projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
taint enforce: file access backstops
[exim.git] / src / src / parse.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for parsing addresses */
9
10
11 #include "exim.h"
12
13
14 static uschar *last_comment_position;
15
16
17
18 /* In stand-alone mode, provide a replacement for deliver_make_addr()
19 and rewrite_address[_qualify]() so as to avoid having to drag in too much
20 redundant apparatus. */
21
22 #ifdef STAND_ALONE
23
24 address_item *deliver_make_addr(uschar *address, BOOL copy)
25 {
26 address_item *addr = store_get(sizeof(address_item), FALSE);
27 addr->next = NULL;
28 addr->parent = NULL;
29 addr->address = address;
30 return addr;
31 }
32
33 uschar *rewrite_address(uschar *recipient, BOOL dummy1, BOOL dummy2, rewrite_rule
34 *dummy3, int dummy4)
35 {
36 return recipient;
37 }
38
39 uschar *rewrite_address_qualify(uschar *recipient, BOOL dummy1)
40 {
41 return recipient;
42 }
43
44 #endif
45
46
47
48
49 /*************************************************
50 * Find the end of an address *
51 *************************************************/
52
53 /* Scan over a string looking for the termination of an address at a comma,
54 or end of the string. It's the source-routed addresses which cause much pain
55 here. Although Exim ignores source routes, it must recognize such addresses, so
56 we cannot get rid of this logic.
57
58 Argument:
59 s pointer to the start of an address
60 nl_ends if TRUE, '\n' terminates an address
61
62 Returns: pointer past the end of the address
63 (i.e. points to null or comma)
64 */
65
66 uschar *
67 parse_find_address_end(uschar *s, BOOL nl_ends)
68 {
69 BOOL source_routing = *s == '@';
70 int no_term = source_routing? 1 : 0;
71
72 while (*s != 0 && (*s != ',' || no_term > 0) && (*s != '\n' || !nl_ends))
73 {
74 /* Skip single quoted characters. Strictly these should not occur outside
75 quoted strings in RFC 822 addresses, but they can in RFC 821 addresses. Pity
76 about the lack of consistency, isn't it? */
77
78 if (*s == '\\' && s[1] != 0) s += 2;
79
80 /* Skip quoted items that are not inside brackets. Note that
81 quoted pairs are allowed inside quoted strings. */
82
83 else if (*s == '\"')
84 {
85 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
86 {
87 if (*s == '\\' && s[1] != 0) s++;
88 else if (*s == '\"') { s++; break; }
89 }
90 }
91
92 /* Skip comments, which may include nested brackets, but quotes
93 are not recognized inside comments, though quoted pairs are. */
94
95 else if (*s == '(')
96 {
97 int level = 1;
98 while (*(++s) != 0 && (*s != '\n' || !nl_ends))
99 {
100 if (*s == '\\' && s[1] != 0) s++;
101 else if (*s == '(') level++;
102 else if (*s == ')' && --level <= 0) { s++; break; }
103 }
104 }
105
106 /* Non-special character; just advance. Passing the colon in a source
107 routed address means that any subsequent comma or colon may terminate unless
108 inside angle brackets. */
109
110 else
111 {
112 if (*s == '<')
113 {
114 source_routing = s[1] == '@';
115 no_term = source_routing? 2 : 1;
116 }
117 else if (*s == '>') no_term--;
118 else if (source_routing && *s == ':') no_term--;
119 s++;
120 }
121 }
122
123 return s;
124 }
125
126
127
128 /*************************************************
129 * Find last @ in an address *
130 *************************************************/
131
132 /* This function is used when we have something that may not qualified. If we
133 know it's qualified, searching for the rightmost '@' is sufficient. Here we
134 have to be a bit more clever than just a plain search, in order to handle
135 unqualified local parts like "thing@thong" correctly. Since quotes may not
136 legally be part of a domain name, we can give up on hitting the first quote
137 when searching from the right. Now that the parsing also permits the RFC 821
138 form of address, where quoted-pairs are allowed in unquoted local parts, we
139 must take care to handle that too.
140
141 Argument: pointer to an address, possibly unqualified
142 Returns: pointer to the last @ in an address, or NULL if none
143 */
144
145 uschar *
146 parse_find_at(uschar *s)
147 {
148 uschar *t = s + Ustrlen(s);
149 while (--t >= s)
150 {
151 if (*t == '@')
152 {
153 int backslash_count = 0;
154 uschar *tt = t - 1;
155 while (tt > s && *tt-- == '\\') backslash_count++;
156 if ((backslash_count & 1) == 0) return t;
157 }
158 else if (*t == '\"') return NULL;
159 }
160 return NULL;
161 }
162
163
164
165
166 /***************************************************************************
167 * In all the functions below that read a particular object type from *
168 * the input, return the new value of the pointer s (the first argument), *
169 * and put the object into the store pointed to by t (the second argument), *
170 * adding a terminating zero. If no object is found, t will point to zero *
171 * on return. *
172 ***************************************************************************/
173
174
175 /*************************************************
176 * Skip white space and comment *
177 *************************************************/
178
179 /* Algorithm:
180 (1) Skip spaces.
181 (2) If uschar not '(', return.
182 (3) Skip till matching ')', not counting any characters
183 escaped with '\'.
184 (4) Move past ')' and goto (1).
185
186 The start of the last potential comment position is remembered to
187 make it possible to ignore comments at the end of compound items.
188
189 Argument: current character pointer
190 Returns: new character pointer
191 */
192
193 static uschar *
194 skip_comment(uschar *s)
195 {
196 last_comment_position = s;
197 while (*s)
198 {
199 int c, level;
200 while (isspace(*s)) s++;
201 if (*s != '(') break;
202 level = 1;
203 while((c = *(++s)) != 0)
204 {
205 if (c == '(') level++;
206 else if (c == ')') { if (--level <= 0) { s++; break; } }
207 else if (c == '\\' && s[1] != 0) s++;
208 }
209 }
210 return s;
211 }
212
213
214
215 /*************************************************
216 * Read a domain *
217 *************************************************/
218
219 /* A domain is a sequence of subdomains, separated by dots. See comments below
220 for detailed syntax of the subdomains.
221
222 If allow_domain_literals is TRUE, a "domain" may also be an IP address enclosed
223 in []. Make sure the output is set to the null string if there is a syntax
224 error as well as if there is no domain at all.
225
226 Arguments:
227 s current character pointer
228 t where to put the domain
229 errorptr put error message here on failure (*t will be 0 on exit)
230
231 Returns: new character pointer
232 */
233
234 static uschar *
235 read_domain(uschar *s, uschar *t, uschar **errorptr)
236 {
237 uschar *tt = t;
238 s = skip_comment(s);
239
240 /* Handle domain literals if permitted. An RFC 822 domain literal may contain
241 any character except [ ] \, including linear white space, and may contain
242 quoted characters. However, RFC 821 restricts literals to being dot-separated
243 3-digit numbers, and we make the obvious extension for IPv6. Go for a sequence
244 of digits, dots, hex digits, and colons here; later this will be checked for
245 being a syntactically valid IP address if it ever gets to a router.
246
247 Allow both the formal IPv6 form, with IPV6: at the start, and the informal form
248 without it, and accept IPV4: as well, 'cause someone will use it sooner or
249 later. */
250
251 if (*s == '[')
252 {
253 *t++ = *s++;
254
255 if (strncmpic(s, US"IPv6:", 5) == 0 || strncmpic(s, US"IPv4:", 5) == 0)
256 {
257 memcpy(t, s, 5);
258 t += 5;
259 s += 5;
260 }
261 while (*s == '.' || *s == ':' || isxdigit(*s)) *t++ = *s++;
262
263 if (*s == ']') *t++ = *s++; else
264 {
265 *errorptr = US"malformed domain literal";
266 *tt = 0;
267 }
268
269 if (!allow_domain_literals)
270 {
271 *errorptr = US"domain literals not allowed";
272 *tt = 0;
273 }
274 *t = 0;
275 return skip_comment(s);
276 }
277
278 /* Handle a proper domain, which is a sequence of dot-separated atoms. Remove
279 trailing dots if strip_trailing_dot is set. A subdomain is an atom.
280
281 An atom is a sequence of any characters except specials, space, and controls.
282 The specials are ( ) < > @ , ; : \ " . [ and ]. This is the rule for RFC 822
283 and its successor (RFC 2822). However, RFC 821 and its successor (RFC 2821) is
284 tighter, allowing only letters, digits, and hyphens, not starting with a
285 hyphen.
