projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Tidying: coverity issues
[exim.git] / src / src / parse.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2015 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for parsing addresses */
9
10
11 #include "exim.h"
12
13
14 static uschar *last_comment_position;
15
16
17
18 /* In stand-alone mode, provide a replacement for deliver_make_addr()
19 and rewrite_address[_qualify]() so as to avoid having to drag in too much
20 redundant apparatus. */
21
22 #ifdef STAND_ALONE
23
24 address_item *deliver_make_addr(uschar *address, BOOL copy)
25 {
26 address_item *addr = store_get(sizeof(address_item));
27 addr->next = NULL;
28 addr->parent = NULL;
29 addr->address = address;
30 return addr;
31 }
32
33 uschar *rewrite_address(uschar *recipient, BOOL dummy1, BOOL dummy2, rewrite_rule
34 *dummy3, int dummy4)
35 {
36 return recipient;
37 }
38
39 uschar *rewrite_address_qualify(uschar *recipient, BOOL dummy1)
40 {
41 return recipient;
42 }
43
44 #endif
45
46
47
48
49 /*************************************************
50 * Find the end of an address *
51 *************************************************/
52
53 /* Scan over a string looking for the termination of an address at a comma,
54 or end of the string. It's the source-routed addresses which cause much pain
55 here. Although Exim ignores source routes, it must recognize such addresses, so
56 we cannot get rid of this logic.
57
58 Argument:
59 s pointer to the start of an address
60 nl_ends if TRUE, '\n' terminates an address
61
62 Returns: pointer past the end of the address
63 (i.e. points to null or comma)
64 */
65
66 uschar *
67 parse_find_address_end(uschar *s, BOOL nl_ends)
68 {
69 BOOL source_routing = *s == '@';
70 int no_term = source_routing? 1 : 0;
71
72 while (*s != 0 && (*s != ',' || no_term > 0) && (*s != '\n' || !nl_ends))
73 {
74 /* Skip single quoted characters. Strictly these should not occur outside
75 quoted strings in RFC 822 addresses, but they can in RFC 821 addresses. Pity
76 about the lack of consistency, isn't it? */
77
78 if (*s == '\\' && s[1] != 0) s += 2;
79
80 /* Skip quoted items that are not inside brackets. Note that
81 quoted pairs are allowed inside quoted strings. */
82
83 else if (*s == '\"')
84 {
85 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
86 {
87 if (*s == '\\' && s[1] != 0) s++;
88 else if (*s == '\"') { s++; break; }
89 }
90 }
91
92 /* Skip comments, which may include nested brackets, but quotes
93 are not recognized inside comments, though quoted pairs are. */
94
95 else if (*s == '(')
96 {
97 int level = 1;
98 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
99 {
100 if (*s == '\\' && s[1] != 0) s++;
101 else if (*s == '(') level++;
102 else if (*s == ')' && --level <= 0) { s++; break; }
103 }
104 }
105
106 /* Non-special character; just advance. Passing the colon in a source
107 routed address means that any subsequent comma or colon may terminate unless
108 inside angle brackets. */
109
110 else
111 {
112 if (*s == '<')
113 {
114 source_routing = s[1] == '@';
115 no_term = source_routing? 2 : 1;
116 }
117 else if (*s == '>') no_term--;
118 else if (source_routing && *s == ':') no_term--;
119 s++;
120 }
121 }
122
123 return s;
124 }
125
126
127
128 /*************************************************
129 * Find last @ in an address *
130 *************************************************/
131
132 /* This function is used when we have something that may not qualified. If we
133 know it's qualified, searching for the rightmost '@' is sufficient. Here we
134 have to be a bit more clever than just a plain search, in order to handle
135 unqualified local parts like "thing@thong" correctly. Since quotes may not
136 legally be part of a domain name, we can give up on hitting the first quote
137 when searching from the right. Now that the parsing also permits the RFC 821
138 form of address, where quoted-pairs are allowed in unquoted local parts, we
139 must take care to handle that too.
140
141 Argument: pointer to an address, possibly unqualified
142 Returns: pointer to the last @ in an address, or NULL if none
143 */
144
145 uschar *
146 parse_find_at(uschar *s)
147 {
148 uschar *t = s + Ustrlen(s);
149 while (--t >= s)
150 {
151 if (*t == '@')
152 {
153 int backslash_count = 0;
154 uschar *tt = t - 1;
155 while (tt > s && *tt-- == '\\') backslash_count++;
156 if ((backslash_count & 1) == 0) return t;
157 }
158 else if (*t == '\"') return NULL;
159 }
160 return NULL;
161 }
162
163
164
165
166 /***************************************************************************
167 * In all the functions below that read a particular object type from *
168 * the input, return the new value of the pointer s (the first argument), *
169 * and put the object into the store pointed to by t (the second argument), *
170 * adding a terminating zero. If no object is found, t will point to zero *
171 * on return. *
172 ***************************************************************************/
173
174
175 /*************************************************
176 * Skip white space and comment *
177 *************************************************/
178
179 /* Algorithm:
180 (1) Skip spaces.
181 (2) If uschar not '(', return.
182 (3) Skip till matching ')', not counting any characters
183 escaped with '\'.
184 (4) Move past ')' and goto (1).
185
186 The start of the last potential comment position is remembered to
187 make it possible to ignore comments at the end of compound items.
188
189 Argument: current character pointer
190 Regurns: new character pointer
191 */
192
193 static uschar *
194 skip_comment(uschar *s)
195 {
196 last_comment_position = s;
197 while (*s)
198 {
199 int c, level;
200 while (isspace(*s)) s++;
201 if (*s != '(') break;
202 level = 1;
203 while((c = *(++s)) != 0)
204 {
205 if (c == '(') level++;
206 else if (c == ')') { if (--level <= 0) { s++; break; } }
207 else if (c == '\\' && s[1] != 0) s++;
208 }
209 }
210 return s;
211 }
212
213
214
215 /*************************************************
216 * Read a domain *
217 *************************************************/
218
219 /* A domain is a sequence of subdomains, separated by dots. See comments below
220 for detailed syntax of the subdomains.
221
222 If allow_domain_literals is TRUE, a "domain" may also be an IP address enclosed
223 in []. Make sure the output is set to the null string if there is a syntax
224 error as well as if there is no domain at all.
225
226 Arguments:
227 s current character pointer
228 t where to put the domain
229 errorptr put error message here on failure (*t will be 0 on exit)
230
231 Returns: new character pointer
232 */
233
234 static uschar *
235 read_domain(uschar *s, uschar *t, uschar **errorptr)
236 {
237 uschar *tt = t;
238 s = skip_comment(s);
239
240 /* Handle domain literals if permitted. An RFC 822 domain literal may contain
241 any character except [ ] \, including linear white space, and may contain
242 quoted characters. However, RFC 821 restricts literals to being dot-separated
243 3-digit numbers, and we make the obvious extension for IPv6. Go for a sequence
244 of digits, dots, hex digits, and colons here; later this will be checked for
245 being a syntactically valid IP address if it ever gets to a router.
246
247 Allow both the formal IPv6 form, with IPV6: at the start, and the informal form
248 without it, and accept IPV4: as well, 'cause someone will use it sooner or
249 later. */
250
251 if (*s == '[')
252 {
253 *t++ = *s++;
254
255 if (strncmpic(s, US"IPv6:", 5) == 0 || strncmpic(s, US"IPv4:", 5) == 0)
256 {
257 memcpy(t, s, 5);
258 t += 5;
259 s += 5;
260 }
261 while (*s == '.' || *s == ':' || isxdigit(*s)) *t++ = *s++;
262
263 if (*s == ']') *t++ = *s++; else
264 {
265 *errorptr = US"malformed domain literal";
266 *tt = 0;
267 }
268
269 if (!allow_domain_literals)
270 {
271 *errorptr = US"domain literals not allowed";
272 *tt = 0;
273 }
274 *t = 0;
275 return skip_comment(s);
276 }
277
278 /* Handle a proper domain, which is a sequence of dot-separated atoms. Remove
279 trailing dots if strip_trailing_dot is set. A subdomain is an atom.
280
281 An atom is a sequence of any characters except specials, space, and controls.
282 The specials are ( ) < > @ , ; : \ " . [ and ]. This is the rule for RFC 822
283 and its successor (RFC 2822). However, RFC 821 and its successor (RFC 2821) is
284 tighter, allowing only letters, digits, and hyphens, not starting with a
285 hyphen.
286
287 There used to be a global flag that got set when checking addresses that came
288 in over SMTP and which should therefore should be checked according to the
289 stricter rule. However, it seems silly to make the distinction, because I don't
290 suppose anybody ever uses local domains that are 822-compliant and not
291 821-compliant. Furthermore, Exim now has additional data on the spool file line
292 after an address (after "one_time" processing), and it makes use of a #
293 character to delimit it. When I wrote that code, I forgot about this 822-domain
294 stuff, and assumed # could never appear in a domain.
295
296 So the old code is now cut out for Release 4.11 onwards, on 09-Aug-02. In a few
297 years, when we are sure this isn't actually causing trouble, throw it away.
