terminate the route and return */
522
523 *t = 0;
524 return skip_comment(s);
525 }
526
527
528
529 /*************************************************
530 * Read addr-spec *
531 *************************************************/
532
533 /* Addr-spec is local-part@domain. We make the domain optional -
534 the expected terminator for the whole thing is passed to check this.
535 This function is called only when we know we have a route-addr.
536
537 Arguments:
538 s current character pointer
539 t where to put the addr-spec
540 term expected terminator (0 or >)
541 errorptr where to put an error message
542 domainptr set to point to the start of the domain
543
544 Returns: new character pointer
545 */
546
547 static uschar *
548 read_addr_spec(uschar *s, uschar *t, int term, uschar **errorptr,
549 uschar **domainptr)
550 {
551 s = read_local_part(s, t, errorptr, FALSE);
552 if (*errorptr == NULL)
553 {
554 if (*s != term)
555 {
556 if (*s != '@')
557 *errorptr = string_sprintf("\"@\" or \".\" expected after \"%s\"", t);
558 else
559 {
560 t += Ustrlen((const uschar *)t);
561 *t++ = *s++;
562 *domainptr = t;
563 s = read_domain(s, t, errorptr);
564 }
565 }
566 }
567 return s;
568 }
569
570
571
572 /*************************************************
573 * Extract operative address *
574 *************************************************/
575
576 /* This function extracts an operative address from a full RFC822 mailbox and
577 returns it in a piece of dynamic store. We take the easy way and get a piece
578 of store the same size as the input, and then copy into it whatever is
579 necessary. If we cannot find a valid address (syntax error), return NULL, and
580 point the error pointer to the reason. The arguments "start" and "end" are used
581 to return the offsets of the first and one past the last characters in the
582 original mailbox of the address that has been extracted, to aid in re-writing.
583 The argument "domain" is set to point to the first character after "@" in the
584 final part of the returned address, or zero if there is no @.
585
586 Exim no longer supports the use of source routed addresses (those of the form
587 @domain,...:route_addr). It recognizes the syntax, but collapses such addresses
588 down to their final components. Formerly, collapse_source_routes had to be set
589 to achieve this effect. RFC 1123 allows collapsing with MAY, while the revision
590 of RFC 821 had increased this to SHOULD, so I've gone for it, because it makes
591 a lot of code elsewhere in Exim much simpler.
592
593 There are some special fudges here for handling RFC 822 group address notation
594 which may appear in certain headers. If the flag parse_allow_group is set
595 TRUE and parse_found_group is FALSE when this function is called, an address
596 which is the start of a group (i.e. preceded by a phrase and a colon) is
597 recognized; the phrase is ignored and the flag parse_found_group is set. If
598 this flag is TRUE at the end of an address, and if an extraneous semicolon is
599 found, it is ignored and the flag is cleared.
600
601 This logic is used only when scanning through addresses in headers, either to
602 fulfil the -t option, or for rewriting, or for checking header syntax. Because
603 the group "state" has to be remembered between multiple calls of this function,
604 the variables parse_{allow,found}_group are global. It is important to ensure
605 that they are reset to FALSE at the end of scanning a header's list of
606 addresses.
607
608 Arguments:
609 mailbox points to the RFC822 mailbox
610 errorptr where to point an error message
611 start set to start offset in mailbox
612 end set to end offset in mailbox
613 domain set to domain offset in result, or 0 if no domain present
614 allow_null allow <> if TRUE
615
616 Returns: points to the extracted address, or NULL on error
617 */
618
619 #define FAILED(s) { *errorptr = s; goto PARSE_FAILED; }
620
621 uschar *
622 parse_extract_address(uschar *mailbox, uschar **errorptr, int *start, int *end,
623 int *domain, BOOL allow_null)
624 {
625 uschar *yield = store_get(Ustrlen(mailbox) + 1);
626 uschar *startptr, *endptr;
627 uschar *s = (uschar *)mailbox;
628 uschar *t = (uschar *)yield;
629
630 *domain = 0;
631
632 /* At the start of the string we expect either an addr-spec or a phrase
633 preceding a <route-addr>. If groups are allowed, we might also find a phrase
634 preceding a colon and an address. If we find an initial word followed by
635 a dot, strict interpretation of the RFC would cause it to be taken
636 as the start of an addr-spec. However, many mailers break the rules
637 and use addresses of the form "a.n.other <ano@somewhere>" and so we
638 allow this case. */
639
640 RESTART: /* Come back here after passing a group name */
641
642 s = skip_comment(s);
643 startptr = s; /* In case addr-spec */
644 s = read_local_part(s, t, errorptr, TRUE); /* Dot separated words */
645 if (*errorptr != NULL) goto PARSE_FAILED;
646
647 /* If the terminator is neither < nor @ then the format of the address
648 must either be a bare local-part (we are now at the end), or a phrase
649 followed by a route-addr (more words must follow). */
650
651 if (*s != '@' && *s != '<')
652 {
653 if (*s == 0 || *s == ';')
654 {
655 if (*t == 0) FAILED(US"empty address");
656 endptr = last_comment_position;
657 goto PARSE_SUCCEEDED; /* Bare local part */
658 }
659
660 /* Expect phrase route-addr, or phrase : if groups permitted, but allow
661 dots in the phrase; complete the loop only when '<' or ':' is encountered -
662 end of string will produce a null local_part and therefore fail. We don't
663 need to keep updating t, as the phrase isn't to be kept. */
664
665 while (*s != '<' && (!parse_allow_group || *s != ':'))
666 {
667 s = read_local_part(s, t, errorptr, FALSE);
668 if (*errorptr != NULL)
669 {
670 *errorptr = string_sprintf("%s (expected word or \"<\")", *errorptr);
671 goto PARSE_FAILED;
672 }
673 }
674
675 if (*s == ':')
676 {
677 parse_found_group = TRUE;
678 parse_allow_group = FALSE;
679 s++;
680 goto RESTART;
681 }
682
683 /* Assert *s == '<' */
684 }
685
686 /* At this point the next character is either '@' or '<'. If it is '@', only a
687 single local-part has previously been read. An angle bracket signifies the
688 start of an <addr-spec>. Throw away anything we have saved so far before
689 processing it. Note that this is "if" rather than "else if" because it's also
690 used after reading a preceding phrase.