286
287 There used to be a global flag that got set when checking addresses that came
288 in over SMTP and which should therefore should be checked according to the
289 stricter rule. However, it seems silly to make the distinction, because I don't
290 suppose anybody ever uses local domains that are 822-compliant and not
291 821-compliant. Furthermore, Exim now has additional data on the spool file line
292 after an address (after "one_time" processing), and it makes use of a #
293 character to delimit it. When I wrote that code, I forgot about this 822-domain
294 stuff, and assumed # could never appear in a domain.
295
296 So the old code is now cut out for Release 4.11 onwards, on 09-Aug-02. In a few
297 years, when we are sure this isn't actually causing trouble, throw it away.
298
299 March 2003: the story continues: There is a camp that is arguing for the use of
300 UTF-8 in domain names as the way to internationalization, and other MTAs
301 support this. Therefore, we now have a flag that permits the use of characters
302 with values greater than 127, encoded in UTF-8, in subdomains, so that Exim can
303 be used experimentally in this way. */
304
305 for (;;)
306 {
307 uschar *tsave = t;
308
309 /*********************
310 if (rfc821_domains)
311 {
312 if (*s != '-') while (isalnum(*s) || *s == '-') *t++ = *s++;
313 }
314 else
315 while (!mac_iscntrl_or_special(*s)) *t++ = *s++;
316 *********************/
317
318 if (*s != '-')
319 {
320 /* Only letters, digits, and hyphens */
321
322 if (!allow_utf8_domains)
323 {
324 while (isalnum(*s) || *s == '-') *t++ = *s++;
325 }
326
327 /* Permit legal UTF-8 characters to be included */
328
329 else for(;;)
330 {
331 int i, d;
332 if (isalnum(*s) || *s == '-') /* legal ascii characters */
333 {
334 *t++ = *s++;
335 continue;
336 }
337 if ((*s & 0xc0) != 0xc0) break; /* not start of UTF-8 character */
338 d = *s << 2;
339 for (i = 1; i < 6; i++) /* i is the number of additional bytes */
340 {
341 if ((d & 0x80) == 0) break;
342 d <<= 1;
343 }
344 if (i == 6) goto BAD_UTF8; /* invalid UTF-8 */
345 *t++ = *s++; /* leading UTF-8 byte */
346 while (i-- > 0) /* copy and check remainder */
347 {
348 if ((*s & 0xc0) != 0x80)
349 {
350 BAD_UTF8:
351 *errorptr = US"invalid UTF-8 byte sequence";
352 *tt = 0;
353 return s;
354 }
355 *t++ = *s++;
356 }
357 } /* End of loop for UTF-8 character */
358 } /* End of subdomain */
359
360 s = skip_comment(s);
361 *t = 0;
362
363 if (t == tsave) /* empty component */
364 {
365 if (strip_trailing_dot && t > tt && *s != '.') t[-1] = 0; else
366 {
367 *errorptr = US"domain missing or malformed";
368 *tt = 0;
369 }
370 return s;
371 }
372
373 if (*s != '.') break;
374 *t++ = *s++;
375 s = skip_comment(s);
376 }
377
378 return s;
379 }
380
381
382
383 /*************************************************
384 * Read a local-part *
385 *************************************************/
386
387 /* A local-part is a sequence of words, separated by periods. A null word
388 between dots is not strictly allowed but apparently many mailers permit it,
389 so, sigh, better be compatible. Even accept a trailing dot...
390
391 A <word> is either a quoted string, or an <atom>, which is a sequence
392 of any characters except specials, space, and controls. The specials are
393 ( ) < > @ , ; : \ " . [ and ]. In RFC 822, a single quoted character, (a
394 quoted-pair) is not allowed in a word. However, in RFC 821, it is permitted in
395 the local part of an address. Rather than have separate parsing functions for
396 the different cases, take the liberal attitude always. At least one MUA is
397 happy to recognize this case; I don't know how many other programs do.
398
399 Arguments:
400 s current character pointer
401 t where to put the local part
402 error where to point error text
403 allow_null TRUE if an empty local part is not an error
404
405 Returns: new character pointer
406 */
407
408 static uschar *
409 read_local_part(uschar *s, uschar *t, uschar **error, BOOL allow_null)
410 {
411 uschar *tt = t;
412 *error = NULL;
413 for (;;)
414 {
415 int c;
416 uschar *tsave = t;
417 s = skip_comment(s);
418
419 /* Handle a quoted string */
420
421 if (*s == '\"')
422 {
423 *t++ = '\"';
424 while ((c = *++s) && c != '\"')
425 {
426 *t++ = c;
427 if (c == '\\' && s[1]) *t++ = *++s;
428 }
429 if (c == '\"')
430 {
431 s++;
432 *t++ = '\"';
433 }
434 else
435 {
436 *error = US"unmatched doublequote in local part";
437 return s;
438 }
439 }
440
441 /* Handle an atom, but allow quoted pairs within it. */
442
443 else while (!mac_iscntrl_or_special(*s) || *s == '\\')
444 {
445 c = *t++ = *s++;
446 if (c == '\\' && *s) *t++ = *s++;
447 }
448
449 /* Terminate the word and skip subsequent comment */
450
451 *t = 0;
452 s = skip_comment(s);
453
454 /* If we have read a null component at this point, give an error unless it is
455 terminated by a dot - an extension to RFC 822 - or if it is the first
456 component of the local part and an empty local part is permitted, in which
457 case just return normally. */
458
459 if (t == tsave && *s != '.')
460 {
461 if (t == tt && !allow_null)
462 *error = US"missing or malformed local part";
463 return s;
464 }
465
466 /* Anything other than a dot terminates the local part. Treat multiple dots
467 as a single dot, as this seems to be a common extension. */
468
469 if (*s != '.') break;
470 do { *t++ = *s++; } while (*s == '.');
471 }
472
473 return s;
474 }
475
476
477 /*************************************************
478 * Read route part of route-addr *
479 *************************************************/
480
481 /* The pointer is at the initial "@" on entry. Return it following the
482 terminating colon. Exim no longer supports the use of source routes, but it is
483 required to accept the syntax.
484
485 Arguments:
486 s current character pointer
487 t where to put the route
488 errorptr where to put an error message
489
490 Returns: new character pointer
491 */
492
493 static uschar *
494 read_route(uschar *s, uschar *t, uschar **errorptr)
495 {
496 BOOL commas = FALSE;
497 *errorptr = NULL;
498
499 while (*s == '@')
500 {
501 *t++ = '@';
502 s = read_domain(s+1, t, errorptr);
503 if (*t == 0) return s;
504 t += Ustrlen((const uschar *)t);
505 if (*s != ',') break;
506 *t++ = *s++;
507 commas = TRUE;
508 s = skip_comment(s);
509 }
510
511 if (*s == ':') *t++ = *s++;
512
513 /* If there is no colon, and there were no commas, the most likely error
514 is in fact a missing local part in the address rather than a missing colon
515 after the route. */
516
517 else *errorptr = commas?
518 US"colon expected after route list" :
519 US"no local part";
520
521 /* Terminate the route and return */
522
523 *t = 0;
524 return skip_comment(s);
525 }
526
527
528
529 /*************************************************
530 * Read addr-spec *
531 *************************************************/
532
533 /* Addr-spec is local-part@domain. We make the domain optional -
534 the expected terminator for the whole thing is passed to check this.
535 This function is called only when we know we have a route-addr.
536
537 Arguments:
538 s current character pointer
539 t where to put the addr-spec
540 term expected terminator (0 or >)
541 errorptr where to put an error message
542 domainptr set to point to the start of the domain
543
544 Returns: new character pointer
545 */
546
547 static uschar *
548 read_addr_spec(uschar *s, uschar *t, int term, uschar **errorptr,
549 uschar **domainptr)
550 {
551 s = read_local_part(s, t, errorptr, FALSE);
552 if (*errorptr == NULL)
553 if (*s != term)
554 if (*s != '@')
555 *errorptr = string_sprintf("\"@\" or \".\" expected after \"%s\"", t);
556 else
557 {
558 t += Ustrlen((const uschar *)t);
559 *t++ = *s++;
560 *domainptr = t;
561 s = read_domain(s, t, errorptr);
562 }
563 return s;
564 }
565
566
567
568 /*************************************************
569 * Extract operative address *
570 *************************************************/
571
572 /* This function extracts an operative address from a full RFC822 mailbox and
573 returns it in a piece of dynamic store. We take the easy way and get a piece
574 of store the same size as the input, and then copy into it whatever is
575 necessary. If we cannot find a valid address (syntax error), return NULL, and
576 point the error pointer to the reason. The arguments "start" and "end" are used
577 to return the offsets of the first and one past the last characters in the
578 original mailbox of the address that has been extracted, to aid in re-writing.