298
299 March 2003: the story continues: There is a camp that is arguing for the use of
300 UTF-8 in domain names as the way to internationalization, and other MTAs
301 support this. Therefore, we now have a flag that permits the use of characters
302 with values greater than 127, encoded in UTF-8, in subdomains, so that Exim can
303 be used experimentally in this way. */
304
305 for (;;)
306 {
307 uschar *tsave = t;
308
309 /*********************
310 if (rfc821_domains)
311 {
312 if (*s != '-') while (isalnum(*s) || *s == '-') *t++ = *s++;
313 }
314 else
315 while (!mac_iscntrl_or_special(*s)) *t++ = *s++;
316 *********************/
317
318 if (*s != '-')
319 {
320 /* Only letters, digits, and hyphens */
321
322 if (!allow_utf8_domains)
323 {
324 while (isalnum(*s) || *s == '-') *t++ = *s++;
325 }
326
327 /* Permit legal UTF-8 characters to be included */
328
329 else for(;;)
330 {
331 int i, d;
332 if (isalnum(*s) || *s == '-') /* legal ascii characters */
333 {
334 *t++ = *s++;
335 continue;
336 }
337 if ((*s & 0xc0) != 0xc0) break; /* not start of UTF-8 character */
338 d = *s << 2;
339 for (i = 1; i < 6; i++) /* i is the number of additional bytes */
340 {
341 if ((d & 0x80) == 0) break;
342 d <<= 1;
343 }
344 if (i == 6) goto BAD_UTF8; /* invalid UTF-8 */
345 *t++ = *s++; /* leading UTF-8 byte */
346 while (i-- > 0) /* copy and check remainder */
347 {
348 if ((*s & 0xc0) != 0x80)
349 {
350 BAD_UTF8:
351 *errorptr = US"invalid UTF-8 byte sequence";
352 *tt = 0;
353 return s;
354 }
355 *t++ = *s++;
356 }
357 } /* End of loop for UTF-8 character */
358 } /* End of subdomain */
359
360 s = skip_comment(s);
361 *t = 0;
362
363 if (t == tsave) /* empty component */
364 {
365 if (strip_trailing_dot && t > tt && *s != '.') t[-1] = 0; else
366 {
367 *errorptr = US"domain missing or malformed";
368 *tt = 0;
369 }
370 return s;
371 }
372
373 if (*s != '.') break;
374 *t++ = *s++;
375 s = skip_comment(s);
376 }
377
378 return s;
379 }
380
381
382
383 /*************************************************
384 * Read a local-part *
385 *************************************************/
386
387 /* A local-part is a sequence of words, separated by periods. A null word
388 between dots is not strictly allowed but apparently many mailers permit it,
389 so, sigh, better be compatible. Even accept a trailing dot...
390
391 A <word> is either a quoted string, or an <atom>, which is a sequence
392 of any characters except specials, space, and controls. The specials are
393 ( ) < > @ , ; : \ " . [ and ]. In RFC 822, a single quoted character, (a
394 quoted-pair) is not allowed in a word. However, in RFC 821, it is permitted in
395 the local part of an address. Rather than have separate parsing functions for
396 the different cases, take the liberal attitude always. At least one MUA is
397 happy to recognize this case; I don't know how many other programs do.
398
399 Arguments:
400 s current character pointer
401 t where to put the local part
402 error where to point error text
403 allow_null TRUE if an empty local part is not an error
404
405 Returns: new character pointer
406 */
407
408 static uschar *
409 read_local_part(uschar *s, uschar *t, uschar **error, BOOL allow_null)
410 {
411 uschar *tt = t;
412 *error = NULL;
413 for (;;)
414 {
415 int c;
416 uschar *tsave = t;
417 s = skip_comment(s);
418
419 /* Handle a quoted string */
420
421 if (*s == '\"')
422 {
423 *t++ = '\"';
424 while ((c = *(++s)) != 0 && c != '\"')
425 {
426 *t++ = c;
427 if (c == '\\' && s[1] != 0) *t++ = *(++s);
428 }
429 if (c == '\"')
430 {
431 s++;
432 *t++ = '\"';
433 }
434 else
435 {
436 *error = US"unmatched doublequote in local part";
437 return s;
438 }
439 }
440
441 /* Handle an atom, but allow quoted pairs within it. */
442
443 else while (!mac_iscntrl_or_special(*s) || *s == '\\')
444 {
445 c = *t++ = *s++;
446 if (c == '\\' && *s != 0) *t++ = *s++;
447 }
448
449 /* Terminate the word and skip subsequent comment */
450
451 *t = 0;
452 s = skip_comment(s);
453
454 /* If we have read a null component at this point, give an error unless it is
455 terminated by a dot - an extension to RFC 822 - or if it is the first
456 component of the local part and an empty local part is permitted, in which
457 case just return normally. */
458
459 if (t == tsave && *s != '.')
460 {
461 if (t == tt && !allow_null)
462 *error = US"missing or malformed local part";
463 return s;
464 }
465
466 /* Anything other than a dot terminates the local part. Treat multiple dots
467 as a single dot, as this seems to be a common extension. */
468
469 if (*s != '.') break;
470 do { *t++ = *s++; } while (*s == '.');
471 }
472
473 return s;
474 }
475
476
477 /*************************************************
478 * Read route part of route-addr *
479 *************************************************/
480
481 /* The pointer is at the initial "@" on entry. Return it following the
482 terminating colon. Exim no longer supports the use of source routes, but it is
483 required to accept the syntax.
484
485 Arguments:
486 s current character pointer
487 t where to put the route
488 errorptr where to put an error message
489
490 Returns: new character pointer
491 */
492
493 static uschar *
494 read_route(uschar *s, uschar *t, uschar **errorptr)
495 {
496 BOOL commas = FALSE;
497 *errorptr = NULL;
498
499 while (*s == '@')
500 {
501 *t++ = '@';
502 s = read_domain(s+1, t, errorptr);
503 if (*t == 0) return s;
504 t += Ustrlen((const uschar *)t);
505 if (*s != ',') break;
506 *t++ = *s++;
507 commas = TRUE;
508 s = skip_comment(s);
509 }
510
511 if (*s == ':') *t++ = *s++;
512
513 /* If there is no colon, and there were no commas, the most likely error
514 is in fact a missing local part in the address rather than a missing colon
515 after the route. */
516
517 else *errorptr = commas?
518 US"colon expected after route list" :
519 US"no local part";
520
521 /* Terminate the route and return */
522
523 *t = 0;
524 return skip_comment(s);
525 }
526
527
528
529 /*************************************************
530 * Read addr-spec *
531 *************************************************/
532
533 /* Addr-spec is local-part@domain. We make the domain optional -
534 the expected terminator for the whole thing is passed to check this.
535 This function is called only when we know we have a route-addr.
536
537 Arguments:
538 s current character pointer
539 t where to put the addr-spec
540 term expected terminator (0 or >)
541 errorptr where to put an error message
542 domainptr set to point to the start of the domain
543
544 Returns: new character pointer
545 */
546
547 static uschar *
548 read_addr_spec(uschar *s, uschar *t, int term, uschar **errorptr,
549 uschar **domainptr)
550 {
551 s = read_local_part(s, t, errorptr, FALSE);
552 if (*errorptr == NULL)
553 if (*s != term)
554 if (*s != '@')
555 *errorptr = string_sprintf("\"@\" or \".\" expected after \"%s\"", t);
556 else
557 {
558 t += Ustrlen((const uschar *)t);
559 *t++ = *s++;
560 *domainptr = t;
561 s = read_domain(s, t, errorptr);
562 }
563 return s;
564 }
565
566
567
568 /*************************************************
569 * Extract operative address *
570 *************************************************/
571
572 /* This function extracts an operative address from a full RFC822 mailbox and
573 returns it in a piece of dynamic store. We take the easy way and get a piece
574 of store the same size as the input, and then copy into it whatever is
575 necessary. If we cannot find a valid address (syntax error), return NULL, and
576 point the error pointer to the reason. The arguments "start" and "end" are used
577 to return the offsets of the first and one past the last characters in the
578 original mailbox of the address that has been extracted, to aid in re-writing.
579 The argument "domain" is set to point to the first character after "@" in the
580 final part of the returned address, or zero if there is no @.
581
582 Exim no longer supports the use of source routed addresses (those of the form
583 @domain,...:route_addr). It recognizes the syntax, but collapses such addresses
584 down to their final components. Formerly, collapse_source_routes had to be set
585 to achieve this effect. RFC 1123 allows collapsing with MAY, while the revision
586 of RFC 821 had increased this to SHOULD, so I've gone for it, because it makes
587 a lot of code elsewhere in Exim much simpler.
588
589 There are some special fudges here for handling RFC 822 group address notation
590 which may appear in certain headers. If the flag parse_allow_group is set
591 TRUE and parse_found_group is FALSE when this function is called, an address
592 which is the start of a group (i.e. preceded by a phrase and a colon) is
593 recognized; the phrase is ignored and the flag parse_found_group is set. If
594 this flag is TRUE at the end of an address, and if an extraneous semicolon is
595 found, it is ignored and the flag is cleared.