691
692 There are a lot of broken sendmails out there that put additional pairs of <>
693 round <route-addr>s. If strip_excess_angle_brackets is set, allow any number of
694 them, as long as they match. */
695
696 if (*s == '<')
697 {
698 uschar *domainptr = yield;
699 BOOL source_routed = FALSE;
700 int bracket_count = 1;
701
702 s++;
703 if (strip_excess_angle_brackets)
704 while (*s == '<') { bracket_count++; s++; }
705
706 t = yield;
707 startptr = s;
708 s = skip_comment(s);
709
710 /* Read an optional series of routes, each of which is a domain. They
711 are separated by commas and terminated by a colon. However, we totally ignore
712 such routes (RFC 1123 says we MAY, and the revision of RFC 821 says we
713 SHOULD). */
714
715 if (*s == '@')
716 {
717 s = read_route(s, t, errorptr);
718 if (*errorptr != NULL) goto PARSE_FAILED;
719 *t = 0; /* Ensure route is ignored - probably overkill */
720 source_routed = TRUE;
721 }
722
723 /* Now an addr-spec, terminated by '>'. If there is no preceding route,
724 we must allow an empty addr-spec if allow_null is TRUE, to permit the
725 address "<>" in some circumstances. A source-routed address MUST have
726 a domain in the final part. */
727
728 if (allow_null && !source_routed && *s == '>')
729 {
730 *t = 0;
731 *errorptr = NULL;
732 }
733 else
734 {
735 s = read_addr_spec(s, t, '>', errorptr, &domainptr);
736 if (*errorptr != NULL) goto PARSE_FAILED;
737 *domain = domainptr - yield;
738 if (source_routed && *domain == 0)
739 FAILED(US"domain missing in source-routed address");
740 }
741
742 endptr = s;
743 if (*errorptr != NULL) goto PARSE_FAILED;
744 while (bracket_count-- > 0) if (*s++ != '>')
745 {
746 *errorptr = (s[-1] == 0)? US"'>' missing at end of address" :
747 string_sprintf("malformed address: %.32s may not follow %.*s",
748 s-1, s - (uschar *)mailbox - 1, mailbox);
749 goto PARSE_FAILED;
750 }
751
752 s = skip_comment(s);
753 }
754
755 /* Hitting '@' after the first local-part means we have definitely got an
756 addr-spec, on a strict reading of the RFC, and the rest of the string
757 should be the domain. However, for flexibility we allow for a route-address
758 not enclosed in <> as well, which is indicated by an empty first local
759 part preceding '@'. The source routing is, however, ignored. */
760
761 else if (*t == 0)
762 {
763 uschar *domainptr = yield;
764 s = read_route(s, t, errorptr);
765 if (*errorptr != NULL) goto PARSE_FAILED;
766 *t = 0; /* Ensure route is ignored - probably overkill */
767 s = read_addr_spec(s, t, 0, errorptr, &domainptr);
768 if (*errorptr != NULL) goto PARSE_FAILED;
769 *domain = domainptr - yield;
770 endptr = last_comment_position;
771 if (*domain == 0) FAILED(US"domain missing in source-routed address");
772 }
773
774 /* This is the strict case of local-part@domain. */
775
776 else
777 {
778 t += Ustrlen((const uschar *)t);
779 *t++ = *s++;
780 *domain = t - yield;
781 s = read_domain(s, t, errorptr);
782 if (*t == 0) goto PARSE_FAILED;
783 endptr = last_comment_position;
784 }
785
786 /* Use goto to get here from the bare local part case. Arrive by falling
787 through for other cases. Endptr may have been moved over whitespace, so
788 move it back past white space if necessary. */
789
790 PARSE_SUCCEEDED:
791 if (*s != 0)
792 {
793 if (parse_found_group && *s == ';')
794 {
795 parse_found_group = FALSE;
796 parse_allow_group = TRUE;
797 }
798 else
799 {
800 *errorptr = string_sprintf("malformed address: %.32s may not follow %.*s",
801 s, s - (uschar *)mailbox, mailbox);
802 goto PARSE_FAILED;
803 }
804 }
805 *start = startptr - (uschar *)mailbox; /* Return offsets */
806 while (isspace(endptr[-1])) endptr--;
807 *end = endptr - (uschar *)mailbox;
808
809 /* Although this code has no limitation on the length of address extracted,
810 other parts of Exim may have limits, and in any case, RFC 2821 limits local
811 parts to 64 and domains to 255, so we do a check here, giving an error if the
812 address is ridiculously long. */
813
814 if (*end - *start > ADDRESS_MAXLENGTH)
815 {
816 *errorptr = string_sprintf("address is ridiculously long: %.64s...", yield);
817 return NULL;
818 }
819
820 return (uschar *)yield;
821
822 /* Use goto (via the macro FAILED) to get to here from a variety of places.
823 We might have an empty address in a group - the caller can choose to ignore
824 this. We must, however, keep the flags correct. */
825
826 PARSE_FAILED:
827 if (parse_found_group && *s == ';')
828 {
829 parse_found_group = FALSE;
830 parse_allow_group = TRUE;
831 }
832 return NULL;
833 }
834
835 #undef FAILED
836
837
838
839 /*************************************************
840 * Quote according to RFC 2047 *
841 *************************************************/
842
843 /* This function is used for quoting text in headers according to RFC 2047.
844 If the only characters that strictly need quoting are spaces, we return the
845 original string, unmodified. If a quoted string is too long for the buffer, it
846 is truncated. (This shouldn't happen: this is normally handling short strings.)
847
848 Hmmph. As always, things get perverted for other uses. This function was
849 originally for the "phrase" part of addresses. Now it is being used for much
850 longer texts in ACLs and via the ${rfc2047: expansion item. This means we have
851 to check for overlong "encoded-word"s and split them. November 2004.
852
853 Arguments:
854 string the string to quote - already checked to contain non-printing
855 chars
856 len the length of the string
857 charset the name of the character set; NULL => iso-8859-1
858 buffer the buffer to put the answer in
859 buffer_size the size of the buffer
860 fold if TRUE, a newline is inserted before the separating space when
861 more than one encoded-word is generated
862
863 Returns: pointer to the original string, if no quoting needed, or
864 pointer to buffer containing the quoted string, or
865 a pointer to "String too long" if the buffer can't even hold
866 the introduction
867 */
868
869 const uschar *
870 parse_quote_2047(const uschar *string, int len, uschar *charset, uschar *buffer,
871 int buffer_size, BOOL fold)
872 {
873 const uschar *s = string;
874 uschar *p, *t;
875 int hlen;
876 BOOL coded = FALSE;
877 BOOL first_byte = FALSE;
878
879 if (charset == NULL) charset = US"iso-8859-1";
880
881 /* We don't expect this to fail! */
882
883 if (!string_format(buffer, buffer_size, "=?%s?Q?", charset))
884 return US"String too long";
885
886 hlen = Ustrlen(buffer);
887 t = buffer + hlen;
888 p = buffer;
889
890 for (; len > 0; len--)
891 {
892 int ch = *s++;
893 if (t > buffer + buffer_size - hlen - 8) break;
894
895 if ((t - p > 67) && !first_byte)
896 {
897 *t++ = '?';
898 *t++ = '=';
899 if (fold) *t++ = '\n';
900 *t++ = ' ';
901 p = t;
902 Ustrncpy(p, buffer, hlen);
903 t += hlen;
904 }
905
906 if (ch < 33 || ch > 126 ||
907 Ustrchr("?=()<>@,;:\\\".[]_", ch) != NULL)
908 {
909 if (ch == ' ')
910 {
911 *t++ = '_';
912 first_byte = FALSE;
913 }
914 else
915 {
916 sprintf(CS t, "=%02X", ch);
917 while (*t != 0) t++;
918 coded = TRUE;
919 first_byte = !first_byte;
920 }
921 }
922 else { *t++ = ch; first_byte = FALSE; }
923 }
924
925 *t++ = '?';
926 *t++ = '=';
927 *t = 0;
928
929 return coded? buffer : string;
930 }
931
932
933
934
935 /*************************************************
936 * Fix up an RFC 822 "phrase" *
937 *************************************************/
938
939 /* This function is called to repair any syntactic defects in the "phrase" part
940 of an RFC822 address. In particular, it is applied to the user's name as read
941 from the passwd file when accepting a local message, and to the data from the
942 -F option.