579 The argument "domain" is set to point to the first character after "@" in the
580 final part of the returned address, or zero if there is no @.
581
582 Exim no longer supports the use of source routed addresses (those of the form
583 @domain,...:route_addr). It recognizes the syntax, but collapses such addresses
584 down to their final components. Formerly, collapse_source_routes had to be set
585 to achieve this effect. RFC 1123 allows collapsing with MAY, while the revision
586 of RFC 821 had increased this to SHOULD, so I've gone for it, because it makes
587 a lot of code elsewhere in Exim much simpler.
588
589 There are some special fudges here for handling RFC 822 group address notation
590 which may appear in certain headers. If the flag parse_allow_group is set
591 TRUE and parse_found_group is FALSE when this function is called, an address
592 which is the start of a group (i.e. preceded by a phrase and a colon) is
593 recognized; the phrase is ignored and the flag parse_found_group is set. If
594 this flag is TRUE at the end of an address, and if an extraneous semicolon is
595 found, it is ignored and the flag is cleared.
596
597 This logic is used only when scanning through addresses in headers, either to
598 fulfil the -t option, or for rewriting, or for checking header syntax. Because
599 the group "state" has to be remembered between multiple calls of this function,
600 the variables parse_{allow,found}_group are global. It is important to ensure
601 that they are reset to FALSE at the end of scanning a header's list of
602 addresses.
603
604 Arguments:
605 mailbox points to the RFC822 mailbox
606 errorptr where to point an error message
607 start set to start offset in mailbox
608 end set to end offset in mailbox
609 domain set to domain offset in result, or 0 if no domain present
610 allow_null allow <> if TRUE
611
612 Returns: points to the extracted address, or NULL on error
613 */
614
615 #define FAILED(s) { *errorptr = s; goto PARSE_FAILED; }
616
617 uschar *
618 parse_extract_address(uschar *mailbox, uschar **errorptr, int *start, int *end,
619 int *domain, BOOL allow_null)
620 {
621 uschar *yield = store_get(Ustrlen(mailbox) + 1, is_tainted(mailbox));
622 uschar *startptr, *endptr;
623 uschar *s = US mailbox;
624 uschar *t = US yield;
625
626 *domain = 0;
627
628 /* At the start of the string we expect either an addr-spec or a phrase
629 preceding a <route-addr>. If groups are allowed, we might also find a phrase
630 preceding a colon and an address. If we find an initial word followed by
631 a dot, strict interpretation of the RFC would cause it to be taken
632 as the start of an addr-spec. However, many mailers break the rules
633 and use addresses of the form "a.n.other <ano@somewhere>" and so we
634 allow this case. */
635
636 RESTART: /* Come back here after passing a group name */
637
638 s = skip_comment(s);
639 startptr = s; /* In case addr-spec */
640 s = read_local_part(s, t, errorptr, TRUE); /* Dot separated words */
641 if (*errorptr) goto PARSE_FAILED;
642
643 /* If the terminator is neither < nor @ then the format of the address
644 must either be a bare local-part (we are now at the end), or a phrase
645 followed by a route-addr (more words must follow). */
646
647 if (*s != '@' && *s != '<')
648 {
649 if (*s == 0 || *s == ';')
650 {
651 if (*t == 0) FAILED(US"empty address");
652 endptr = last_comment_position;
653 goto PARSE_SUCCEEDED; /* Bare local part */
654 }
655
656 /* Expect phrase route-addr, or phrase : if groups permitted, but allow
657 dots in the phrase; complete the loop only when '<' or ':' is encountered -
658 end of string will produce a null local_part and therefore fail. We don't
659 need to keep updating t, as the phrase isn't to be kept. */
660
661 while (*s != '<' && (!f.parse_allow_group || *s != ':'))
662 {
663 s = read_local_part(s, t, errorptr, FALSE);
664 if (*errorptr)
665 {
666 *errorptr = string_sprintf("%s (expected word or \"<\")", *errorptr);
667 goto PARSE_FAILED;
668 }
669 }
670
671 if (*s == ':')
672 {
673 f.parse_found_group = TRUE;
674 f.parse_allow_group = FALSE;
675 s++;
676 goto RESTART;
677 }
678
679 /* Assert *s == '<' */
680 }
681
682 /* At this point the next character is either '@' or '<'. If it is '@', only a
683 single local-part has previously been read. An angle bracket signifies the
684 start of an <addr-spec>. Throw away anything we have saved so far before
685 processing it. Note that this is "if" rather than "else if" because it's also
686 used after reading a preceding phrase.
687
688 There are a lot of broken sendmails out there that put additional pairs of <>
689 round <route-addr>s. If strip_excess_angle_brackets is set, allow a limited
690 number of them, as long as they match. */
691
692 if (*s == '<')
693 {
694 uschar *domainptr = yield;
695 BOOL source_routed = FALSE;
696 int bracket_count = 1;
697
698 s++;
699 if (strip_excess_angle_brackets) while (*s == '<')
700 {
701 if(bracket_count++ > 5) FAILED(US"angle-brackets nested too deep");
702 s++;
703 }
704
705 t = yield;
706 startptr = s;
707 s = skip_comment(s);
708
709 /* Read an optional series of routes, each of which is a domain. They
710 are separated by commas and terminated by a colon. However, we totally ignore
711 such routes (RFC 1123 says we MAY, and the revision of RFC 821 says we
712 SHOULD). */
713
714 if (*s == '@')
715 {
716 s = read_route(s, t, errorptr);
717 if (*errorptr) goto PARSE_FAILED;
718 *t = 0; /* Ensure route is ignored - probably overkill */
719 source_routed = TRUE;
720 }
721
722 /* Now an addr-spec, terminated by '>'. If there is no preceding route,
723 we must allow an empty addr-spec if allow_null is TRUE, to permit the
724 address "<>" in some circumstances. A source-routed address MUST have
725 a domain in the final part. */
726
727 if (allow_null && !source_routed && *s == '>')
728 {
729 *t = 0;
730 *errorptr = NULL;
731 }
732 else
733 {
734 s = read_addr_spec(s, t, '>', errorptr, &domainptr);
735 if (*errorptr) goto PARSE_FAILED;
736 *domain = domainptr - yield;
737 if (source_routed && *domain == 0)
738 FAILED(US"domain missing in source-routed address");
739 }
740
741 endptr = s;
742 if (*errorptr != NULL) goto PARSE_FAILED;
743 while (bracket_count-- > 0) if (*s++ != '>')
744 {
745 *errorptr = s[-1] == 0
746 ? US"'>' missing at end of address"
747 : string_sprintf("malformed address: %.32s may not follow %.*s",
748 s-1, (int)(s - US mailbox - 1), mailbox);
749 goto PARSE_FAILED;
750 }
751
752 s = skip_comment(s);
753 }
754
755 /* Hitting '@' after the first local-part means we have definitely got an
756 addr-spec, on a strict reading of the RFC, and the rest of the string
757 should be the domain. However, for flexibility we allow for a route-address
758 not enclosed in <> as well, which is indicated by an empty first local
759 part preceding '@'. The source routing is, however, ignored. */
760
761 else if (*t == 0)
762 {
763 uschar *domainptr = yield;
764 s = read_route(s, t, errorptr);
765 if (*errorptr != NULL) goto PARSE_FAILED;
766 *t = 0; /* Ensure route is ignored - probably overkill */
767 s = read_addr_spec(s, t, 0, errorptr, &domainptr);
768 if (*errorptr != NULL) goto PARSE_FAILED;
769 *domain = domainptr - yield;
770 endptr = last_comment_position;
771 if (*domain == 0) FAILED(US"domain missing in source-routed address");
772 }
773
774 /* This is the strict case of local-part@domain. */
775
776 else
777 {
778 t += Ustrlen((const uschar *)t);
779 *t++ = *s++;
780 *domain = t - yield;
781 s = read_domain(s, t, errorptr);
782 if (*t == 0) goto PARSE_FAILED;
783 endptr = last_comment_position;
784 }
785
786 /* Use goto to get here from the bare local part case. Arrive by falling
787 through for other cases. Endptr may have been moved over whitespace, so
788 move it back past white space if necessary. */
789
790 PARSE_SUCCEEDED:
791 if (*s != 0)
792 {
793 if (f.parse_found_group && *s == ';')
794 {
795 f.parse_found_group = FALSE;
796 f.parse_allow_group = TRUE;
797 }
798 else
799 {
800 *errorptr = string_sprintf("malformed address: %.32s may not follow %.*s",
801 s, (int)(s - US mailbox), mailbox);
802 goto PARSE_FAILED;
803 }
804 }
805 *start = startptr - US mailbox; /* Return offsets */
806 while (isspace(endptr[-1])) endptr--;
807 *end = endptr - US mailbox;
808
809 /* Although this code has no limitation on the length of address extracted,
810 other parts of Exim may have limits, and in any case, RFC 2821 limits local
811 parts to 64 and domains to 255, so we do a check here, giving an error if the
812 address is ridiculously long. */
813
814 if (*end - *start > ADDRESS_MAXLENGTH)
815 {
816 *errorptr = string_sprintf("address is ridiculously long: %.64s...", yield);
817 return NULL;
818 }
819
820 return yield;
821
822 /* Use goto (via the macro FAILED) to get to here from a variety of places.