596
597 This logic is used only when scanning through addresses in headers, either to
598 fulfil the -t option, or for rewriting, or for checking header syntax. Because
599 the group "state" has to be remembered between multiple calls of this function,
600 the variables parse_{allow,found}_group are global. It is important to ensure
601 that they are reset to FALSE at the end of scanning a header's list of
602 addresses.
603
604 Arguments:
605 mailbox points to the RFC822 mailbox
606 errorptr where to point an error message
607 start set to start offset in mailbox
608 end set to end offset in mailbox
609 domain set to domain offset in result, or 0 if no domain present
610 allow_null allow <> if TRUE
611
612 Returns: points to the extracted address, or NULL on error
613 */
614
615 #define FAILED(s) { *errorptr = s; goto PARSE_FAILED; }
616
617 uschar *
618 parse_extract_address(uschar *mailbox, uschar **errorptr, int *start, int *end,
619 int *domain, BOOL allow_null)
620 {
621 uschar *yield = store_get(Ustrlen(mailbox) + 1);
622 uschar *startptr, *endptr;
623 uschar *s = (uschar *)mailbox;
624 uschar *t = (uschar *)yield;
625
626 *domain = 0;
627
628 /* At the start of the string we expect either an addr-spec or a phrase
629 preceding a <route-addr>. If groups are allowed, we might also find a phrase
630 preceding a colon and an address. If we find an initial word followed by
631 a dot, strict interpretation of the RFC would cause it to be taken
632 as the start of an addr-spec. However, many mailers break the rules
633 and use addresses of the form "a.n.other <ano@somewhere>" and so we
634 allow this case. */
635
636 RESTART: /* Come back here after passing a group name */
637
638 s = skip_comment(s);
639 startptr = s; /* In case addr-spec */
640 s = read_local_part(s, t, errorptr, TRUE); /* Dot separated words */
641 if (*errorptr != NULL) goto PARSE_FAILED;
642
643 /* If the terminator is neither < nor @ then the format of the address
644 must either be a bare local-part (we are now at the end), or a phrase
645 followed by a route-addr (more words must follow). */
646
647 if (*s != '@' && *s != '<')
648 {
649 if (*s == 0 || *s == ';')
650 {
651 if (*t == 0) FAILED(US"empty address");
652 endptr = last_comment_position;
653 goto PARSE_SUCCEEDED; /* Bare local part */
654 }
655
656 /* Expect phrase route-addr, or phrase : if groups permitted, but allow
657 dots in the phrase; complete the loop only when '<' or ':' is encountered -
658 end of string will produce a null local_part and therefore fail. We don't
659 need to keep updating t, as the phrase isn't to be kept. */
660
661 while (*s != '<' && (!parse_allow_group || *s != ':'))
662 {
663 s = read_local_part(s, t, errorptr, FALSE);
664 if (*errorptr != NULL)
665 {
666 *errorptr = string_sprintf("%s (expected word or \"<\")", *errorptr);
667 goto PARSE_FAILED;
668 }
669 }
670
671 if (*s == ':')
672 {
673 parse_found_group = TRUE;
674 parse_allow_group = FALSE;
675 s++;
676 goto RESTART;
677 }
678
679 /* Assert *s == '<' */
680 }
681
682 /* At this point the next character is either '@' or '<'. If it is '@', only a
683 single local-part has previously been read. An angle bracket signifies the
684 start of an <addr-spec>. Throw away anything we have saved so far before
685 processing it. Note that this is "if" rather than "else if" because it's also
686 used after reading a preceding phrase.
687
688 There are a lot of broken sendmails out there that put additional pairs of <>
689 round <route-addr>s. If strip_excess_angle_brackets is set, allow any number of
690 them, as long as they match. */
691
692 if (*s == '<')
693 {
694 uschar *domainptr = yield;
695 BOOL source_routed = FALSE;
696 int bracket_count = 1;
697
698 s++;
699 if (strip_excess_angle_brackets)
700 while (*s == '<') { bracket_count++; s++; }
701
702 t = yield;
703 startptr = s;
704 s = skip_comment(s);
705
706 /* Read an optional series of routes, each of which is a domain. They
707 are separated by commas and terminated by a colon. However, we totally ignore
708 such routes (RFC 1123 says we MAY, and the revision of RFC 821 says we
709 SHOULD). */
710
711 if (*s == '@')
712 {
713 s = read_route(s, t, errorptr);
714 if (*errorptr != NULL) goto PARSE_FAILED;
715 *t = 0; /* Ensure route is ignored - probably overkill */
716 source_routed = TRUE;
717 }
718
719 /* Now an addr-spec, terminated by '>'. If there is no preceding route,
720 we must allow an empty addr-spec if allow_null is TRUE, to permit the
721 address "<>" in some circumstances. A source-routed address MUST have
722 a domain in the final part. */
723
724 if (allow_null && !source_routed && *s == '>')
725 {
726 *t = 0;
727 *errorptr = NULL;
728 }
729 else
730 {
731 s = read_addr_spec(s, t, '>', errorptr, &domainptr);
732 if (*errorptr != NULL) goto PARSE_FAILED;
733 *domain = domainptr - yield;
734 if (source_routed && *domain == 0)
735 FAILED(US"domain missing in source-routed address");
736 }
737
738 endptr = s;
739 if (*errorptr != NULL) goto PARSE_FAILED;
740 while (bracket_count-- > 0) if (*s++ != '>')
741 {
742 *errorptr = (s[-1] == 0)? US"'>' missing at end of address" :
743 string_sprintf("malformed address: %.32s may not follow %.*s",
744 s-1, s - (uschar *)mailbox - 1, mailbox);
745 goto PARSE_FAILED;
746 }
747
748 s = skip_comment(s);
749 }
750
751 /* Hitting '@' after the first local-part means we have definitely got an
752 addr-spec, on a strict reading of the RFC, and the rest of the string
753 should be the domain. However, for flexibility we allow for a route-address
754 not enclosed in <> as well, which is indicated by an empty first local
755 part preceding '@'. The source routing is, however, ignored. */
756
757 else if (*t == 0)
758 {
759 uschar *domainptr = yield;
760 s = read_route(s, t, errorptr);
761 if (*errorptr != NULL) goto PARSE_FAILED;
762 *t = 0; /* Ensure route is ignored - probably overkill */
763 s = read_addr_spec(s, t, 0, errorptr, &domainptr);
764 if (*errorptr != NULL) goto PARSE_FAILED;
765 *domain = domainptr - yield;
766 endptr = last_comment_position;
767 if (*domain == 0) FAILED(US"domain missing in source-routed address");
768 }
769
770 /* This is the strict case of local-part@domain. */
771
772 else
773 {
774 t += Ustrlen((const uschar *)t);
775 *t++ = *s++;
776 *domain = t - yield;
777 s = read_domain(s, t, errorptr);
778 if (*t == 0) goto PARSE_FAILED;
779 endptr = last_comment_position;
780 }
781
782 /* Use goto to get here from the bare local part case. Arrive by falling
783 through for other cases. Endptr may have been moved over whitespace, so
784 move it back past white space if necessary. */
785
786 PARSE_SUCCEEDED:
787 if (*s != 0)
788 {
789 if (parse_found_group && *s == ';')
790 {
791 parse_found_group = FALSE;
792 parse_allow_group = TRUE;
793 }
794 else
795 {
796 *errorptr = string_sprintf("malformed address: %.32s may not follow %.*s",
797 s, s - (uschar *)mailbox, mailbox);
798 goto PARSE_FAILED;
799 }
800 }
801 *start = startptr - (uschar *)mailbox; /* Return offsets */
802 while (isspace(endptr[-1])) endptr--;
803 *end = endptr - (uschar *)mailbox;
804
805 /* Although this code has no limitation on the length of address extracted,
806 other parts of Exim may have limits, and in any case, RFC 2821 limits local
807 parts to 64 and domains to 255, so we do a check here, giving an error if the
808 address is ridiculously long. */
809
810 if (*end - *start > ADDRESS_MAXLENGTH)
811 {
812 *errorptr = string_sprintf("address is ridiculously long: %.64s...", yield);
813 return NULL;
814 }
815
816 return yield;
817
818 /* Use goto (via the macro FAILED) to get to here from a variety of places.
819 We might have an empty address in a group - the caller can choose to ignore
820 this. We must, however, keep the flags correct. */
821
822 PARSE_FAILED:
823 if (parse_found_group && *s == ';')
824 {
825 parse_found_group = FALSE;
826 parse_allow_group = TRUE;
827 }
828 return NULL;
829 }
830
831 #undef FAILED
832
833
834
835 /*************************************************
836 * Quote according to RFC 2047 *
837 *************************************************/
838
839 /* This function is used for quoting text in headers according to RFC 2047.
840 If the only characters that strictly need quoting are spaces, we return the
841 original string, unmodified. If a quoted string is too long for the buffer, it
842 is truncated. (This shouldn't happen: this is normally handling short strings.)
843
844 Hmmph. As always, things get perverted for other uses. This function was
845 originally for the "phrase" part of addresses. Now it is being used for much
846 longer texts in ACLs and via the ${rfc2047: expansion item. This means we have
847 to check for overlong "encoded-word"s and split them. November 2004.