943
944 If the string contains existing quoted strings or comments containing
945 freestanding quotes, then we just quote those bits that need quoting -
946 otherwise it would get awfully messy and probably not look good. If not, we
947 quote the whole thing if necessary. Thus
948
949 John Q. Smith => "John Q. Smith"
950 John "Jack" Smith => John "Jack" Smith
951 John "Jack" Q. Smith => John "Jack" "Q." Smith
952 John (Jack) Q. Smith => "John (Jack) Q. Smith"
953 John ("Jack") Q. Smith => John ("Jack") "Q." Smith
954 but
955 John (\"Jack\") Q. Smith => "John (\"Jack\") Q. Smith"
956
957 Sheesh! This is tedious code. It is a great pity that the syntax of RFC822 is
958 the way it is...
959
960 August 2000: Additional code added:
961
962 Previously, non-printing characters were turned into question marks, which do
963 not need to be quoted.
964
965 Now, a different tactic is used if there are any non-printing ASCII
966 characters. The encoding method from RFC 2047 is used, assuming iso-8859-1 as
967 the character set.
968
969 We *could* use this for all cases, getting rid of the messy original code,
970 but leave it for now. It would complicate simple cases like "John Q. Smith".
971
972 The result is passed back in the buffer; it is usually going to be added to
973 some other string. In order to be sure there is going to be no overflow,
974 restrict the length of the input to 1/4 of the buffer size - this allows for
975 every single character to be quoted or encoded without overflowing, and that
976 wouldn't happen because of amalgamation. If the phrase is too long, return a
977 fixed string.
978
979 Arguments:
980 phrase an RFC822 phrase
981 len the length of the phrase
982 buffer a buffer to put the result in
983 buffer_size the size of the buffer
984
985 Returns: the fixed RFC822 phrase
986 */
987
988 const uschar *
989 parse_fix_phrase(const uschar *phrase, int len, uschar *buffer, int buffer_size)
990 {
991 int ch, i;
992 BOOL quoted = FALSE;
993 const uschar *s, *end;
994 uschar *t, *yield;
995
996 while (len > 0 && isspace(*phrase)) { phrase++; len--; }
997 if (len > buffer_size/4) return US"Name too long";
998
999 /* See if there are any non-printing characters, and if so, use the RFC 2047
1000 encoding for the whole thing. */
1001
1002 for (i = 0, s = phrase; i < len; i++, s++)
1003 if ((*s < 32 && *s != '\t') || *s > 126) break;
1004
1005 if (i < len) return parse_quote_2047(phrase, len, headers_charset, buffer,
1006 buffer_size, FALSE);
1007
1008 /* No non-printers; use the RFC 822 quoting rules */
1009
1010 s = phrase;
1011 end = s + len;
1012 yield = t = buffer + 1;
1013
1014 while (s < end)
1015 {
1016 ch = *s++;
1017
1018 /* Copy over quoted strings, remembering we encountered one */
1019
1020 if (ch == '\"')
1021 {
1022 *t++ = '\"';
1023 while (s < end && (ch = *s++) != '\"')
1024 {
1025 *t++ = ch;
1026 if (ch == '\\' && s < end) *t++ = *s++;
1027 }
1028 *t++ = '\"';
1029 if (s >= end) break;
1030 quoted = TRUE;
1031 }
1032
1033 /* Copy over comments, noting if they contain freestanding quote
1034 characters */
1035
1036 else if (ch == '(')
1037 {
1038 int level = 1;
1039 *t++ = '(';
1040 while (s < end)
1041 {
1042 ch = *s++;
1043 *t++ = ch;
1044 if (ch == '(') level++;
1045 else if (ch == ')') { if (--level <= 0) break; }
1046 else if (ch == '\\' && s < end) *t++ = *s++ & 127;
1047 else if (ch == '\"') quoted = TRUE;
1048 }
1049 if (ch == 0)
1050 {
1051 while (level--) *t++ = ')';
1052 break;
1053 }
1054 }
1055
1056 /* Handle special characters that need to be quoted */
1057
1058 else if (Ustrchr(")<>@,;:\\.[]", ch) != NULL)
1059 {
1060 /* If hit previous quotes just make one quoted "word" */
1061
1062 if (quoted)
1063 {
1064 uschar *tt = t++;
1065 while (*(--tt) != ' ' && *tt != '\"' && *tt != ')') tt[1] = *tt;
1066 tt[1] = '\"';
1067 *t++ = ch;
1068 while (s < end)
1069 {
1070 ch = *s++;
1071 if (ch == ' ' || ch == '\"') { s--; break; } else *t++ = ch;
1072 }
1073 *t++ = '\"';
1074 }
1075
1076 /* Else quote the whole string so far, and the rest up to any following
1077 quotes. We must treat anything following a backslash as a literal. */
1078
1079 else
1080 {
1081 BOOL escaped = (ch == '\\');
1082 *(--yield) = '\"';
1083 *t++ = ch;
1084
1085 /* Now look for the end or a quote */
1086
1087 while (s < end)
1088 {
1089 ch = *s++;
1090
1091 /* Handle escaped pairs */
1092
1093 if (escaped)
1094 {
1095 *t++ = ch;
1096 escaped = FALSE;
1097 }
1098
1099 else if (ch == '\\')
1100 {
1101 *t++ = ch;
1102 escaped = TRUE;
1103 }
1104
1105 /* If hit subsequent quotes, insert our quote before any trailing
1106 spaces and back up to re-handle the quote in the outer loop. */
1107
1108 else if (ch == '\"')
1109 {
1110 int count = 0;
1111 while (t[-1] == ' ') { t--; count++; }
1112 *t++ = '\"';
1113 while (count-- > 0) *t++ = ' ';
1114 s--;
1115 break;
1116 }
1117
1118 /* If hit a subsequent comment, check it for unescaped quotes,
1119 and if so, end our quote before it. */
1120
1121 else if (ch == '(')
1122 {
1123 const uschar *ss = s; /* uschar after '(' */
1124 int level = 1;
1125 while(ss < end)
1126 {
1127 ch = *ss++;
1128 if (ch == '(') level++;
1129 else if (ch == ')') { if (--level <= 0) break; }
1130 else if (ch == '\\' && ss+1 < end) ss++;
1131 else if (ch == '\"') { quoted = TRUE; break; }
1132 }
1133
1134 /* Comment contains unescaped quotes; end our quote before
1135 the start of the comment. */
1136
1137 if (quoted)
1138 {
1139 int count = 0;
1140 while (t[-1] == ' ') { t--; count++; }
1141 *t++ = '\"';
1142 while (count-- > 0) *t++ = ' ';
1143 break;
1144 }
1145
1146 /* Comment does not contain unescaped quotes; include it in
1147 our quote. */
1148
1149 else
1150 {
1151 if (ss >= end) ss--;
1152 *t++ = '(';
1153 Ustrncpy(t, s, ss-s);
1154 t += ss-s;
1155 s = ss;
1156 }
1157 }
1158
1159 /* Not a comment or quote; include this character in our quotes. */
1160
1161 else *t++ = ch;
1162 }
1163 }
1164
1165 /* Add a final quote if we hit the end of the string. */
1166
1167 if (s >= end) *t++ = '\"';
1168 }
1169
1170 /* Non-special character; just copy it over */
1171
1172 else *t++ = ch;
1173 }
1174
1175 *t = 0;
1176 return yield;
1177 }
1178
1179
1180 /*************************************************
1181 * Extract addresses from a list *
1182 *************************************************/
1183
1184 /* This function is called by the redirect router to scan a string containing a
1185 list of addresses separated by commas (with optional white space) or by
1186 newlines, and to generate a chain of address items from them. In other words,
1187 to unpick data from an alias or .forward file.