823 We might have an empty address in a group - the caller can choose to ignore
824 this. We must, however, keep the flags correct. */
825
826 PARSE_FAILED:
827 if (f.parse_found_group && *s == ';')
828 {
829 f.parse_found_group = FALSE;
830 f.parse_allow_group = TRUE;
831 }
832 return NULL;
833 }
834
835 #undef FAILED
836
837
838
839 /*************************************************
840 * Quote according to RFC 2047 *
841 *************************************************/
842
843 /* This function is used for quoting text in headers according to RFC 2047.
844 If the only characters that strictly need quoting are spaces, we return the
845 original string, unmodified. If a quoted string is too long for the buffer, it
846 is truncated. (This shouldn't happen: this is normally handling short strings.)
847
848 Hmmph. As always, things get perverted for other uses. This function was
849 originally for the "phrase" part of addresses. Now it is being used for much
850 longer texts in ACLs and via the ${rfc2047: expansion item. This means we have
851 to check for overlong "encoded-word"s and split them. November 2004.
852
853 Arguments:
854 string the string to quote - already checked to contain non-printing
855 chars
856 len the length of the string
857 charset the name of the character set; NULL => iso-8859-1
858 buffer the buffer to put the answer in
859 buffer_size the size of the buffer
860 fold if TRUE, a newline is inserted before the separating space when
861 more than one encoded-word is generated
862
863 Returns: pointer to the original string, if no quoting needed, or
864 pointer to buffer containing the quoted string, or
865 a pointer to "String too long" if the buffer can't even hold
866 the introduction
867 */
868
869 const uschar *
870 parse_quote_2047(const uschar *string, int len, uschar *charset, uschar *buffer,
871 int buffer_size, BOOL fold)
872 {
873 const uschar *s = string;
874 uschar *p, *t;
875 int hlen;
876 BOOL coded = FALSE;
877 BOOL first_byte = FALSE;
878
879 if (!charset) charset = US"iso-8859-1";
880
881 /* We don't expect this to fail! */
882
883 if (!string_format(buffer, buffer_size, "=?%s?Q?", charset))
884 return US"String too long";
885
886 hlen = Ustrlen(buffer);
887 t = buffer + hlen;
888 p = buffer;
889
890 for (; len > 0; len--)
891 {
892 int ch = *s++;
893 if (t > buffer + buffer_size - hlen - 8) break;
894
895 if ((t - p > 67) && !first_byte)
896 {
897 *t++ = '?';
898 *t++ = '=';
899 if (fold) *t++ = '\n';
900 *t++ = ' ';
901 p = t;
902 Ustrncpy(p, buffer, hlen);
903 t += hlen;
904 }
905
906 if (ch < 33 || ch > 126 ||
907 Ustrchr("?=()<>@,;:\\\".[]_", ch) != NULL)
908 {
909 if (ch == ' ')
910 {
911 *t++ = '_';
912 first_byte = FALSE;
913 }
914 else
915 {
916 t += sprintf(CS t, "=%02X", ch);
917 coded = TRUE;
918 first_byte = !first_byte;
919 }
920 }
921 else { *t++ = ch; first_byte = FALSE; }
922 }
923
924 *t++ = '?';
925 *t++ = '=';
926 *t = 0;
927
928 return coded ? buffer : string;
929 }
930
931
932
933
934 /*************************************************
935 * Fix up an RFC 822 "phrase" *
936 *************************************************/
937
938 /* This function is called to repair any syntactic defects in the "phrase" part
939 of an RFC822 address. In particular, it is applied to the user's name as read
940 from the passwd file when accepting a local message, and to the data from the
941 -F option.
942
943 If the string contains existing quoted strings or comments containing
944 freestanding quotes, then we just quote those bits that need quoting -
945 otherwise it would get awfully messy and probably not look good. If not, we
946 quote the whole thing if necessary. Thus
947
948 John Q. Smith => "John Q. Smith"
949 John "Jack" Smith => John "Jack" Smith
950 John "Jack" Q. Smith => John "Jack" "Q." Smith
951 John (Jack) Q. Smith => "John (Jack) Q. Smith"
952 John ("Jack") Q. Smith => John ("Jack") "Q." Smith
953 but
954 John (\"Jack\") Q. Smith => "John (\"Jack\") Q. Smith"
955
956 Sheesh! This is tedious code. It is a great pity that the syntax of RFC822 is
957 the way it is...
958
959 August 2000: Additional code added:
960
961 Previously, non-printing characters were turned into question marks, which do
962 not need to be quoted.
963
964 Now, a different tactic is used if there are any non-printing ASCII
965 characters. The encoding method from RFC 2047 is used, assuming iso-8859-1 as
966 the character set.
967
968 We *could* use this for all cases, getting rid of the messy original code,
969 but leave it for now. It would complicate simple cases like "John Q. Smith".
970
971 The result is passed back in the buffer; it is usually going to be added to
972 some other string. In order to be sure there is going to be no overflow,
973 restrict the length of the input to 1/4 of the buffer size - this allows for
974 every single character to be quoted or encoded without overflowing, and that
975 wouldn't happen because of amalgamation. If the phrase is too long, return a
976 fixed string.