848
849 Arguments:
850 string the string to quote - already checked to contain non-printing
851 chars
852 len the length of the string
853 charset the name of the character set; NULL => iso-8859-1
854 buffer the buffer to put the answer in
855 buffer_size the size of the buffer
856 fold if TRUE, a newline is inserted before the separating space when
857 more than one encoded-word is generated
858
859 Returns: pointer to the original string, if no quoting needed, or
860 pointer to buffer containing the quoted string, or
861 a pointer to "String too long" if the buffer can't even hold
862 the introduction
863 */
864
865 const uschar *
866 parse_quote_2047(const uschar *string, int len, uschar *charset, uschar *buffer,
867 int buffer_size, BOOL fold)
868 {
869 const uschar *s = string;
870 uschar *p, *t;
871 int hlen;
872 BOOL coded = FALSE;
873 BOOL first_byte = FALSE;
874
875 if (charset == NULL) charset = US"iso-8859-1";
876
877 /* We don't expect this to fail! */
878
879 if (!string_format(buffer, buffer_size, "=?%s?Q?", charset))
880 return US"String too long";
881
882 hlen = Ustrlen(buffer);
883 t = buffer + hlen;
884 p = buffer;
885
886 for (; len > 0; len--)
887 {
888 int ch = *s++;
889 if (t > buffer + buffer_size - hlen - 8) break;
890
891 if ((t - p > 67) && !first_byte)
892 {
893 *t++ = '?';
894 *t++ = '=';
895 if (fold) *t++ = '\n';
896 *t++ = ' ';
897 p = t;
898 Ustrncpy(p, buffer, hlen);
899 t += hlen;
900 }
901
902 if (ch < 33 || ch > 126 ||
903 Ustrchr("?=()<>@,;:\\\".[]_", ch) != NULL)
904 {
905 if (ch == ' ')
906 {
907 *t++ = '_';
908 first_byte = FALSE;
909 }
910 else
911 {
912 sprintf(CS t, "=%02X", ch);
913 while (*t != 0) t++;
914 coded = TRUE;
915 first_byte = !first_byte;
916 }
917 }
918 else { *t++ = ch; first_byte = FALSE; }
919 }
920
921 *t++ = '?';
922 *t++ = '=';
923 *t = 0;
924
925 return coded? buffer : string;
926 }
927
928
929
930
931 /*************************************************
932 * Fix up an RFC 822 "phrase" *
933 *************************************************/
934
935 /* This function is called to repair any syntactic defects in the "phrase" part
936 of an RFC822 address. In particular, it is applied to the user's name as read
937 from the passwd file when accepting a local message, and to the data from the
938 -F option.
939
940 If the string contains existing quoted strings or comments containing
941 freestanding quotes, then we just quote those bits that need quoting -
942 otherwise it would get awfully messy and probably not look good. If not, we
943 quote the whole thing if necessary. Thus
944
945 John Q. Smith => "John Q. Smith"
946 John "Jack" Smith => John "Jack" Smith
947 John "Jack" Q. Smith => John "Jack" "Q." Smith
948 John (Jack) Q. Smith => "John (Jack) Q. Smith"
949 John ("Jack") Q. Smith => John ("Jack") "Q." Smith
950 but
951 John (\"Jack\") Q. Smith => "John (\"Jack\") Q. Smith"
952
953 Sheesh! This is tedious code. It is a great pity that the syntax of RFC822 is
954 the way it is...
955
956 August 2000: Additional code added:
957
958 Previously, non-printing characters were turned into question marks, which do
959 not need to be quoted.
960
961 Now, a different tactic is used if there are any non-printing ASCII
962 characters. The encoding method from RFC 2047 is used, assuming iso-8859-1 as
963 the character set.
964
965 We *could* use this for all cases, getting rid of the messy original code,
966 but leave it for now. It would complicate simple cases like "John Q. Smith".
967
968 The result is passed back in the buffer; it is usually going to be added to
969 some other string. In order to be sure there is going to be no overflow,
970 restrict the length of the input to 1/4 of the buffer size - this allows for
971 every single character to be quoted or encoded without overflowing, and that
972 wouldn't happen because of amalgamation. If the phrase is too long, return a
973 fixed string.
974
975 Arguments:
976 phrase an RFC822 phrase
977 len the length of the phrase
978 buffer a buffer to put the result in
979 buffer_size the size of the buffer
980
981 Returns: the fixed RFC822 phrase
982 */
983
984 const uschar *
985 parse_fix_phrase(const uschar *phrase, int len, uschar *buffer, int buffer_size)
986 {
987 int ch, i;
988 BOOL quoted = FALSE;
989 const uschar *s, *end;
990 uschar *t, *yield;
991
992 while (len > 0 && isspace(*phrase)) { phrase++; len--; }
993 if (len > buffer_size/4) return US"Name too long";
994
995 /* See if there are any non-printing characters, and if so, use the RFC 2047
996 encoding for the whole thing. */
997
998 for (i = 0, s = phrase; i < len; i++, s++)
999 if ((*s < 32 && *s != '\t') || *s > 126) break;
1000
1001 if (i < len) return parse_quote_2047(phrase, len, headers_charset, buffer,
1002 buffer_size, FALSE);
1003
1004 /* No non-printers; use the RFC 822 quoting rules */
1005
1006 s = phrase;
1007 end = s + len;
1008 yield = t = buffer + 1;
1009
1010 while (s < end)
1011 {
1012 ch = *s++;
1013
1014 /* Copy over quoted strings, remembering we encountered one */
1015
1016 if (ch == '\"')
1017 {
1018 *t++ = '\"';
1019 while (s < end && (ch = *s++) != '\"')
1020 {
1021 *t++ = ch;
1022 if (ch == '\\' && s < end) *t++ = *s++;
1023 }
1024 *t++ = '\"';
1025 if (s >= end) break;
1026 quoted = TRUE;
1027 }
1028
1029 /* Copy over comments, noting if they contain freestanding quote
1030 characters */
1031
1032 else if (ch == '(')
1033 {
1034 int level = 1;
1035 *t++ = '(';
1036 while (s < end)
1037 {
1038 ch = *s++;
1039 *t++ = ch;
1040 if (ch == '(') level++;
1041 else if (ch == ')') { if (--level <= 0) break; }
1042 else if (ch == '\\' && s < end) *t++ = *s++ & 127;
1043 else if (ch == '\"') quoted = TRUE;
1044 }
1045 if (ch == 0)
1046 {
1047 while (level--) *t++ = ')';
1048 break;
1049 }
1050 }
1051
1052 /* Handle special characters that need to be quoted */
1053
1054 else if (Ustrchr(")<>@,;:\\.[]", ch) != NULL)
1055 {
1056 /* If hit previous quotes just make one quoted "word" */
1057
1058 if (quoted)
1059 {
1060 uschar *tt = t++;
1061 while (*(--tt) != ' ' && *tt != '\"' && *tt != ')') tt[1] = *tt;
1062 tt[1] = '\"';
1063 *t++ = ch;
1064 while (s < end)
1065 {
1066 ch = *s++;
1067 if (ch == ' ' || ch == '\"') { s--; break; } else *t++ = ch;
1068 }
1069 *t++ = '\"';
1070 }
1071
1072 /* Else quote the whole string so far, and the rest up to any following
1073 quotes. We must treat anything following a backslash as a literal. */
1074
1075 else
1076 {
1077 BOOL escaped = (ch == '\\');
1078 *(--yield) = '\"';
1079 *t++ = ch;
1080
1081 /* Now look for the end or a quote */
1082
1083 while (s < end)
1084 {
1085 ch = *s++;
1086
1087 /* Handle escaped pairs */
1088
1089 if (escaped)
1090 {
1091 *t++ = ch;
1092 escaped = FALSE;
1093 }
1094
1095 else if (ch == '\\')
1096 {
1097 *t++ = ch;
1098 escaped = TRUE;
1099 }
1100
1101 /* If hit subsequent quotes, insert our quote before any trailing
1102 spaces and back up to re-handle the quote in the outer loop. */
1103
1104 else if (ch == '\"')
1105 {
1106 int count = 0;
1107 while (t[-1] == ' ') { t--; count++; }
1108 *t++ = '\"';
1109 while (count-- > 0) *t++ = ' ';
1110 s--;
1111 break;
1112 }
1113
1114 /* If hit a subsequent comment, check it for unescaped quotes,
1115 and if so, end our quote before it. */
1116
1117 else if (ch == '(')
1118 {
1119 const uschar *ss = s; /* uschar after '(' */
1120 int level = 1;
1121 while(ss < end)
1122 {
1123 ch = *ss++;
1124 if (ch == '(') level++;
1125 else if (ch == ')') { if (--level <= 0) break; }
1126 else if (ch == '\\' && ss+1 < end) ss++;
1127 else if (ch == '\"') { quoted = TRUE; break; }
1128 }
1129
1130 /* Comment contains unescaped quotes; end our quote before
1131 the start of the comment. */
1132
1133 if (quoted)
1134 {
1135 int count = 0;
1136 while (t[-1] == ' ') { t--; count++; }
1137 *t++ = '\"';
1138 while (count-- > 0) *t++ = ' ';
1139 break;
1140 }
1141
1142 /* Comment does not contain unescaped quotes; include it in
1143 our quote. */
1144
1145 else
1146 {
1147 if (ss >= end) ss--;
1148 *t++ = '(';
1149 Ustrncpy(t, s, ss-s);
1150 t += ss-s;
1151 s = ss;
1152 }
1153 }
1154
1155 /* Not a comment or quote; include this character in our quotes. */
1156
1157 else *t++ = ch;
1158 }
1159 }
1160
1161 /* Add a final quote if we hit the end of the string. */
1162
1163 if (s >= end) *t++ = '\"';
1164 }
1165
1166 /* Non-special character; just copy it over */
1167
1168 else *t++ = ch;
1169 }
1170
1171 *t = 0;
1172 return yield;
1173 }
1174
1175
1176 /*************************************************
1177 * Extract addresses from a list *
1178 *************************************************/
1179
1180 /* This function is called by the redirect router to scan a string containing a
1181 list of addresses separated by commas (with optional white space) or by
1182 newlines, and to generate a chain of address items from them. In other words,
1183 to unpick data from an alias or .forward file.