1188
1189 The SunOS5 documentation for alias files is not very clear on the syntax; it
1190 does not say that either a comma or a newline can be used for separation.
1191 However, that is the way Smail does it, so we follow suit.
1192
1193 If a # character is encountered in a white space position, then characters from
1194 there to the next newline are skipped.
1195
1196 If an unqualified address begins with '\', just skip that character. This gives
1197 compatibility with Sendmail's use of \ to prevent looping. Exim has its own
1198 loop prevention scheme which handles other cases too - see the code in
1199 route_address().
1200
1201 An "address" can be a specification of a file or a pipe; the latter may often
1202 need to be quoted because it may contain spaces, but we don't want to retain
1203 the quotes. Quotes may appear in normal addresses too, and should be retained.
1204 We can distinguish between these cases, because in addresses, quotes are used
1205 only for parts of the address, not the whole thing. Therefore, we remove quotes
1206 from items when they entirely enclose them, but not otherwise.
1207
1208 An "address" can also be of the form :include:pathname to include a list of
1209 addresses contained in the specified file.
1210
1211 Any unqualified addresses are qualified with and rewritten if necessary, via
1212 the rewrite_address() function.
1213
1214 Arguments:
1215 s the list of addresses (typically a complete
1216 .forward file or a list of entries in an alias file)
1217 options option bits for permitting or denying various special cases;
1218 not all bits are relevant here - some are for filter
1219 files; those we use here are:
1220 RDO_DEFER
1221 RDO_FREEZE
1222 RDO_FAIL
1223 RDO_BLACKHOLE
1224 RDO_REWRITE
1225 RDO_INCLUDE
1226 anchor where to hang the chain of newly-created addresses. This
1227 should be initialized to NULL.
1228 error where to return an error text
1229 incoming domain domain of the incoming address; used to qualify unqualified
1230 local parts preceded by \
1231 directory if NULL, no checks are done on :include: files
1232 otherwise, included file names must start with the given
1233 directory
1234 syntax_errors if not NULL, it carries on after syntax errors in addresses,
1235 building up a list of errors as error blocks chained on
1236 here.
1237
1238 Returns: FF_DELIVERED addresses extracted
1239 FF_NOTDELIVERED no addresses extracted, but no errors
1240 FF_BLACKHOLE :blackhole:
1241 FF_DEFER :defer:
1242 FF_FAIL :fail:
1243 FF_INCLUDEFAIL some problem with :include:; *error set
1244 FF_ERROR other problems; *error is set
1245 */
1246
1247 int
1248 parse_forward_list(uschar *s, int options, address_item **anchor,
1249 uschar **error, const uschar *incoming_domain, uschar *directory,
1250 error_block **syntax_errors)
1251 {
1252 int count = 0;
1253
1254 DEBUG(D_route) debug_printf("parse_forward_list: %s\n", s);
1255
1256 for (;;)
1257 {
1258 int len;
1259 int special = 0;
1260 int specopt = 0;
1261 int specbit = 0;
1262 uschar *ss, *nexts;
1263 address_item *addr;
1264 BOOL inquote = FALSE;
1265
1266 for (;;)
1267 {
1268 while (isspace(*s) || *s == ',') s++;
1269 if (*s == '#') { while (*s != 0 && *s != '\n') s++; } else break;
1270 }
1271
1272 /* When we reach the end of the list, we return FF_DELIVERED if any child
1273 addresses have been generated. If nothing has been generated, there are two
1274 possibilities: either the list is really empty, or there were syntax errors
1275 that are being skipped. (If syntax errors are not being skipped, an FF_ERROR
1276 return is generated on hitting a syntax error and we don't get here.) For a
1277 truly empty list we return FF_NOTDELIVERED so that the router can decline.
1278 However, if the list is empty only because syntax errors were skipped, we
1279 return FF_DELIVERED. */
1280
1281 if (*s == 0)
1282 {
1283 return (count > 0 || (syntax_errors != NULL && *syntax_errors != NULL))?
1284 FF_DELIVERED : FF_NOTDELIVERED;
1285
1286 /* This previous code returns FF_ERROR if nothing is generated but a
1287 syntax error has been skipped. I now think it is the wrong approach, but
1288 have left this here just in case, and for the record. */
1289
1290 #ifdef NEVER
1291 if (count > 0) return FF_DELIVERED; /* Something was generated */
1292
1293 if (syntax_errors == NULL || /* Not skipping syntax errors, or */
1294 *syntax_errors == NULL) /* we didn't actually skip any */
1295 return FF_NOTDELIVERED;
1296
1297 *error = string_sprintf("no addresses generated: syntax error in %s: %s",
1298 (*syntax_errors)->text2, (*syntax_errors)->text1);
1299 return FF_ERROR;
1300 #endif
1301
1302 }
1303
1304 /* Find the end of the next address. Quoted strings in addresses may contain
1305 escaped characters; I haven't found a proper specification of .forward or
1306 alias files that mentions the quoting properties, but it seems right to do
1307 the escaping thing in all cases, so use the function that finds the end of an
1308 address. However, don't let a quoted string extend over the end of a line. */
1309
1310 ss = parse_find_address_end(s, TRUE);
1311
1312 /* Remember where we finished, for starting the next one. */
1313
1314 nexts = ss;
1315
1316 /* Remove any trailing spaces; we know there's at least one non-space. */
1317
1318 while (isspace((ss[-1]))) ss--;
1319
1320 /* We now have s->start and ss->end of the next address. Remove quotes
1321 if they completely enclose, remembering the address started with a quote
1322 for handling pipes and files. Another round of removal of leading and
1323 trailing spaces is then required. */
1324
1325 if (*s == '\"' && ss[-1] == '\"')
1326 {
1327 s++;
1328 ss--;
1329 inquote = TRUE;
1330 while (s < ss && isspace(*s)) s++;
1331 while (ss > s && isspace((ss[-1]))) ss--;
1332 }
1333
1334 /* Set up the length of the address. */
1335
1336 len = ss - s;
1337
1338 DEBUG(D_route)
1339 {
1340 int save = s[len];
1341 s[len] = 0;
1342 debug_printf("extract item: %s\n", s);
1343 s[len] = save;
1344 }
1345