977
978 Arguments:
979 phrase an RFC822 phrase
980 len the length of the phrase
981 buffer a buffer to put the result in
982 buffer_size the size of the buffer
983
984 Returns: the fixed RFC822 phrase
985 */
986
987 const uschar *
988 parse_fix_phrase(const uschar *phrase, int len, uschar *buffer, int buffer_size)
989 {
990 int ch, i;
991 BOOL quoted = FALSE;
992 const uschar *s, *end;
993 uschar *t, *yield;
994
995 while (len > 0 && isspace(*phrase)) { phrase++; len--; }
996 if (len > buffer_size/4) return US"Name too long";
997
998 /* See if there are any non-printing characters, and if so, use the RFC 2047
999 encoding for the whole thing. */
1000
1001 for (i = 0, s = phrase; i < len; i++, s++)
1002 if ((*s < 32 && *s != '\t') || *s > 126) break;
1003
1004 if (i < len) return parse_quote_2047(phrase, len, headers_charset, buffer,
1005 buffer_size, FALSE);
1006
1007 /* No non-printers; use the RFC 822 quoting rules */
1008
1009 s = phrase;
1010 end = s + len;
1011 yield = t = buffer + 1;
1012
1013 while (s < end)
1014 {
1015 ch = *s++;
1016
1017 /* Copy over quoted strings, remembering we encountered one */
1018
1019 if (ch == '\"')
1020 {
1021 *t++ = '\"';
1022 while (s < end && (ch = *s++) != '\"')
1023 {
1024 *t++ = ch;
1025 if (ch == '\\' && s < end) *t++ = *s++;
1026 }
1027 *t++ = '\"';
1028 if (s >= end) break;
1029 quoted = TRUE;
1030 }
1031
1032 /* Copy over comments, noting if they contain freestanding quote
1033 characters */
1034
1035 else if (ch == '(')
1036 {
1037 int level = 1;
1038 *t++ = '(';
1039 while (s < end)
1040 {
1041 ch = *s++;
1042 *t++ = ch;
1043 if (ch == '(') level++;
1044 else if (ch == ')') { if (--level <= 0) break; }
1045 else if (ch == '\\' && s < end) *t++ = *s++ & 127;
1046 else if (ch == '\"') quoted = TRUE;
1047 }
1048 if (ch == 0)
1049 {
1050 while (level--) *t++ = ')';
1051 break;
1052 }
1053 }
1054
1055 /* Handle special characters that need to be quoted */
1056
1057 else if (Ustrchr(")<>@,;:\\.[]", ch) != NULL)
1058 {
1059 /* If hit previous quotes just make one quoted "word" */
1060
1061 if (quoted)
1062 {
1063 uschar *tt = t++;
1064 while (*(--tt) != ' ' && *tt != '\"' && *tt != ')') tt[1] = *tt;
1065 tt[1] = '\"';
1066 *t++ = ch;
1067 while (s < end)
1068 {
1069 ch = *s++;
1070 if (ch == ' ' || ch == '\"') { s--; break; } else *t++ = ch;
1071 }
1072 *t++ = '\"';
1073 }
1074
1075 /* Else quote the whole string so far, and the rest up to any following
1076 quotes. We must treat anything following a backslash as a literal. */
1077
1078 else
1079 {
1080 BOOL escaped = (ch == '\\');
1081 *(--yield) = '\"';
1082 *t++ = ch;
1083
1084 /* Now look for the end or a quote */
1085
1086 while (s < end)
1087 {
1088 ch = *s++;
1089
1090 /* Handle escaped pairs */
1091
1092 if (escaped)
1093 {
1094 *t++ = ch;
1095 escaped = FALSE;
1096 }
1097
1098 else if (ch == '\\')
1099 {
1100 *t++ = ch;
1101 escaped = TRUE;
1102 }
1103
1104 /* If hit subsequent quotes, insert our quote before any trailing
1105 spaces and back up to re-handle the quote in the outer loop. */
1106
1107 else if (ch == '\"')
1108 {
1109 int count = 0;
1110 while (t[-1] == ' ') { t--; count++; }
1111 *t++ = '\"';
1112 while (count-- > 0) *t++ = ' ';
1113 s--;
1114 break;
1115 }
1116
1117 /* If hit a subsequent comment, check it for unescaped quotes,
1118 and if so, end our quote before it. */
1119
1120 else if (ch == '(')
1121 {
1122 const uschar *ss = s; /* uschar after '(' */
1123 int level = 1;
1124 while(ss < end)
1125 {
1126 ch = *ss++;
1127 if (ch == '(') level++;
1128 else if (ch == ')') { if (--level <= 0) break; }
1129 else if (ch == '\\' && ss+1 < end) ss++;
1130 else if (ch == '\"') { quoted = TRUE; break; }
1131 }
1132
1133 /* Comment contains unescaped quotes; end our quote before
1134 the start of the comment. */
1135
1136 if (quoted)
1137 {
1138 int count = 0;
1139 while (t[-1] == ' ') { t--; count++; }
1140 *t++ = '\"';
1141 while (count-- > 0) *t++ = ' ';
1142 break;
1143 }
1144
1145 /* Comment does not contain unescaped quotes; include it in
1146 our quote. */
1147
1148 else
1149 {
1150 if (ss >= end) ss--;
1151 *t++ = '(';
1152 Ustrncpy(t, s, ss-s);
1153 t += ss-s;
1154 s = ss;
1155 }
1156 }
1157
1158 /* Not a comment or quote; include this character in our quotes. */
1159
1160 else *t++ = ch;
1161 }
1162 }
1163
1164 /* Add a final quote if we hit the end of the string. */
1165
1166 if (s >= end) *t++ = '\"';
1167 }
1168
1169 /* Non-special character; just copy it over */
1170
1171 else *t++ = ch;
1172 }
1173
1174 *t = 0;
1175 return yield;
1176 }
1177
1178
1179 /*************************************************
1180 * Extract addresses from a list *
1181 *************************************************/
1182
1183 /* This function is called by the redirect router to scan a string containing a
1184 list of addresses separated by commas (with optional white space) or by
1185 newlines, and to generate a chain of address items from them. In other words,
1186 to unpick data from an alias or .forward file.
1187
1188 The SunOS5 documentation for alias files is not very clear on the syntax; it
1189 does not say that either a comma or a newline can be used for separation.
1190 However, that is the way Smail does it, so we follow suit.
1191
1192 If a # character is encountered in a white space position, then characters from
1193 there to the next newline are skipped.
1194
1195 If an unqualified address begins with '\', just skip that character. This gives
1196 compatibility with Sendmail's use of \ to prevent looping. Exim has its own
1197 loop prevention scheme which handles other cases too - see the code in
1198 route_address().
1199
1200 An "address" can be a specification of a file or a pipe; the latter may often
1201 need to be quoted because it may contain spaces, but we don't want to retain
1202 the quotes. Quotes may appear in normal addresses too, and should be retained.
1203 We can distinguish between these cases, because in addresses, quotes are used
1204 only for parts of the address, not the whole thing. Therefore, we remove quotes
1205 from items when they entirely enclose them, but not otherwise.
1206
1207 An "address" can also be of the form :include:pathname to include a list of
1208 addresses contained in the specified file.
1209
1210 Any unqualified addresses are qualified with and rewritten if necessary, via
1211 the rewrite_address() function.
1212
1213 Arguments:
1214 s the list of addresses (typically a complete
1215 .forward file or a list of entries in an alias file)
1216 options option bits for permitting or denying various special cases;
1217 not all bits are relevant here - some are for filter
1218 files; those we use here are:
1219 RDO_DEFER
1220 RDO_FREEZE
1221 RDO_FAIL
1222 RDO_BLACKHOLE
1223 RDO_REWRITE
1224 RDO_INCLUDE
1225 anchor where to hang the chain of newly-created addresses. This
1226 should be initialized to NULL.
1227 error where to return an error text
1228 incoming domain domain of the incoming address; used to qualify unqualified
1229 local parts preceded by \
1230 directory if NULL, no checks are done on :include: files
1231 otherwise, included file names must start with the given
1232 directory
1233 syntax_errors if not NULL, it carries on after syntax errors in addresses,
1234 building up a list of errors as error blocks chained on
1235 here.
1236
1237 Returns: FF_DELIVERED addresses extracted
1238 FF_NOTDELIVERED no addresses extracted, but no errors
1239 FF_BLACKHOLE :blackhole:
1240 FF_DEFER :defer:
1241 FF_FAIL :fail:
1242 FF_INCLUDEFAIL some problem with :include:; *error set
1243 FF_ERROR other problems; *error is set
1244 */
1245
1246 int
1247 parse_forward_list(uschar *s, int options, address_item **anchor,
1248 uschar **error, const uschar *incoming_domain, uschar *directory,
1249 error_block **syntax_errors)
1250 {
1251 int count = 0;
1252
1253 DEBUG(D_route) debug_printf("parse_forward_list: %s\n", s);
1254
1255 for (;;)
1256 {
1257 int len;
1258 int special = 0;
1259 int specopt = 0;
1260 int specbit = 0;
1261 uschar *ss, *nexts;
1262 address_item *addr;
1263 BOOL inquote = FALSE;
1264
1265 for (;;)
1266 {
1267 while (isspace(*s) || *s == ',') s++;
1268 if (*s == '#') { while (*s != 0 && *s != '\n') s++; } else break;
1269 }
1270
1271 /* When we reach the end of the list, we return FF_DELIVERED if any child
1272 addresses have been generated. If nothing has been generated, there are two
1273 possibilities: either the list is really empty, or there were syntax errors
1274 that are being skipped. (If syntax errors are not being skipped, an FF_ERROR
1275 return is generated on hitting a syntax error and we don't get here.) For a
1276 truly empty list we return FF_NOTDELIVERED so that the router can decline.