1184
1185 The SunOS5 documentation for alias files is not very clear on the syntax; it
1186 does not say that either a comma or a newline can be used for separation.
1187 However, that is the way Smail does it, so we follow suit.
1188
1189 If a # character is encountered in a white space position, then characters from
1190 there to the next newline are skipped.
1191
1192 If an unqualified address begins with '\', just skip that character. This gives
1193 compatibility with Sendmail's use of \ to prevent looping. Exim has its own
1194 loop prevention scheme which handles other cases too - see the code in
1195 route_address().
1196
1197 An "address" can be a specification of a file or a pipe; the latter may often
1198 need to be quoted because it may contain spaces, but we don't want to retain
1199 the quotes. Quotes may appear in normal addresses too, and should be retained.
1200 We can distinguish between these cases, because in addresses, quotes are used
1201 only for parts of the address, not the whole thing. Therefore, we remove quotes
1202 from items when they entirely enclose them, but not otherwise.
1203
1204 An "address" can also be of the form :include:pathname to include a list of
1205 addresses contained in the specified file.
1206
1207 Any unqualified addresses are qualified with and rewritten if necessary, via
1208 the rewrite_address() function.
1209
1210 Arguments:
1211 s the list of addresses (typically a complete
1212 .forward file or a list of entries in an alias file)
1213 options option bits for permitting or denying various special cases;
1214 not all bits are relevant here - some are for filter
1215 files; those we use here are:
1216 RDO_DEFER
1217 RDO_FREEZE
1218 RDO_FAIL
1219 RDO_BLACKHOLE
1220 RDO_REWRITE
1221 RDO_INCLUDE
1222 anchor where to hang the chain of newly-created addresses. This
1223 should be initialized to NULL.
1224 error where to return an error text
1225 incoming domain domain of the incoming address; used to qualify unqualified
1226 local parts preceded by \
1227 directory if NULL, no checks are done on :include: files
1228 otherwise, included file names must start with the given
1229 directory
1230 syntax_errors if not NULL, it carries on after syntax errors in addresses,
1231 building up a list of errors as error blocks chained on
1232 here.
1233
1234 Returns: FF_DELIVERED addresses extracted
1235 FF_NOTDELIVERED no addresses extracted, but no errors
1236 FF_BLACKHOLE :blackhole:
1237 FF_DEFER :defer:
1238 FF_FAIL :fail:
1239 FF_INCLUDEFAIL some problem with :include:; *error set
1240 FF_ERROR other problems; *error is set
1241 */
1242
1243 int
1244 parse_forward_list(uschar *s, int options, address_item **anchor,
1245 uschar **error, const uschar *incoming_domain, uschar *directory,
1246 error_block **syntax_errors)
1247 {
1248 int count = 0;
1249
1250 DEBUG(D_route) debug_printf("parse_forward_list: %s\n", s);
1251
1252 for (;;)
1253 {
1254 int len;
1255 int special = 0;
1256 int specopt = 0;
1257 int specbit = 0;
1258 uschar *ss, *nexts;
1259 address_item *addr;
1260 BOOL inquote = FALSE;
1261
1262 for (;;)
1263 {
1264 while (isspace(*s) || *s == ',') s++;
1265 if (*s == '#') { while (*s != 0 && *s != '\n') s++; } else break;
1266 }
1267
1268 /* When we reach the end of the list, we return FF_DELIVERED if any child
1269 addresses have been generated. If nothing has been generated, there are two
1270 possibilities: either the list is really empty, or there were syntax errors
1271 that are being skipped. (If syntax errors are not being skipped, an FF_ERROR
1272 return is generated on hitting a syntax error and we don't get here.) For a
1273 truly empty list we return FF_NOTDELIVERED so that the router can decline.
1274 However, if the list is empty only because syntax errors were skipped, we
1275 return FF_DELIVERED. */
1276
1277 if (*s == 0)
1278 {
1279 return (count > 0 || (syntax_errors != NULL && *syntax_errors != NULL))?
1280 FF_DELIVERED : FF_NOTDELIVERED;
1281
1282 /* This previous code returns FF_ERROR if nothing is generated but a
1283 syntax error has been skipped. I now think it is the wrong approach, but
1284 have left this here just in case, and for the record. */
1285
1286 #ifdef NEVER
1287 if (count > 0) return FF_DELIVERED; /* Something was generated */
1288
1289 if (syntax_errors == NULL || /* Not skipping syntax errors, or */
1290 *syntax_errors == NULL) /* we didn't actually skip any */
1291 return FF_NOTDELIVERED;
1292
1293 *error = string_sprintf("no addresses generated: syntax error in %s: %s",
1294 (*syntax_errors)->text2, (*syntax_errors)->text1);
1295 return FF_ERROR;
1296 #endif
1297
1298 }
1299
1300 /* Find the end of the next address. Quoted strings in addresses may contain
1301 escaped characters; I haven't found a proper specification of .forward or
1302 alias files that mentions the quoting properties, but it seems right to do
1303 the escaping thing in all cases, so use the function that finds the end of an
1304 address. However, don't let a quoted string extend over the end of a line. */
1305
1306 ss = parse_find_address_end(s, TRUE);
1307
1308 /* Remember where we finished, for starting the next one. */
1309
1310 nexts = ss;
1311
1312 /* Remove any trailing spaces; we know there's at least one non-space. */
1313
1314 while (isspace((ss[-1]))) ss--;
1315
1316 /* We now have s->start and ss->end of the next address. Remove quotes
1317 if they completely enclose, remembering the address started with a quote
1318 for handling pipes and files. Another round of removal of leading and
1319 trailing spaces is then required. */
1320
1321 if (*s == '\"' && ss[-1] == '\"')
1322 {
1323 s++;
1324 ss--;
1325 inquote = TRUE;
1326 while (s < ss && isspace(*s)) s++;
1327 while (ss > s && isspace((ss[-1]))) ss--;
1328 }
1329
1330 /* Set up the length of the address. */
1331
1332 len = ss - s;
1333
1334 DEBUG(D_route)
1335 {
1336 int save = s[len];
1337 s[len] = 0;
1338 debug_printf("extract item: %s\n", s);
1339 s[len] = save;
1340 }
1341
1342 /* Handle special addresses if permitted. If the address is :unknown:
1343 ignore it - this is for backward compatibility with old alias files. You
1344 don't need to use it nowadays - just generate an empty string. For :defer:,
1345 :blackhole:, or :fail: we have to set up the error message and give up right
1346 away. */
1347
1348 if (Ustrncmp(s, ":unknown:", len) == 0)
1349 {
1350 s = nexts;
1351 continue;
1352 }
1353
1354 if (Ustrncmp(s, ":defer:", 7) == 0)
1355 { special = FF_DEFER; specopt = RDO_DEFER; } /* specbit is 0 */
1356 else if (Ustrncmp(s, ":blackhole:", 11) == 0)
1357 { special = FF_BLACKHOLE; specopt = specbit = RDO_BLACKHOLE; }
1358 else if (Ustrncmp(s, ":fail:", 6) == 0)
1359 { special = FF_FAIL; specopt = RDO_FAIL; } /* specbit is 0 */
1360
1361 if (special != 0)
1362 {
1363 uschar *ss = Ustrchr(s+1, ':') + 1;
1364 if ((options & specopt) == specbit)
1365 {
1366 *error = string_sprintf("\"%.*s\" is not permitted", len, s);
1367 return FF_ERROR;
1368 }
1369 while (*ss != 0 && isspace(*ss)) ss++;
1370 while (s[len] != 0 && s[len] != '\n') len++;
1371 s[len] = 0;
1372 *error = string_copy(ss);
1373 return special;
1374 }
1375
1376 /* If the address is of the form :include:pathname, read the file, and call
1377 this function recursively to extract the addresses from it. If directory is
1378 NULL, do no checks. Otherwise, insist that the file name starts with the
1379 given directory and is a regular file. */
1380
1381 if (Ustrncmp(s, ":include:", 9) == 0)
1382 {
1383 uschar *filebuf;
1384 uschar filename[256];
1385 uschar *t = s+9;
1386 int flen = len - 9;
1387 int frc;
1388 struct stat statbuf;
1389 address_item *last;
1390 FILE *f;
1391
1392 while (flen > 0 && isspace(*t)) { t++; flen--; }
1393
1394 if (flen <= 0)
1395 {
1396 *error = string_sprintf("file name missing after :include:");
1397 return FF_ERROR;
1398 }
1399
1400 if (flen > 255)
1401 {
1402 *error = string_sprintf("included file name \"%s\" is too long", t);
1403 return FF_ERROR;
1404 }
1405
1406 Ustrncpy(filename, t, flen);
1407 filename[flen] = 0;
1408
1409 /* Insist on absolute path */
1410
1411 if (filename[0]!= '/')
1412 {
1413 *error = string_sprintf("included file \"%s\" is not an absolute path",
1414 filename);
1415 return FF_ERROR;
1416 }
1417
1418 /* Check if include is permitted */
1419
1420 if ((options & RDO_INCLUDE) != 0)
1421 {
1422 *error = US"included files not permitted";
1423 return FF_ERROR;
1424 }
1425
1426 /* Check file name if required */
1427
1428 if (directory)
1429 {
1430 int len = Ustrlen(directory);
1431 uschar *p = filename + len;
1432
1433 if (Ustrncmp(filename, directory, len) != 0 || *p != '/')
1434 {
1435 *error = string_sprintf("included file %s is not in directory %s",
1436 filename, directory);
1437 return FF_ERROR;
1438 }
1439
1440 #ifdef EXIM_HAVE_OPENAT
1441 /* It is necessary to check that every component inside the directory
1442 is NOT a symbolic link, in order to keep the file inside the directory.