1346 /* Handle special addresses if permitted. If the address is :unknown:
1347 ignore it - this is for backward compatibility with old alias files. You
1348 don't need to use it nowadays - just generate an empty string. For :defer:,
1349 :blackhole:, or :fail: we have to set up the error message and give up right
1350 away. */
1351
1352 if (Ustrncmp(s, ":unknown:", len) == 0)
1353 {
1354 s = nexts;
1355 continue;
1356 }
1357
1358 if (Ustrncmp(s, ":defer:", 7) == 0)
1359 { special = FF_DEFER; specopt = RDO_DEFER; } /* specbit is 0 */
1360 else if (Ustrncmp(s, ":blackhole:", 11) == 0)
1361 { special = FF_BLACKHOLE; specopt = specbit = RDO_BLACKHOLE; }
1362 else if (Ustrncmp(s, ":fail:", 6) == 0)
1363 { special = FF_FAIL; specopt = RDO_FAIL; } /* specbit is 0 */
1364
1365 if (special != 0)
1366 {
1367 uschar *ss = Ustrchr(s+1, ':') + 1;
1368 if ((options & specopt) == specbit)
1369 {
1370 *error = string_sprintf("\"%.*s\" is not permitted", len, s);
1371 return FF_ERROR;
1372 }
1373 while (*ss != 0 && isspace(*ss)) ss++;
1374 while (s[len] != 0 && s[len] != '\n') len++;
1375 s[len] = 0;
1376 *error = string_copy(ss);
1377 return special;
1378 }
1379
1380 /* If the address is of the form :include:pathname, read the file, and call
1381 this function recursively to extract the addresses from it. If directory is
1382 NULL, do no checks. Otherwise, insist that the file name starts with the
1383 given directory and is a regular file. */
1384
1385 if (Ustrncmp(s, ":include:", 9) == 0)
1386 {
1387 uschar *filebuf;
1388 uschar filename[256];
1389 uschar *t = s+9;
1390 int flen = len - 9;
1391 int frc;
1392 struct stat statbuf;
1393 address_item *last;
1394 FILE *f;
1395
1396 while (flen > 0 && isspace(*t)) { t++; flen--; }
1397
1398 if (flen <= 0)
1399 {
1400 *error = string_sprintf("file name missing after :include:");
1401 return FF_ERROR;
1402 }
1403
1404 if (flen > 255)
1405 {
1406 *error = string_sprintf("included file name \"%s\" is too long", t);
1407 return FF_ERROR;
1408 }
1409
1410 Ustrncpy(filename, t, flen);
1411 filename[flen] = 0;
1412
1413 /* Insist on absolute path */
1414
1415 if (filename[0]!= '/')
1416 {
1417 *error = string_sprintf("included file \"%s\" is not an absolute path",
1418 filename);
1419 return FF_ERROR;
1420 }
1421
1422 /* Check if include is permitted */
1423
1424 if ((options & RDO_INCLUDE) != 0)
1425 {
1426 *error = US"included files not permitted";
1427 return FF_ERROR;
1428 }
1429
1430 /* Check file name if required */
1431
1432 if (directory != NULL)
1433 {
1434 int len = Ustrlen(directory);
1435 uschar *p = filename + len;
1436
1437 if (Ustrncmp(filename, directory, len) != 0 || *p != '/')
1438 {
1439 *error = string_sprintf("included file %s is not in directory %s",
1440 filename, directory);
1441 return FF_ERROR;
1442 }
1443
1444 /* It is necessary to check that every component inside the directory
1445 is NOT a symbolic link, in order to keep the file inside the directory.
1446 This is mighty tedious. It is also not totally foolproof in that it
1447 leaves the possibility of a race attack, but I don't know how to do
1448 any better. */
1449
1450 while (*p != 0)
1451 {
1452 int temp;
1453 while (*(++p) != 0 && *p != '/');
1454 temp = *p;
1455 *p = 0;
1456 if (Ulstat(filename, &statbuf) != 0)
1457 {
1458 *error = string_sprintf("failed to stat %s (component of included "
1459 "file)", filename);
1460 *p = temp;
1461 return FF_ERROR;
1462 }
1463
1464 *p = temp;
1465
1466 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1467 {
1468 *error = string_sprintf("included file %s in the %s directory "
1469 "involves a symbolic link", filename, directory);
1470 return FF_ERROR;
1471 }
1472 }
1473 }
1474
1475 /* Open and stat the file */
1476
1477 if ((f = Ufopen(filename, "rb")) == NULL)
1478 {
1479 *error = string_open_failed(errno, "included file %s", filename);
1480 return FF_INCLUDEFAIL;
1481 }
1482
1483 if (fstat(fileno(f), &statbuf) != 0)
1484 {
1485 *error = string_sprintf("failed to stat included file %s: %s",
1486 filename, strerror(errno));
1487 (void)fclose(f);
1488 return FF_INCLUDEFAIL;
1489 }
1490
1491 /* If directory was checked, double check that we opened a regular file */
1492
1493 if (directory != NULL && (statbuf.st_mode & S_IFMT) != S_IFREG)
1494 {
1495 *error = string_sprintf("included file %s is not a regular file in "
1496 "the %s directory", filename, directory);
1497 return FF_ERROR;
1498 }
1499
1500 /* Get a buffer and read the contents */
1501
1502 if (statbuf.st_size > MAX_INCLUDE_SIZE)
1503 {
1504 *error = string_sprintf("included file %s is too big (max %d)",
1505 filename, MAX_INCLUDE_SIZE);
1506 return FF_ERROR;
1507 }
1508
1509 filebuf = store_get(statbuf.st_size + 1);
1510 if (fread(filebuf, 1, statbuf.st_size, f) != statbuf.st_size)
1511 {
1512 *error = string_sprintf("error while reading included file %s: %s",
1513 filename, strerror(errno));
1514 (void)fclose(f);
1515 return FF_ERROR;
1516 }
1517 filebuf[statbuf.st_size] = 0;
1518 (void)fclose(f);
1519
1520 addr = NULL;
1521 frc = parse_forward_list(filebuf, options, &addr,
1522 error, incoming_domain, directory, syntax_errors);
1523 if (frc != FF_DELIVERED && frc != FF_NOTDELIVERED) return frc;
1524
1525 if (addr != NULL)
1526 {
1527 last = addr;
1528 while (last->next != NULL) { count++; last = last->next; }
1529 last->next = *anchor;
1530 *anchor = addr;
1531 count++;
1532 }
1533 }
1534
1535 /* Else (not :include:) ensure address is syntactically correct and fully
1536 qualified if not a pipe or a file, removing a leading \ if present on an
1537 unqualified address. For pipes and files we must handle quoting. It's
1538 not quite clear exactly what to do for partially quoted things, but the
1539 common case of having the whole thing in quotes is straightforward. If this
1540 was the case, inquote will have been set TRUE above and the quotes removed.
1541
1542 There is a possible ambiguity over addresses whose local parts start with
1543 a vertical bar or a slash, and the latter do in fact occur, thanks to X.400.