1277 However, if the list is empty only because syntax errors were skipped, we
1278 return FF_DELIVERED. */
1279
1280 if (!*s)
1281 {
1282 return (count > 0 || (syntax_errors && *syntax_errors))
1283 ? FF_DELIVERED : FF_NOTDELIVERED;
1284
1285 /* This previous code returns FF_ERROR if nothing is generated but a
1286 syntax error has been skipped. I now think it is the wrong approach, but
1287 have left this here just in case, and for the record. */
1288
1289 #ifdef NEVER
1290 if (count > 0) return FF_DELIVERED; /* Something was generated */
1291
1292 if (syntax_errors == NULL || /* Not skipping syntax errors, or */
1293 *syntax_errors == NULL) /* we didn't actually skip any */
1294 return FF_NOTDELIVERED;
1295
1296 *error = string_sprintf("no addresses generated: syntax error in %s: %s",
1297 (*syntax_errors)->text2, (*syntax_errors)->text1);
1298 return FF_ERROR;
1299 #endif
1300
1301 }
1302
1303 /* Find the end of the next address. Quoted strings in addresses may contain
1304 escaped characters; I haven't found a proper specification of .forward or
1305 alias files that mentions the quoting properties, but it seems right to do
1306 the escaping thing in all cases, so use the function that finds the end of an
1307 address. However, don't let a quoted string extend over the end of a line. */
1308
1309 ss = parse_find_address_end(s, TRUE);
1310
1311 /* Remember where we finished, for starting the next one. */
1312
1313 nexts = ss;
1314
1315 /* Remove any trailing spaces; we know there's at least one non-space. */
1316
1317 while (isspace((ss[-1]))) ss--;
1318
1319 /* We now have s->start and ss->end of the next address. Remove quotes
1320 if they completely enclose, remembering the address started with a quote
1321 for handling pipes and files. Another round of removal of leading and
1322 trailing spaces is then required. */
1323
1324 if (*s == '\"' && ss[-1] == '\"')
1325 {
1326 s++;
1327 ss--;
1328 inquote = TRUE;
1329 while (s < ss && isspace(*s)) s++;
1330 while (ss > s && isspace((ss[-1]))) ss--;
1331 }
1332
1333 /* Set up the length of the address. */
1334
1335 len = ss - s;
1336
1337 DEBUG(D_route)
1338 {
1339 int save = s[len];
1340 s[len] = 0;
1341 debug_printf("extract item: %s\n", s);
1342 s[len] = save;
1343 }
1344
1345 /* Handle special addresses if permitted. If the address is :unknown:
1346 ignore it - this is for backward compatibility with old alias files. You
1347 don't need to use it nowadays - just generate an empty string. For :defer:,
1348 :blackhole:, or :fail: we have to set up the error message and give up right
1349 away. */
1350
1351 if (Ustrncmp(s, ":unknown:", len) == 0)
1352 {
1353 s = nexts;
1354 continue;
1355 }
1356
1357 if (Ustrncmp(s, ":defer:", 7) == 0)
1358 { special = FF_DEFER; specopt = RDO_DEFER; } /* specbit is 0 */
1359 else if (Ustrncmp(s, ":blackhole:", 11) == 0)
1360 { special = FF_BLACKHOLE; specopt = specbit = RDO_BLACKHOLE; }
1361 else if (Ustrncmp(s, ":fail:", 6) == 0)
1362 { special = FF_FAIL; specopt = RDO_FAIL; } /* specbit is 0 */
1363
1364 if (special != 0)
1365 {
1366 uschar *ss = Ustrchr(s+1, ':') + 1;
1367 if ((options & specopt) == specbit)
1368 {
1369 *error = string_sprintf("\"%.*s\" is not permitted", len, s);
1370 return FF_ERROR;
1371 }
1372 while (*ss != 0 && isspace(*ss)) ss++;
1373 while (s[len] != 0 && s[len] != '\n') len++;
1374 s[len] = 0;
1375 *error = string_copy(ss);
1376 return special;
1377 }
1378
1379 /* If the address is of the form :include:pathname, read the file, and call
1380 this function recursively to extract the addresses from it. If directory is
1381 NULL, do no checks. Otherwise, insist that the file name starts with the
1382 given directory and is a regular file. */
1383
1384 if (Ustrncmp(s, ":include:", 9) == 0)
1385 {
1386 uschar *filebuf;
1387 uschar filename[256];
1388 uschar *t = s+9;
1389 int flen = len - 9;
1390 int frc;
1391 struct stat statbuf;
1392 address_item *last;
1393 FILE *f;
1394
1395 while (flen > 0 && isspace(*t)) { t++; flen--; }
1396
1397 if (flen <= 0)
1398 {
1399 *error = US"file name missing after :include:";
1400 return FF_ERROR;
1401 }
1402
1403 if (flen > 255)
1404 {
1405 *error = string_sprintf("included file name \"%s\" is too long", t);
1406 return FF_ERROR;
1407 }
1408
1409 Ustrncpy(filename, t, flen);
1410 filename[flen] = 0;
1411
1412 /* Insist on absolute path */
1413
1414 if (filename[0] != '/')
1415 {
1416 *error = string_sprintf("included file \"%s\" is not an absolute path",
1417 filename);
1418 return FF_ERROR;
1419 }
1420
1421 /* Check if include is permitted */
1422
1423 if (options & RDO_INCLUDE)
1424 {
1425 *error = US"included files not permitted";
1426 return FF_ERROR;
1427 }
1428
1429 if (is_tainted(filename))
1430 {
1431 *error = string_sprintf("Tainted name '%s' for included file not permitted\n",
1432 filename);
1433 return FF_ERROR;
1434 }
1435
1436 /* Check file name if required */
1437
1438 if (directory)
1439 {
1440 int len = Ustrlen(directory);
1441 uschar *p = filename + len;
1442
1443 if (Ustrncmp(filename, directory, len) != 0 || *p != '/')
1444 {
1445 *error = string_sprintf("included file %s is not in directory %s",
1446 filename, directory);
1447 return FF_ERROR;
1448 }
1449
1450 #ifdef EXIM_HAVE_OPENAT
1451 /* It is necessary to check that every component inside the directory
1452 is NOT a symbolic link, in order to keep the file inside the directory.
1453 This is mighty tedious. We open the directory and openat every component,
1454 with a flag that fails symlinks. */
1455
1456 {
1457 int fd = exim_open2(CS directory, O_RDONLY);
1458 if (fd < 0)
1459 {
1460 *error = string_sprintf("failed to open directory %s", directory);
1461 return FF_ERROR;
1462 }
1463 while (*p)
1464 {
1465 uschar temp;
1466 int fd2;
1467 uschar * q = p;
1468
1469 while (*++p && *p != '/') ;
1470 temp = *p;
1471 *p = '\0';
1472
1473 fd2 = exim_openat(fd, CS q, O_RDONLY|O_NOFOLLOW);
1474 close(fd);
1475 *p = temp;
1476 if (fd2 < 0)
1477 {
1478 *error = string_sprintf("failed to open %s (component of included "
1479 "file); could be symbolic link", filename);
1480 return FF_ERROR;
1481 }
1482 fd = fd2;
1483 }
1484 f = fdopen(fd, "rb");
1485 }
1486 #else
1487 /* It is necessary to check that every component inside the directory
1488 is NOT a symbolic link, in order to keep the file inside the directory.
1489 This is mighty tedious. It is also not totally foolproof in that it
1490 leaves the possibility of a race attack, but I don't know how to do
1491 any better. */
1492
1493 while (*p)
1494 {
1495 int temp;
1496 while (*++p && *p != '/');
1497 temp = *p;
1498 *p = 0;
1499 if (Ulstat(filename, &statbuf) != 0)
1500 {
1501 *error = string_sprintf("failed to stat %s (component of included "
1502 "file)", filename);
1503 *p = temp;
1504 return FF_ERROR;
1505 }
1506
1507 *p = temp;
1508
1509 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1510 {
1511 *error = string_sprintf("included file %s in the %s directory "
1512 "involves a symbolic link", filename, directory);
1513 return FF_ERROR;
1514 }
1515 }
1516 #endif
1517 }
1518
1519 #ifdef EXIM_HAVE_OPENAT
1520 else
1521 #endif
1522 /* Open and stat the file */
1523 f = Ufopen(filename, "rb");
1524
1525 if (!f)
1526 {
1527 *error = string_open_failed(errno, "included file %s", filename);
1528 return FF_INCLUDEFAIL;
1529 }
1530
1531 if (fstat(fileno(f), &statbuf) != 0)
1532 {
1533 *error = string_sprintf("failed to stat included file %s: %s",
1534 filename, strerror(errno));
1535 (void)fclose(f);
1536 return FF_INCLUDEFAIL;
1537 }
1538
1539 /* If directory was checked, double check that we opened a regular file */
1540
1541 if (directory && (statbuf.st_mode & S_IFMT) != S_IFREG)
1542 {
1543 *error = string_sprintf("included file %s is not a regular file in "
1544 "the %s directory", filename, directory);
1545 return FF_ERROR;
1546 }
1547
1548 /* Get a buffer and read the contents */
1549
1550 if (statbuf.st_size > MAX_INCLUDE_SIZE)
1551 {
1552 *error = string_sprintf("included file %s is too big (max %d)",
1553 filename, MAX_INCLUDE_SIZE);
1554 return FF_ERROR;
1555 }
1556
1557 filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
1558 if (fread(filebuf, 1, statbuf.st_size, f) != statbuf.st_size)
1559 {
1560 *error = string_sprintf("error while reading included file %s: %s",
1561 filename, strerror(errno));
1562 (void)fclose(f);
1563 return FF_ERROR;
1564 }
1565 filebuf[statbuf.st_size] = 0;
1566 (void)fclose(f);
1567
1568 addr = NULL;
1569 frc = parse_forward_list(filebuf, options, &addr,
1570 error, incoming_domain, directory, syntax_errors);
1571 if (frc != FF_DELIVERED && frc != FF_NOTDELIVERED) return frc;
1572
1573 if (addr)
1574 {
1575 for (last = addr; last->next; last = last->next) count++;
1576 last->next = *anchor;
1577 *anchor = addr;
1578 count++;
1579 }
1580 }
1581
1582 /* Else (not :include:) ensure address is syntactically correct and fully
1583 qualified if not a pipe or a file, removing a leading \ if present on an
1584 unqualified address. For pipes and files we must handle quoting. It's
1585 not quite clear exactly what to do for partially quoted things, but the
1586 common case of having the whole thing in quotes is straightforward. If this
1587 was the case, inquote will have been set TRUE above and the quotes removed.