1443 This is mighty tedious. We open the directory and openat every component,
1444 with a flag that fails symlinks. */
1445
1446 {
1447 int fd = open(directory, O_RDONLY);
1448 if (fd < 0)
1449 {
1450 *error = string_sprintf("failed to open directory %s", directory);
1451 return FF_ERROR;
1452 }
1453 while (*p)
1454 {
1455 uschar temp;
1456 int fd2;
1457 uschar * q = p;
1458
1459 while (*++p && *p != '/') ;
1460 temp = *p;
1461 *p = '\0';
1462
1463 if ((fd2 = openat(fd, q, O_RDONLY|O_NOFOLLOW)) < 0)
1464 {
1465 *error = string_sprintf("failed to open %s (component of included "
1466 "file); could be symbolic link", filename);
1467 return FF_ERROR;
1468 }
1469 close(fd);
1470 fd = fd2;
1471 *p = temp;
1472 }
1473 f = fdopen(fd, "rb");
1474 }
1475 #else
1476 /* It is necessary to check that every component inside the directory
1477 is NOT a symbolic link, in order to keep the file inside the directory.
1478 This is mighty tedious. It is also not totally foolproof in that it
1479 leaves the possibility of a race attack, but I don't know how to do
1480 any better. */
1481
1482 while (*p)
1483 {
1484 int temp;
1485 while (*++p && *p != '/');
1486 temp = *p;
1487 *p = 0;
1488 if (Ulstat(filename, &statbuf) != 0)
1489 {
1490 *error = string_sprintf("failed to stat %s (component of included "
1491 "file)", filename);
1492 *p = temp;
1493 return FF_ERROR;
1494 }
1495
1496 *p = temp;
1497
1498 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1499 {
1500 *error = string_sprintf("included file %s in the %s directory "
1501 "involves a symbolic link", filename, directory);
1502 return FF_ERROR;
1503 }
1504 }
1505 #endif
1506 }
1507
1508 #ifdef EXIM_HAVE_OPENAT
1509 else
1510 #endif
1511 /* Open and stat the file */
1512 f = Ufopen(filename, "rb");
1513
1514 if (!f)
1515 {
1516 *error = string_open_failed(errno, "included file %s", filename);
1517 return FF_INCLUDEFAIL;
1518 }
1519
1520 if (fstat(fileno(f), &statbuf) != 0)
1521 {
1522 *error = string_sprintf("failed to stat included file %s: %s",
1523 filename, strerror(errno));
1524 (void)fclose(f);
1525 return FF_INCLUDEFAIL;
1526 }
1527
1528 /* If directory was checked, double check that we opened a regular file */
1529
1530 if (directory && (statbuf.st_mode & S_IFMT) != S_IFREG)
1531 {
1532 *error = string_sprintf("included file %s is not a regular file in "
1533 "the %s directory", filename, directory);
1534 return FF_ERROR;
1535 }
1536
1537 /* Get a buffer and read the contents */
1538
1539 if (statbuf.st_size > MAX_INCLUDE_SIZE)
1540 {
1541 *error = string_sprintf("included file %s is too big (max %d)",
1542 filename, MAX_INCLUDE_SIZE);
1543 return FF_ERROR;
1544 }
1545
1546 filebuf = store_get(statbuf.st_size + 1);
1547 if (fread(filebuf, 1, statbuf.st_size, f) != statbuf.st_size)
1548 {
1549 *error = string_sprintf("error while reading included file %s: %s",
1550 filename, strerror(errno));
1551 (void)fclose(f);
1552 return FF_ERROR;
1553 }
1554 filebuf[statbuf.st_size] = 0;
1555 (void)fclose(f);
1556
1557 addr = NULL;
1558 frc = parse_forward_list(filebuf, options, &addr,
1559 error, incoming_domain, directory, syntax_errors);
1560 if (frc != FF_DELIVERED && frc != FF_NOTDELIVERED) return frc;
1561
1562 if (addr)
1563 {
1564 for (last = addr; last->next; last = last->next) count++;
1565 last->next = *anchor;
1566 *anchor = addr;
1567 count++;
1568 }
1569 }
1570
1571 /* Else (not :include:) ensure address is syntactically correct and fully
1572 qualified if not a pipe or a file, removing a leading \ if present on an
1573 unqualified address. For pipes and files we must handle quoting. It's
1574 not quite clear exactly what to do for partially quoted things, but the
1575 common case of having the whole thing in quotes is straightforward. If this
1576 was the case, inquote will have been set TRUE above and the quotes removed.
1577
1578 There is a possible ambiguity over addresses whose local parts start with
1579 a vertical bar or a slash, and the latter do in fact occur, thanks to X.400.
1580 Consider a .forward file that contains the line
1581
1582 /X=xxx/Y=xxx/OU=xxx/@some.gate.way
1583
1584 Is this a file or an X.400 address? Does it make any difference if it is in
1585 quotes? On the grounds that file names of this type are rare, Exim treats
1586 something that parses as an RFC 822 address and has a domain as an address
1587 rather than a file or a pipe. This is also how an address such as the above
1588 would be treated if it came in from outside. */
1589
1590 else
1591 {
1592 int start, end, domain;
1593 uschar *recipient = NULL;
1594 int save = s[len];
1595 s[len] = 0;
1596
1597 /* If it starts with \ and the rest of it parses as a valid mail address
1598 without a domain, carry on with that address, but qualify it with the
1599 incoming domain. Otherwise arrange for the address to fall through,
1600 causing an error message on the re-parse. */
1601
1602 if (*s == '\\')
1603 {
1604 recipient =
1605 parse_extract_address(s+1, error, &start, &end, &domain, FALSE);
1606 if (recipient != NULL)
1607 recipient = (domain != 0)? NULL :
1608 string_sprintf("%s@%s", recipient, incoming_domain);
1609 }
1610
1611 /* Try parsing the item as an address. */
1612
1613 if (recipient == NULL) recipient =
1614 parse_extract_address(s, error, &start, &end, &domain, FALSE);
1615
1616 /* If item starts with / or | and is not a valid address, or there
1617 is no domain, treat it as a file or pipe. If it was a quoted item,
1618 remove the quoting occurrences of \ within it. */
1619
1620 if ((*s == '|' || *s == '/') && (recipient == NULL || domain == 0))
1621 {
1622 uschar *t = store_get(Ustrlen(s) + 1);
1623 uschar *p = t;
1624 uschar *q = s;
1625 while (*q != 0)
1626 {
1627 if (inquote)
1628 {
1629 *p++ = (*q == '\\')? *(++q) : *q;
1630 q++;
1631 }
1632 else *p++ = *q++;
1633 }
1634 *p = 0;
1635 addr = deliver_make_addr(t, TRUE);
1636 setflag(addr, af_pfr); /* indicates pipe/file/reply */
1637 if (*s != '|') setflag(addr, af_file); /* indicates file */
1638 }
1639
1640 /* Item must be an address. Complain if not, else qualify, rewrite and set
1641 up the control block. It appears that people are in the habit of using
1642 empty addresses but with comments as a way of putting comments into
1643 alias and forward files. Therefore, ignore the error "empty address".