1544 Consider a .forward file that contains the line
1545
1546 /X=xxx/Y=xxx/OU=xxx/@some.gate.way
1547
1548 Is this a file or an X.400 address? Does it make any difference if it is in
1549 quotes? On the grounds that file names of this type are rare, Exim treats
1550 something that parses as an RFC 822 address and has a domain as an address
1551 rather than a file or a pipe. This is also how an address such as the above
1552 would be treated if it came in from outside. */
1553
1554 else
1555 {
1556 int start, end, domain;
1557 uschar *recipient = NULL;
1558 int save = s[len];
1559 s[len] = 0;
1560
1561 /* If it starts with \ and the rest of it parses as a valid mail address
1562 without a domain, carry on with that address, but qualify it with the
1563 incoming domain. Otherwise arrange for the address to fall through,
1564 causing an error message on the re-parse. */
1565
1566 if (*s == '\\')
1567 {
1568 recipient =
1569 parse_extract_address(s+1, error, &start, &end, &domain, FALSE);
1570 if (recipient != NULL)
1571 recipient = (domain != 0)? NULL :
1572 string_sprintf("%s@%s", recipient, incoming_domain);
1573 }
1574
1575 /* Try parsing the item as an address. */
1576
1577 if (recipient == NULL) recipient =
1578 parse_extract_address(s, error, &start, &end, &domain, FALSE);
1579
1580 /* If item starts with / or | and is not a valid address, or there
1581 is no domain, treat it as a file or pipe. If it was a quoted item,
1582 remove the quoting occurrences of \ within it. */
1583
1584 if ((*s == '|' || *s == '/') && (recipient == NULL || domain == 0))
1585 {
1586 uschar *t = store_get(Ustrlen(s) + 1);
1587 uschar *p = t;
1588 uschar *q = s;
1589 while (*q != 0)
1590 {
1591 if (inquote)
1592 {
1593 *p++ = (*q == '\\')? *(++q) : *q;
1594 q++;
1595 }
1596 else *p++ = *q++;
1597 }
1598 *p = 0;
1599 addr = deliver_make_addr(t, TRUE);
1600 setflag(addr, af_pfr); /* indicates pipe/file/reply */
1601 if (*s != '|') setflag(addr, af_file); /* indicates file */
1602 }
1603
1604 /* Item must be an address. Complain if not, else qualify, rewrite and set
1605 up the control block. It appears that people are in the habit of using
1606 empty addresses but with comments as a way of putting comments into
1607 alias and forward files. Therefore, ignore the error "empty address".
1608 Mailing lists might want to tolerate syntax errors; there is therefore
1609 an option to do so. */
1610
1611 else
1612 {
1613 if (recipient == NULL)
1614 {
1615 if (Ustrcmp(*error, "empty address") == 0)
1616 {
1617 *error = NULL;
1618 s[len] = save;
1619 s = nexts;
1620 continue;
1621 }
1622
1623 if (syntax_errors != NULL)
1624 {
1625 error_block *e = store_get(sizeof(error_block));
1626 error_block *last = *syntax_errors;
1627 if (last == NULL) *syntax_errors = e; else
1628 {
1629 while (last->next != NULL) last = last->next;
1630 last->next = e;
1631 }
1632 e->next = NULL;
1633 e->text1 = *error;
1634 e->text2 = string_copy(s);
1635 s[len] = save;
1636 s = nexts;
1637 continue;
1638 }
1639 else
1640 {
1641 *error = string_sprintf("%s in \"%s\"", *error, s);
1642 s[len] = save; /* _after_ using it for *error */
1643 return FF_ERROR;
1644 }
1645 }
1646
1647 /* Address was successfully parsed. Rewrite, and then make an address
1648 block. */
1649
1650 recipient = ((options & RDO_REWRITE) != 0)?
1651 rewrite_address(recipient, TRUE, FALSE, global_rewrite_rules,
1652 rewrite_existflags) :
1653 rewrite_address_qualify(recipient, TRUE);
1654 addr = deliver_make_addr(recipient, TRUE); /* TRUE => copy recipient */
1655 }
1656
1657 /* Restore the final character in the original data, and add to the
1658 output chain. */
1659
1660 s[len] = save;
1661 addr->next = *anchor;
1662 *anchor = addr;
1663 count++;
1664 }
1665
1666 /* Advance pointer for the next address */
1667
1668 s = nexts;
1669 }
1670 }
1671
1672
1673 /*************************************************
1674 * Extract a Message-ID *
1675 *************************************************/
1676
1677 /* This function is used to extract message ids from In-Reply-To: and
1678 References: header lines.
1679
1680 Arguments:
1681 str pointer to the start of the message-id
1682 yield put pointer to the message id (in dynamic memory) here
1683 error put error message here on failure
1684
1685 Returns: points after the processed message-id or NULL on error
1686 */
1687
1688 uschar *
1689 parse_message_id(uschar *str, uschar **yield, uschar **error)
1690 {
1691 uschar *domain = NULL;
1692 uschar *id;
1693
1694 str = skip_comment(str);
1695 if (*str != '<')
1696 {
1697 *error = US"Missing '<' before message-id";
1698 return NULL;
1699 }
1700
1701 /* Getting a block the size of the input string will definitely be sufficient
1702 for the answer, but it may also be very long if we are processing a header
1703 line. Therefore, take care to release unwanted store afterwards. */
1704
1705 id = *yield = store_get(Ustrlen(str) + 1);
1706 *id++ = *str++;
1707
1708 str = read_addr_spec(str, id, '>', error, &domain);
1709
1710 if (*error == NULL)
1711 {
1712 if (*str != '>') *error = US"Missing '>' after message-id";
1713 else if (domain == NULL) *error = US"domain missing in message-id";
1714 }
1715
1716 if (*error != NULL)
1717 {
1718 store_reset(*yield);
1719 return NULL;
1720 }
1721
1722 while (*id != 0) id++;
1723 *id++ = *str++;
1724 *id++ = 0;
1725 store_reset(id);
1726
1727 str = skip_comment(str);
1728 return str;
1729 }
1730
1731
1732 /*************************************************
1733 * Parse a fixed digit number *
1734 *************************************************/
1735
1736 /* Parse a string containing an ASCII encoded fixed digits number
1737
1738 Arguments:
1739 str pointer to the start of the ASCII encoded number
1740 n pointer to the resulting value
1741 digits number of required digits
1742
1743 Returns: points after the processed date or NULL on error
1744 */
1745
1746 static uschar *
1747 parse_number(uschar *str, int *n, int digits)
1748 {
1749 *n=0;
1750 while (digits--)
1751 {
1752 if (*str<'0' || *str>'9') return NULL;
1753 *n=10*(*n)+(*str++-'0');
1754 }
1755 return str;
1756 }
1757
1758
1759 /*************************************************
1760 * Parse a RFC 2822 day of week *
1761 *************************************************/
1762
1763 /* Parse the day of the week from a RFC 2822 date, but do not
1764 decode it, because it is only for humans.