1588
1589 There is a possible ambiguity over addresses whose local parts start with
1590 a vertical bar or a slash, and the latter do in fact occur, thanks to X.400.
1591 Consider a .forward file that contains the line
1592
1593 /X=xxx/Y=xxx/OU=xxx/@some.gate.way
1594
1595 Is this a file or an X.400 address? Does it make any difference if it is in
1596 quotes? On the grounds that file names of this type are rare, Exim treats
1597 something that parses as an RFC 822 address and has a domain as an address
1598 rather than a file or a pipe. This is also how an address such as the above
1599 would be treated if it came in from outside. */
1600
1601 else
1602 {
1603 int start, end, domain;
1604 uschar *recipient = NULL;
1605 int save = s[len];
1606 s[len] = 0;
1607
1608 /* If it starts with \ and the rest of it parses as a valid mail address
1609 without a domain, carry on with that address, but qualify it with the
1610 incoming domain. Otherwise arrange for the address to fall through,
1611 causing an error message on the re-parse. */
1612
1613 if (*s == '\\')
1614 {
1615 recipient =
1616 parse_extract_address(s+1, error, &start, &end, &domain, FALSE);
1617 if (recipient != NULL)
1618 recipient = (domain != 0)? NULL :
1619 string_sprintf("%s@%s", recipient, incoming_domain);
1620 }
1621
1622 /* Try parsing the item as an address. */
1623
1624 if (recipient == NULL) recipient =
1625 parse_extract_address(s, error, &start, &end, &domain, FALSE);
1626
1627 /* If item starts with / or | and is not a valid address, or there
1628 is no domain, treat it as a file or pipe. If it was a quoted item,
1629 remove the quoting occurrences of \ within it. */
1630
1631 if ((*s == '|' || *s == '/') && (recipient == NULL || domain == 0))
1632 {
1633 uschar *t = store_get(Ustrlen(s) + 1, is_tainted(s));
1634 uschar *p = t;
1635 uschar *q = s;
1636 while (*q != 0)
1637 {
1638 if (inquote)
1639 {
1640 *p++ = (*q == '\\')? *(++q) : *q;
1641 q++;
1642 }
1643 else *p++ = *q++;
1644 }
1645 *p = 0;
1646 addr = deliver_make_addr(t, TRUE);
1647 setflag(addr, af_pfr); /* indicates pipe/file/reply */
1648 if (*s != '|') setflag(addr, af_file); /* indicates file */
1649 }
1650
1651 /* Item must be an address. Complain if not, else qualify, rewrite and set
1652 up the control block. It appears that people are in the habit of using
1653 empty addresses but with comments as a way of putting comments into
1654 alias and forward files. Therefore, ignore the error "empty address".
1655 Mailing lists might want to tolerate syntax errors; there is therefore
1656 an option to do so. */
1657
1658 else
1659 {
1660 if (recipient == NULL)
1661 {
1662 if (Ustrcmp(*error, "empty address") == 0)
1663 {
1664 *error = NULL;
1665 s[len] = save;
1666 s = nexts;
1667 continue;
1668 }
1669
1670 if (syntax_errors != NULL)
1671 {
1672 error_block *e = store_get(sizeof(error_block), FALSE);
1673 error_block *last = *syntax_errors;
1674 if (last == NULL) *syntax_errors = e; else
1675 {
1676 while (last->next != NULL) last = last->next;
1677 last->next = e;
1678 }
1679 e->next = NULL;
1680 e->text1 = *error;
1681 e->text2 = string_copy(s);
1682 s[len] = save;
1683 s = nexts;
1684 continue;
1685 }
1686 else
1687 {
1688 *error = string_sprintf("%s in \"%s\"", *error, s);
1689 s[len] = save; /* _after_ using it for *error */
1690 return FF_ERROR;
1691 }
1692 }
1693
1694 /* Address was successfully parsed. Rewrite, and then make an address
1695 block. */
1696
1697 recipient = ((options & RDO_REWRITE) != 0)?
1698 rewrite_address(recipient, TRUE, FALSE, global_rewrite_rules,
1699 rewrite_existflags) :
1700 rewrite_address_qualify(recipient, TRUE);
1701 addr = deliver_make_addr(recipient, TRUE); /* TRUE => copy recipient */
1702 }
1703
1704 /* Restore the final character in the original data, and add to the
1705 output chain. */
1706
1707 s[len] = save;
1708 addr->next = *anchor;
1709 *anchor = addr;
1710 count++;
1711 }
1712
1713 /* Advance pointer for the next address */
1714
1715 s = nexts;
1716 }
1717 }
1718
1719
1720 /*************************************************
1721 * Extract a Message-ID *
1722 *************************************************/
1723
1724 /* This function is used to extract message ids from In-Reply-To: and
1725 References: header lines.
1726
1727 Arguments:
1728 str pointer to the start of the message-id
1729 yield put pointer to the message id (in dynamic memory) here
1730 error put error message here on failure
1731
1732 Returns: points after the processed message-id or NULL on error
1733 */
1734
1735 uschar *
1736 parse_message_id(uschar *str, uschar **yield, uschar **error)
1737 {
1738 uschar *domain = NULL;
1739 uschar *id;
1740 rmark reset_point;
1741
1742 str = skip_comment(str);
1743 if (*str != '<')
1744 {
1745 *error = US"Missing '<' before message-id";
1746 return NULL;
1747 }
1748
1749 /* Getting a block the size of the input string will definitely be sufficient
1750 for the answer, but it may also be very long if we are processing a header
1751 line. Therefore, take care to release unwanted store afterwards. */
1752
1753 reset_point = store_mark();
1754 id = *yield = store_get(Ustrlen(str) + 1, is_tainted(str));
1755 *id++ = *str++;
1756
1757 str = read_addr_spec(str, id, '>', error, &domain);
1758
1759 if (!*error)
1760 {
1761 if (*str != '>') *error = US"Missing '>' after message-id";
1762 else if (domain == NULL) *error = US"domain missing in message-id";
1763 }
1764
1765 if (*error)
1766 {
1767 store_reset(reset_point);
1768 return NULL;
1769 }
1770
1771 while (*id) id++;
1772 *id++ = *str++;
1773 *id++ = 0;
1774 store_release_above(id);
1775
1776 str = skip_comment(str);
1777 return str;
1778 }
1779
1780
1781 /*************************************************
1782 * Parse a fixed digit number *
1783 *************************************************/
1784
1785 /* Parse a string containing an ASCII encoded fixed digits number
1786
1787 Arguments:
1788 str pointer to the start of the ASCII encoded number
1789 n pointer to the resulting value
1790 digits number of required digits
1791
1792 Returns: points after the processed date or NULL on error
1793 */
1794
1795 static uschar *
1796 parse_number(uschar *str, int *n, int digits)
1797 {
1798 *n=0;
1799 while (digits--)
1800 {
1801 if (*str<'0' || *str>'9') return NULL;
1802 *n=10*(*n)+(*str++-'0');
1803 }
1804 return str;
1805 }
1806
1807
1808 /*************************************************
1809 * Parse a RFC 2822 day of week *
1810 *************************************************/
1811
1812 /* Parse the day of the week from a RFC 2822 date, but do not
1813 decode it, because it is only for humans.