1644 Mailing lists might want to tolerate syntax errors; there is therefore
1645 an option to do so. */
1646
1647 else
1648 {
1649 if (recipient == NULL)
1650 {
1651 if (Ustrcmp(*error, "empty address") == 0)
1652 {
1653 *error = NULL;
1654 s[len] = save;
1655 s = nexts;
1656 continue;
1657 }
1658
1659 if (syntax_errors != NULL)
1660 {
1661 error_block *e = store_get(sizeof(error_block));
1662 error_block *last = *syntax_errors;
1663 if (last == NULL) *syntax_errors = e; else
1664 {
1665 while (last->next != NULL) last = last->next;
1666 last->next = e;
1667 }
1668 e->next = NULL;
1669 e->text1 = *error;
1670 e->text2 = string_copy(s);
1671 s[len] = save;
1672 s = nexts;
1673 continue;
1674 }
1675 else
1676 {
1677 *error = string_sprintf("%s in \"%s\"", *error, s);
1678 s[len] = save; /* _after_ using it for *error */
1679 return FF_ERROR;
1680 }
1681 }
1682
1683 /* Address was successfully parsed. Rewrite, and then make an address
1684 block. */
1685
1686 recipient = ((options & RDO_REWRITE) != 0)?
1687 rewrite_address(recipient, TRUE, FALSE, global_rewrite_rules,
1688 rewrite_existflags) :
1689 rewrite_address_qualify(recipient, TRUE);
1690 addr = deliver_make_addr(recipient, TRUE); /* TRUE => copy recipient */
1691 }
1692
1693 /* Restore the final character in the original data, and add to the
1694 output chain. */
1695
1696 s[len] = save;
1697 addr->next = *anchor;
1698 *anchor = addr;
1699 count++;
1700 }
1701
1702 /* Advance pointer for the next address */
1703
1704 s = nexts;
1705 }
1706 }
1707
1708
1709 /*************************************************
1710 * Extract a Message-ID *
1711 *************************************************/
1712
1713 /* This function is used to extract message ids from In-Reply-To: and
1714 References: header lines.
1715
1716 Arguments:
1717 str pointer to the start of the message-id
1718 yield put pointer to the message id (in dynamic memory) here
1719 error put error message here on failure
1720
1721 Returns: points after the processed message-id or NULL on error
1722 */
1723
1724 uschar *
1725 parse_message_id(uschar *str, uschar **yield, uschar **error)
1726 {
1727 uschar *domain = NULL;
1728 uschar *id;
1729
1730 str = skip_comment(str);
1731 if (*str != '<')
1732 {
1733 *error = US"Missing '<' before message-id";
1734 return NULL;
1735 }
1736
1737 /* Getting a block the size of the input string will definitely be sufficient
1738 for the answer, but it may also be very long if we are processing a header
1739 line. Therefore, take care to release unwanted store afterwards. */
1740
1741 id = *yield = store_get(Ustrlen(str) + 1);
1742 *id++ = *str++;
1743
1744 str = read_addr_spec(str, id, '>', error, &domain);
1745
1746 if (*error == NULL)
1747 {
1748 if (*str != '>') *error = US"Missing '>' after message-id";
1749 else if (domain == NULL) *error = US"domain missing in message-id";
1750 }
1751
1752 if (*error != NULL)
1753 {
1754 store_reset(*yield);
1755 return NULL;
1756 }
1757
1758 while (*id != 0) id++;
1759 *id++ = *str++;
1760 *id++ = 0;
1761 store_reset(id);
1762
1763 str = skip_comment(str);
1764 return str;
1765 }
1766
1767
1768 /*************************************************
1769 * Parse a fixed digit number *
1770 *************************************************/
1771
1772 /* Parse a string containing an ASCII encoded fixed digits number
1773
1774 Arguments:
1775 str pointer to the start of the ASCII encoded number
1776 n pointer to the resulting value
1777 digits number of required digits
1778
1779 Returns: points after the processed date or NULL on error
1780 */
1781
1782 static uschar *
1783 parse_number(uschar *str, int *n, int digits)
1784 {
1785 *n=0;
1786 while (digits--)
1787 {
1788 if (*str<'0' || *str>'9') return NULL;
1789 *n=10*(*n)+(*str++-'0');
1790 }
1791 return str;
1792 }
1793
1794
1795 /*************************************************
1796 * Parse a RFC 2822 day of week *
1797 *************************************************/
1798
1799 /* Parse the day of the week from a RFC 2822 date, but do not
1800 decode it, because it is only for humans.
1801
1802 Arguments:
1803 str pointer to the start of the day of the week
1804
1805 Returns: points after the parsed day or NULL on error
1806 */
1807
1808 static uschar *
1809 parse_day_of_week(uschar *str)
1810 {
1811 /*
1812 day-of-week = ([FWS] day-name) / obs-day-of-week
1813
1814 day-name = "Mon" / "Tue" / "Wed" / "Thu" /
1815 "Fri" / "Sat" / "Sun"
1816
1817 obs-day-of-week = [CFWS] day-name [CFWS]
1818 */
1819
1820 static const uschar *day_name[7]={ US"mon", US"tue", US"wed", US"thu", US"fri", US"sat", US"sun" };
1821 int i;
1822 uschar day[4];
1823
1824 str=skip_comment(str);
1825 for (i=0; i<3; ++i)
1826 {
1827 if ((day[i]=tolower(*str))=='\0') return NULL;
1828 ++str;
1829 }
1830 day[3]='\0';
1831 for (i=0; i<7; ++i) if (Ustrcmp(day,day_name[i])==0) break;
1832 if (i==7) return NULL;
1833 str=skip_comment(str);
1834 return str;
1835 }
1836
1837
1838 /*************************************************
1839 * Parse a RFC 2822 date *
1840 *************************************************/
1841
1842 /* Parse the date part of a RFC 2822 date-time, extracting the
1843 day, month and year.
1844
1845 Arguments:
1846 str pointer to the start of the date
1847 d pointer to the resulting day
1848 m pointer to the resulting month
1849 y pointer to the resulting year
1850
1851 Returns: points after the processed date or NULL on error
1852 */
1853
1854 static uschar *
1855 parse_date(uschar *str, int *d, int *m, int *y)
1856 {
1857 /*
1858 date = day month year
1859
1860 year = 4*DIGIT / obs-year
1861
1862 obs-year = [CFWS] 2*DIGIT [CFWS]
1863
1864 month = (FWS month-name FWS) / obs-month
1865
1866 month-name = "Jan" / "Feb" / "Mar" / "Apr" /
1867 "May" / "Jun" / "Jul" / "Aug" /
1868 "Sep" / "Oct" / "Nov" / "Dec"
1869
1870 obs-month = CFWS month-name CFWS
1871
1872 day = ([FWS] 1*2DIGIT) / obs-day
1873
1874 obs-day = [CFWS] 1*2DIGIT [CFWS]
1875 */
1876
1877 uschar *c,*n;
1878 static const uschar *month_name[]={ US"jan", US"feb", US"mar", US"apr", US"may", US"jun", US"jul", US"aug", US"sep", US"oct", US"nov", US"dec" };
1879 int i;
1880 uschar month[4];
1881
1882 str=skip_comment(str);
1883 if ((str=parse_number(str,d,1))==NULL) return NULL;
1884 if (*str>='0' && *str<='9') *d=10*(*d)+(*str++-'0');
1885 c=skip_comment(str);
1886 if (c==str) return NULL;
1887 else str=c;
1888 for (i=0; i<3; ++i) if ((month[i]=tolower(*(str+i)))=='\0') return NULL;
1889 month[3]='\0';
1890 for (i=0; i<12; ++i) if (Ustrcmp(month,month_name[i])==0) break;
1891 if (i==12) return NULL;
1892 str+=3;
1893 *m=i;
1894 c=skip_comment(str);
1895 if (c==str) return NULL;
1896 else str=c;
1897 if ((n=parse_number(str,y,4)))
1898 {
1899 str=n;
1900 if (*y<1900) return NULL;
1901 *y=*y-1900;
1902 }
1903 else if ((n=parse_number(str,y,2)))
1904 {
1905 str=skip_comment(n);
1906 while (*(str-1)==' ' || *(str-1)=='\t') --str; /* match last FWS later */
1907 if (*y<50) *y+=100;
1908 }
1909 else return NULL;
1910 return str;
1911 }
1912
1913
1914 /*************************************************
1915 * Parse a RFC 2822 Time *
1916 *************************************************/
1917
1918 /* Parse the time part of a RFC 2822 date-time, extracting the
1919 hour, minute, second and timezone.