1765
1766 Arguments:
1767 str pointer to the start of the day of the week
1768
1769 Returns: points after the parsed day or NULL on error
1770 */
1771
1772 static uschar *
1773 parse_day_of_week(uschar *str)
1774 {
1775 /*
1776 day-of-week = ([FWS] day-name) / obs-day-of-week
1777
1778 day-name = "Mon" / "Tue" / "Wed" / "Thu" /
1779 "Fri" / "Sat" / "Sun"
1780
1781 obs-day-of-week = [CFWS] day-name [CFWS]
1782 */
1783
1784 static const uschar *day_name[7]={ US"mon", US"tue", US"wed", US"thu", US"fri", US"sat", US"sun" };
1785 int i;
1786 uschar day[4];
1787
1788 str=skip_comment(str);
1789 for (i=0; i<3; ++i)
1790 {
1791 if ((day[i]=tolower(*str))=='\0') return NULL;
1792 ++str;
1793 }
1794 day[3]='\0';
1795 for (i=0; i<7; ++i) if (Ustrcmp(day,day_name[i])==0) break;
1796 if (i==7) return NULL;
1797 str=skip_comment(str);
1798 return str;
1799 }
1800
1801
1802 /*************************************************
1803 * Parse a RFC 2822 date *
1804 *************************************************/
1805
1806 /* Parse the date part of a RFC 2822 date-time, extracting the
1807 day, month and year.
1808
1809 Arguments:
1810 str pointer to the start of the date
1811 d pointer to the resulting day
1812 m pointer to the resulting month
1813 y pointer to the resulting year
1814
1815 Returns: points after the processed date or NULL on error
1816 */
1817
1818 static uschar *
1819 parse_date(uschar *str, int *d, int *m, int *y)
1820 {
1821 /*
1822 date = day month year
1823
1824 year = 4*DIGIT / obs-year
1825
1826 obs-year = [CFWS] 2*DIGIT [CFWS]
1827
1828 month = (FWS month-name FWS) / obs-month
1829
1830 month-name = "Jan" / "Feb" / "Mar" / "Apr" /
1831 "May" / "Jun" / "Jul" / "Aug" /
1832 "Sep" / "Oct" / "Nov" / "Dec"
1833
1834 obs-month = CFWS month-name CFWS
1835
1836 day = ([FWS] 1*2DIGIT) / obs-day
1837
1838 obs-day = [CFWS] 1*2DIGIT [CFWS]
1839 */
1840
1841 uschar *c,*n;
1842 static const uschar *month_name[]={ US"jan", US"feb", US"mar", US"apr", US"may", US"jun", US"jul", US"aug", US"sep", US"oct", US"nov", US"dec" };
1843 int i;
1844 uschar month[4];
1845
1846 str=skip_comment(str);
1847 if ((str=parse_number(str,d,1))==NULL) return NULL;
1848 if (*str>='0' && *str<='9') *d=10*(*d)+(*str++-'0');
1849 c=skip_comment(str);
1850 if (c==str) return NULL;
1851 else str=c;
1852 for (i=0; i<3; ++i) if ((month[i]=tolower(*(str+i)))=='\0') return NULL;
1853 month[3]='\0';
1854 for (i=0; i<12; ++i) if (Ustrcmp(month,month_name[i])==0) break;
1855 if (i==12) return NULL;
1856 str+=3;
1857 *m=i;
1858 c=skip_comment(str);
1859 if (c==str) return NULL;
1860 else str=c;
1861 if ((n=parse_number(str,y,4)))
1862 {
1863 str=n;
1864 if (*y<1900) return NULL;
1865 *y=*y-1900;
1866 }
1867 else if ((n=parse_number(str,y,2)))
1868 {
1869 str=skip_comment(n);
1870 while (*(str-1)==' ' || *(str-1)=='\t') --str; /* match last FWS later */
1871 if (*y<50) *y+=100;
1872 }
1873 else return NULL;
1874 return str;
1875 }
1876
1877
1878 /*************************************************
1879 * Parse a RFC 2822 Time *
1880 *************************************************/
1881
1882 /* Parse the time part of a RFC 2822 date-time, extracting the
1883 hour, minute, second and timezone.
1884
1885 Arguments:
1886 str pointer to the start of the time
1887 h pointer to the resulting hour
1888 m pointer to the resulting minute
1889 s pointer to the resulting second
1890 z pointer to the resulting timezone (offset in seconds)
1891
1892 Returns: points after the processed time or NULL on error
1893 */
1894
1895 static uschar *
1896 parse_time(uschar *str, int *h, int *m, int *s, int *z)
1897 {
1898 /*
1899 time = time-of-day FWS zone
1900
1901 time-of-day = hour ":" minute [ ":" second ]
1902
1903 hour = 2DIGIT / obs-hour
1904
1905 obs-hour = [CFWS] 2DIGIT [CFWS]
1906
1907 minute = 2DIGIT / obs-minute
1908
1909 obs-minute = [CFWS] 2DIGIT [CFWS]
1910
1911 second = 2DIGIT / obs-second
1912
1913 obs-second = [CFWS] 2DIGIT [CFWS]
1914
1915 zone = (( "+" / "-" ) 4DIGIT) / obs-zone
1916
1917 obs-zone = "UT" / "GMT" / ; Universal Time
1918 ; North American UT
1919 ; offsets
1920 "EST" / "EDT" / ; Eastern: - 5/ - 4
1921 "CST" / "CDT" / ; Central: - 6/ - 5
1922 "MST" / "MDT" / ; Mountain: - 7/ - 6
1923 "PST" / "PDT" / ; Pacific: - 8/ - 7
1924
1925 %d65-73 / ; Military zones - "A"
1926 %d75-90 / ; through "I" and "K"
1927 %d97-105 / ; through "Z", both
1928 %d107-122 ; upper and lower case
1929 */
1930
1931 uschar *c;
1932
1933 str=skip_comment(str);
1934 if ((str=parse_number(str,h,2))==NULL) return NULL;
1935 str=skip_comment(str);
1936 if (*str!=':') return NULL;
1937 ++str;
1938 str=skip_comment(str);
1939 if ((str=parse_number(str,m,2))==NULL) return NULL;
1940 c=skip_comment(str);
1941 if (*str==':')
1942 {
1943 ++str;
1944 str=skip_comment(str);
1945 if ((str=parse_number(str,s,2))==NULL) return NULL;
1946 c=skip_comment(str);
1947 }
1948 if (c==str) return NULL;
1949 else str=c;
1950 if (*str=='+' || *str=='-')
1951 {
1952 int neg;
1953
1954 neg=(*str=='-');
1955 ++str;
1956 if ((str=parse_number(str,z,4))==NULL) return NULL;
1957 *z=(*z/100)*3600+(*z%100)*60;
1958 if (neg) *z=-*z;
1959 }
1960 else
1961 {
1962 char zone[5];
1963 struct { const char *name; int off; } zone_name[10]=
1964 { {"gmt",0}, {"ut",0}, {"est",-5}, {"edt",-4}, {"cst",-6}, {"cdt",-5}, {"mst",-7}, {"mdt",-6}, {"pst",-8}, {"pdt",-7}};
1965 int i,j;
1966
1967 for (i=0; i<4; ++i)
1968 {
1969 zone[i]=tolower(*(str+i));
1970 if (zone[i]<'a' || zone[i]>'z') break;
1971 }
1972 zone[i]='\0';
1973 for (j=0; j<10 && strcmp(zone,zone_name[j].name); ++j);
1974 /* Besides zones named in the grammar, RFC 2822 says other alphabetic */
1975 /* time zones should be treated as unknown offsets. */
1976 if (j<10)
1977 {
1978 *z=zone_name[j].off*3600;
1979 str+=i;
1980 }
1981 else if (zone[0]<'a' || zone[1]>'z') return 0;
1982 else
1983 {
1984 while ((*str>='a' && *str<='z') || (*str>='A' && *str<='Z')) ++str;
1985 *z=0;
1986 }
1987 }
1988 return str;
1989 }
1990
1991
1992 /*************************************************
1993 * Parse a RFC 2822 date-time *
1994 *************************************************/
1995
1996 /* Parse a RFC 2822 date-time and return it in seconds since the epoch.
1997
1998 Arguments:
1999 str pointer to the start of the date-time
2000 t pointer to the parsed time
2001
2002 Returns: points after the processed date-time or NULL on error
2003 */
2004
2005 uschar *
2006 parse_date_time(uschar *str, time_t *t)
2007 {
2008 /*
2009 date-time = [ day-of-week "," ] date FWS time [CFWS]
2010 */
2011
2012 struct tm tm;
2013 int zone;
2014 extern char **environ;
2015 char **old_environ;
2016 static char gmt0[]="TZ=GMT0";
2017 static char *gmt_env[]={ gmt0, (char*)0 };
2018 uschar *try;
2019
2020 if ((try=parse_day_of_week(str)))
2021 {
2022 str=try;
2023 if (*str!=',') return 0;
2024 ++str;
2025 }
2026 if ((str=parse_date(str,&tm.tm_mday,&tm.tm_mon,&tm.tm_year))==NULL) return NULL;
2027 if (*str!=' ' && *str!='\t') return NULL;
2028 while (*str==' ' || *str=='\t') ++str;
2029 if ((str=parse_time(str,&tm.tm_hour,&tm.tm_min,&tm.tm_sec,&zone))==NULL) return NULL;
2030 tm.tm_isdst=0;
2031 old_environ=environ;
2032 environ=gmt_env;
2033 *t=mktime(&tm);
2034 environ=old_environ;
2035 if (*t==-1) return NULL;
2036 *t-=zone;
2037 str=skip_comment(str);
2038 return str;
2039 }
2040
2041
2042
2043
2044 /*************************************************
2045 **************************************************
2046 * Stand-alone test program *
2047 **************************************************
2048 *************************************************/
2049
2050 #if defined STAND_ALONE
2051 int main(void)
2052 {
2053 int start, end, domain;
2054 uschar buffer[1024];
2055 uschar outbuff[1024];
2056
2057 big_buffer = store_malloc(big_buffer_size);
2058
2059 /* strip_trailing_dot = TRUE; */
2060 allow_domain_literals = TRUE;
2061
2062 printf("Testing parse_fix_phrase\n");
2063
2064 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2065 {
2066 buffer[Ustrlen(buffer)-1] = 0;
2067 if (buffer[0] == 0) break;
2068 printf("%s\n", CS parse_fix_phrase(buffer, Ustrlen(buffer), outbuff,
2069 sizeof(outbuff)));
2070 }
2071
2072 printf("Testing parse_extract_address without group syntax and without UTF-8\n");
2073
2074 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2075 {
2076 uschar *out;
2077 uschar *errmess;
2078 buffer[Ustrlen(buffer) - 1] = 0;
2079 if (buffer[0] == 0) break;
2080 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2081 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2082 {
2083 uschar extract[1024];
2084 Ustrncpy(extract, buffer+start, end-start);
2085 extract[end-start] = 0;
2086 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2087 }
2088 }
2089
2090 printf("Testing parse_extract_address without group syntax but with UTF-8\n");
2091
2092 allow_utf8_domains = TRUE;
2093 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2094 {
2095 uschar *out;
2096 uschar *errmess;
2097 buffer[Ustrlen(buffer) - 1] = 0;
2098 if (buffer[0] == 0) break;
2099 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2100 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2101 {
2102 uschar extract[1024];
2103 Ustrncpy(extract, buffer+start, end-start);
2104 extract[end-start] = 0;
2105 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2106 }
2107 }
2108 allow_utf8_domains = FALSE;
2109
2110 printf("Testing parse_extract_address with group syntax\n");
2111
2112 parse_allow_group = TRUE;
2113 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2114 {
2115 uschar *out;
2116 uschar *errmess;
2117 uschar *s;
2118 buffer[Ustrlen(buffer) - 1] = 0;
2119 if (buffer[0] == 0) break;
2120 s = buffer;
2121 while (*s != 0)
2122 {
2123 uschar *ss = parse_find_address_end(s, FALSE);
2124 int terminator = *ss;
2125 *ss = 0;
2126 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2127 *ss = terminator;
2128
2129 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2130 {
2131 uschar extract[1024];
2132 Ustrncpy(extract, buffer+start, end-start);
2133 extract[end-start] = 0;
2134 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2135 }
2136
2137 s = ss + (terminator? 1:0);
2138 while (isspace(*s)) s++;
2139 }
2140 }
2141
2142 printf("Testing parse_find_at\n");
2143
2144 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2145 {
2146 uschar *s;
2147 buffer[Ustrlen(buffer)-1] = 0;
2148 if (buffer[0] == 0) break;
2149 s = parse_find_at(buffer);
2150 if (s == NULL) printf("no @ found\n");
2151 else printf("offset = %d\n", s - buffer);
2152 }
2153
2154 printf("Testing parse_extract_addresses\n");
2155
2156 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2157 {
2158 uschar *errmess;
2159 int extracted;
2160 address_item *anchor = NULL;
2161 buffer[Ustrlen(buffer) - 1] = 0;
2162 if (buffer[0] == 0) break;
2163 if ((extracted = parse_forward_list(buffer, -1, &anchor,
2164 &errmess, US"incoming.domain", NULL, NULL)) == FF_DELIVERED)
2165 {
2166 while (anchor != NULL)
2167 {
2168 address_item *addr = anchor;
2169 anchor = anchor->next;
2170 printf("%d %s\n", testflag(addr, af_pfr), addr->address);
2171 }
2172 }
2173 else printf("Failed: %d %s\n", extracted, errmess);
2174 }
2175
2176 printf("Testing parse_message_id\n");
2177
2178 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2179 {
2180 uschar *s, *t, *errmess;
2181 buffer[Ustrlen(buffer) - 1] = 0;
2182 if (buffer[0] == 0) break;
2183 s = buffer;
2184 while (*s != 0)
2185 {
2186 s = parse_message_id(s, &t, &errmess);
2187 if (errmess != NULL)
2188 {
2189 printf("Failed: %s\n", errmess);
2190 break;
2191 }
2192 printf("%s\n", t);
2193 }
2194 }
2195
2196 return 0;
2197 }
2198
2199 #endif
2200
2201 /* End of parse.c */