1920
1921 Arguments:
1922 str pointer to the start of the time
1923 h pointer to the resulting hour
1924 m pointer to the resulting minute
1925 s pointer to the resulting second
1926 z pointer to the resulting timezone (offset in seconds)
1927
1928 Returns: points after the processed time or NULL on error
1929 */
1930
1931 static uschar *
1932 parse_time(uschar *str, int *h, int *m, int *s, int *z)
1933 {
1934 /*
1935 time = time-of-day FWS zone
1936
1937 time-of-day = hour ":" minute [ ":" second ]
1938
1939 hour = 2DIGIT / obs-hour
1940
1941 obs-hour = [CFWS] 2DIGIT [CFWS]
1942
1943 minute = 2DIGIT / obs-minute
1944
1945 obs-minute = [CFWS] 2DIGIT [CFWS]
1946
1947 second = 2DIGIT / obs-second
1948
1949 obs-second = [CFWS] 2DIGIT [CFWS]
1950
1951 zone = (( "+" / "-" ) 4DIGIT) / obs-zone
1952
1953 obs-zone = "UT" / "GMT" / ; Universal Time
1954 ; North American UT
1955 ; offsets
1956 "EST" / "EDT" / ; Eastern: - 5/ - 4
1957 "CST" / "CDT" / ; Central: - 6/ - 5
1958 "MST" / "MDT" / ; Mountain: - 7/ - 6
1959 "PST" / "PDT" / ; Pacific: - 8/ - 7
1960
1961 %d65-73 / ; Military zones - "A"
1962 %d75-90 / ; through "I" and "K"
1963 %d97-105 / ; through "Z", both
1964 %d107-122 ; upper and lower case
1965 */
1966
1967 uschar *c;
1968
1969 str=skip_comment(str);
1970 if ((str=parse_number(str,h,2))==NULL) return NULL;
1971 str=skip_comment(str);
1972 if (*str!=':') return NULL;
1973 ++str;
1974 str=skip_comment(str);
1975 if ((str=parse_number(str,m,2))==NULL) return NULL;
1976 c=skip_comment(str);
1977 if (*str==':')
1978 {
1979 ++str;
1980 str=skip_comment(str);
1981 if ((str=parse_number(str,s,2))==NULL) return NULL;
1982 c=skip_comment(str);
1983 }
1984 if (c==str) return NULL;
1985 else str=c;
1986 if (*str=='+' || *str=='-')
1987 {
1988 int neg;
1989
1990 neg=(*str=='-');
1991 ++str;
1992 if ((str=parse_number(str,z,4))==NULL) return NULL;
1993 *z=(*z/100)*3600+(*z%100)*60;
1994 if (neg) *z=-*z;
1995 }
1996 else
1997 {
1998 char zone[5];
1999 struct { const char *name; int off; } zone_name[10]=
2000 { {"gmt",0}, {"ut",0}, {"est",-5}, {"edt",-4}, {"cst",-6}, {"cdt",-5}, {"mst",-7}, {"mdt",-6}, {"pst",-8}, {"pdt",-7}};
2001 int i,j;
2002
2003 for (i=0; i<4; ++i)
2004 {
2005 zone[i]=tolower(*(str+i));
2006 if (zone[i]<'a' || zone[i]>'z') break;
2007 }
2008 zone[i]='\0';
2009 for (j=0; j<10 && strcmp(zone,zone_name[j].name); ++j);
2010 /* Besides zones named in the grammar, RFC 2822 says other alphabetic */
2011 /* time zones should be treated as unknown offsets. */
2012 if (j<10)
2013 {
2014 *z=zone_name[j].off*3600;
2015 str+=i;
2016 }
2017 else if (zone[0]<'a' || zone[1]>'z') return 0;
2018 else
2019 {
2020 while ((*str>='a' && *str<='z') || (*str>='A' && *str<='Z')) ++str;
2021 *z=0;
2022 }
2023 }
2024 return str;
2025 }
2026
2027
2028 /*************************************************
2029 * Parse a RFC 2822 date-time *
2030 *************************************************/
2031
2032 /* Parse a RFC 2822 date-time and return it in seconds since the epoch.
2033
2034 Arguments:
2035 str pointer to the start of the date-time
2036 t pointer to the parsed time
2037
2038 Returns: points after the processed date-time or NULL on error
2039 */
2040
2041 uschar *
2042 parse_date_time(uschar *str, time_t *t)
2043 {
2044 /*
2045 date-time = [ day-of-week "," ] date FWS time [CFWS]
2046 */
2047
2048 struct tm tm;
2049 int zone;
2050 extern char **environ;
2051 char **old_environ;
2052 static char gmt0[]="TZ=GMT0";
2053 static char *gmt_env[]={ gmt0, (char*)0 };
2054 uschar *try;
2055
2056 if ((try=parse_day_of_week(str)))
2057 {
2058 str=try;
2059 if (*str!=',') return 0;
2060 ++str;
2061 }
2062 if ((str=parse_date(str,&tm.tm_mday,&tm.tm_mon,&tm.tm_year))==NULL) return NULL;
2063 if (*str!=' ' && *str!='\t') return NULL;
2064 while (*str==' ' || *str=='\t') ++str;
2065 if ((str=parse_time(str,&tm.tm_hour,&tm.tm_min,&tm.tm_sec,&zone))==NULL) return NULL;
2066 tm.tm_isdst=0;
2067 old_environ=environ;
2068 environ=gmt_env;
2069 *t=mktime(&tm);
2070 environ=old_environ;
2071 if (*t==-1) return NULL;
2072 *t-=zone;
2073 str=skip_comment(str);
2074 return str;
2075 }
2076
2077
2078
2079
2080 /*************************************************
2081 **************************************************
2082 * Stand-alone test program *
2083 **************************************************
2084 *************************************************/
2085
2086 #if defined STAND_ALONE
2087 int main(void)
2088 {
2089 int start, end, domain;
2090 uschar buffer[1024];
2091 uschar outbuff[1024];
2092
2093 big_buffer = store_malloc(big_buffer_size);
2094
2095 /* strip_trailing_dot = TRUE; */
2096 allow_domain_literals = TRUE;
2097
2098 printf("Testing parse_fix_phrase\n");
2099
2100 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2101 {
2102 buffer[Ustrlen(buffer)-1] = 0;
2103 if (buffer[0] == 0) break;
2104 printf("%s\n", CS parse_fix_phrase(buffer, Ustrlen(buffer), outbuff,
2105 sizeof(outbuff)));
2106 }
2107
2108 printf("Testing parse_extract_address without group syntax and without UTF-8\n");
2109
2110 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2111 {
2112 uschar *out;
2113 uschar *errmess;
2114 buffer[Ustrlen(buffer) - 1] = 0;
2115 if (buffer[0] == 0) break;
2116 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2117 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2118 {
2119 uschar extract[1024];
2120 Ustrncpy(extract, buffer+start, end-start);
2121 extract[end-start] = 0;
2122 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2123 }
2124 }
2125
2126 printf("Testing parse_extract_address without group syntax but with UTF-8\n");
2127
2128 allow_utf8_domains = TRUE;
2129 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2130 {
2131 uschar *out;
2132 uschar *errmess;
2133 buffer[Ustrlen(buffer) - 1] = 0;
2134 if (buffer[0] == 0) break;
2135 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2136 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2137 {
2138 uschar extract[1024];
2139 Ustrncpy(extract, buffer+start, end-start);
2140 extract[end-start] = 0;
2141 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2142 }
2143 }
2144 allow_utf8_domains = FALSE;
2145
2146 printf("Testing parse_extract_address with group syntax\n");
2147
2148 parse_allow_group = TRUE;
2149 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2150 {
2151 uschar *out;
2152 uschar *errmess;
2153 uschar *s;
2154 buffer[Ustrlen(buffer) - 1] = 0;
2155 if (buffer[0] == 0) break;
2156 s = buffer;
2157 while (*s != 0)
2158 {
2159 uschar *ss = parse_find_address_end(s, FALSE);
2160 int terminator = *ss;
2161 *ss = 0;
2162 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2163 *ss = terminator;
2164
2165 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2166 {
2167 uschar extract[1024];
2168 Ustrncpy(extract, buffer+start, end-start);
2169 extract[end-start] = 0;
2170 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2171 }
2172
2173 s = ss + (terminator? 1:0);
2174 while (isspace(*s)) s++;
2175 }
2176 }
2177
2178 printf("Testing parse_find_at\n");
2179
2180 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2181 {
2182 uschar *s;
2183 buffer[Ustrlen(buffer)-1] = 0;
2184 if (buffer[0] == 0) break;
2185 s = parse_find_at(buffer);
2186 if (s == NULL) printf("no @ found\n");
2187 else printf("offset = %d\n", s - buffer);
2188 }
2189
2190 printf("Testing parse_extract_addresses\n");
2191
2192 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2193 {
2194 uschar *errmess;
2195 int extracted;
2196 address_item *anchor = NULL;
2197 buffer[Ustrlen(buffer) - 1] = 0;
2198 if (buffer[0] == 0) break;
2199 if ((extracted = parse_forward_list(buffer, -1, &anchor,
2200 &errmess, US"incoming.domain", NULL, NULL)) == FF_DELIVERED)
2201 {
2202 while (anchor != NULL)
2203 {
2204 address_item *addr = anchor;
2205 anchor = anchor->next;
2206 printf("%d %s\n", testflag(addr, af_pfr), addr->address);
2207 }
2208 }
2209 else printf("Failed: %d %s\n", extracted, errmess);
2210 }
2211
2212 printf("Testing parse_message_id\n");
2213
2214 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2215 {
2216 uschar *s, *t, *errmess;
2217 buffer[Ustrlen(buffer) - 1] = 0;
2218 if (buffer[0] == 0) break;
2219 s = buffer;
2220 while (*s != 0)
2221 {
2222 s = parse_message_id(s, &t, &errmess);
2223 if (errmess != NULL)
2224 {
2225 printf("Failed: %s\n", errmess);
2226 break;
2227 }
2228 printf("%s\n", t);
2229 }
2230 }
2231
2232 return 0;
2233 }
2234
2235 #endif
2236
2237 /* End of parse.c */
Unnamed repository; edit this file 'description' to name the repository.