1814
1815 Arguments:
1816 str pointer to the start of the day of the week
1817
1818 Returns: points after the parsed day or NULL on error
1819 */
1820
1821 static uschar *
1822 parse_day_of_week(uschar *str)
1823 {
1824 /*
1825 day-of-week = ([FWS] day-name) / obs-day-of-week
1826
1827 day-name = "Mon" / "Tue" / "Wed" / "Thu" /
1828 "Fri" / "Sat" / "Sun"
1829
1830 obs-day-of-week = [CFWS] day-name [CFWS]
1831 */
1832
1833 static const uschar *day_name[7]={ US"mon", US"tue", US"wed", US"thu", US"fri", US"sat", US"sun" };
1834 int i;
1835 uschar day[4];
1836
1837 str=skip_comment(str);
1838 for (i=0; i<3; ++i)
1839 {
1840 if ((day[i]=tolower(*str))=='\0') return NULL;
1841 ++str;
1842 }
1843 day[3]='\0';
1844 for (i=0; i<7; ++i) if (Ustrcmp(day,day_name[i])==0) break;
1845 if (i==7) return NULL;
1846 str=skip_comment(str);
1847 return str;
1848 }
1849
1850
1851 /*************************************************
1852 * Parse a RFC 2822 date *
1853 *************************************************/
1854
1855 /* Parse the date part of a RFC 2822 date-time, extracting the
1856 day, month and year.
1857
1858 Arguments:
1859 str pointer to the start of the date
1860 d pointer to the resulting day
1861 m pointer to the resulting month
1862 y pointer to the resulting year
1863
1864 Returns: points after the processed date or NULL on error
1865 */
1866
1867 static uschar *
1868 parse_date(uschar *str, int *d, int *m, int *y)
1869 {
1870 /*
1871 date = day month year
1872
1873 year = 4*DIGIT / obs-year
1874
1875 obs-year = [CFWS] 2*DIGIT [CFWS]
1876
1877 month = (FWS month-name FWS) / obs-month
1878
1879 month-name = "Jan" / "Feb" / "Mar" / "Apr" /
1880 "May" / "Jun" / "Jul" / "Aug" /
1881 "Sep" / "Oct" / "Nov" / "Dec"
1882
1883 obs-month = CFWS month-name CFWS
1884
1885 day = ([FWS] 1*2DIGIT) / obs-day
1886
1887 obs-day = [CFWS] 1*2DIGIT [CFWS]
1888 */
1889
1890 uschar *c,*n;
1891 static const uschar *month_name[]={ US"jan", US"feb", US"mar", US"apr", US"may", US"jun", US"jul", US"aug", US"sep", US"oct", US"nov", US"dec" };
1892 int i;
1893 uschar month[4];
1894
1895 str=skip_comment(str);
1896 if ((str=parse_number(str,d,1))==NULL) return NULL;
1897 if (*str>='0' && *str<='9') *d=10*(*d)+(*str++-'0');
1898 c=skip_comment(str);
1899 if (c==str) return NULL;
1900 else str=c;
1901 for (i=0; i<3; ++i) if ((month[i]=tolower(*(str+i)))=='\0') return NULL;
1902 month[3]='\0';
1903 for (i=0; i<12; ++i) if (Ustrcmp(month,month_name[i])==0) break;
1904 if (i==12) return NULL;
1905 str+=3;
1906 *m=i;
1907 c=skip_comment(str);
1908 if (c==str) return NULL;
1909 else str=c;
1910 if ((n=parse_number(str,y,4)))
1911 {
1912 str=n;
1913 if (*y<1900) return NULL;
1914 *y=*y-1900;
1915 }
1916 else if ((n=parse_number(str,y,2)))
1917 {
1918 str=skip_comment(n);
1919 while (*(str-1)==' ' || *(str-1)=='\t') --str; /* match last FWS later */
1920 if (*y<50) *y+=100;
1921 }
1922 else return NULL;
1923 return str;
1924 }
1925
1926
1927 /*************************************************
1928 * Parse a RFC 2822 Time *
1929 *************************************************/
1930
1931 /* Parse the time part of a RFC 2822 date-time, extracting the
1932 hour, minute, second and timezone.
1933
1934 Arguments:
1935 str pointer to the start of the time
1936 h pointer to the resulting hour
1937 m pointer to the resulting minute
1938 s pointer to the resulting second
1939 z pointer to the resulting timezone (offset in seconds)
1940
1941 Returns: points after the processed time or NULL on error
1942 */
1943
1944 static uschar *
1945 parse_time(uschar *str, int *h, int *m, int *s, int *z)
1946 {
1947 /*
1948 time = time-of-day FWS zone
1949
1950 time-of-day = hour ":" minute [ ":" second ]
1951
1952 hour = 2DIGIT / obs-hour
1953
1954 obs-hour = [CFWS] 2DIGIT [CFWS]
1955
1956 minute = 2DIGIT / obs-minute
1957
1958 obs-minute = [CFWS] 2DIGIT [CFWS]
1959
1960 second = 2DIGIT / obs-second
1961
1962 obs-second = [CFWS] 2DIGIT [CFWS]
1963
1964 zone = (( "+" / "-" ) 4DIGIT) / obs-zone
1965
1966 obs-zone = "UT" / "GMT" / ; Universal Time
1967 ; North American UT
1968 ; offsets
1969 "EST" / "EDT" / ; Eastern: - 5/ - 4
1970 "CST" / "CDT" / ; Central: - 6/ - 5
1971 "MST" / "MDT" / ; Mountain: - 7/ - 6
1972 "PST" / "PDT" / ; Pacific: - 8/ - 7
1973
1974 %d65-73 / ; Military zones - "A"
1975 %d75-90 / ; through "I" and "K"
1976 %d97-105 / ; through "Z", both
1977 %d107-122 ; upper and lower case
1978 */
1979
1980 uschar *c;
1981
1982 str=skip_comment(str);
1983 if ((str=parse_number(str,h,2))==NULL) return NULL;
1984 str=skip_comment(str);
1985 if (*str!=':') return NULL;
1986 ++str;
1987 str=skip_comment(str);
1988 if ((str=parse_number(str,m,2))==NULL) return NULL;
1989 c=skip_comment(str);
1990 if (*str==':')
1991 {
1992 ++str;
1993 str=skip_comment(str);
1994 if ((str=parse_number(str,s,2))==NULL) return NULL;
1995 c=skip_comment(str);
1996 }
1997 if (c==str) return NULL;
1998 else str=c;
1999 if (*str=='+' || *str=='-')
2000 {
2001 int neg;
2002
2003 neg=(*str=='-');
2004 ++str;
2005 if ((str=parse_number(str,z,4))==NULL) return NULL;
2006 *z=(*z/100)*3600+(*z%100)*60;
2007 if (neg) *z=-*z;
2008 }
2009 else
2010 {
2011 char zone[5];
2012 struct { const char *name; int off; } zone_name[10]=
2013 { {"gmt",0}, {"ut",0}, {"est",-5}, {"edt",-4}, {"cst",-6}, {"cdt",-5}, {"mst",-7}, {"mdt",-6}, {"pst",-8}, {"pdt",-7}};
2014 int i,j;
2015
2016 for (i=0; i<4; ++i)
2017 {
2018 zone[i]=tolower(*(str+i));
2019 if (zone[i]<'a' || zone[i]>'z') break;
2020 }
2021 zone[i]='\0';
2022 for (j=0; j<10 && strcmp(zone,zone_name[j].name); ++j);
2023 /* Besides zones named in the grammar, RFC 2822 says other alphabetic */
2024 /* time zones should be treated as unknown offsets. */
2025 if (j<10)
2026 {
2027 *z=zone_name[j].off*3600;
2028 str+=i;
2029 }
2030 else if (zone[0]<'a' || zone[1]>'z') return 0;
2031 else
2032 {
2033 while ((*str>='a' && *str<='z') || (*str>='A' && *str<='Z')) ++str;
2034 *z=0;
2035 }
2036 }
2037 return str;
2038 }
2039
2040
2041 /*************************************************
2042 * Parse a RFC 2822 date-time *
2043 *************************************************/
2044
2045 /* Parse a RFC 2822 date-time and return it in seconds since the epoch.
2046
2047 Arguments:
2048 str pointer to the start of the date-time
2049 t pointer to the parsed time
2050
2051 Returns: points after the processed date-time or NULL on error
2052 */
2053
2054 uschar *
2055 parse_date_time(uschar *str, time_t *t)
2056 {
2057 /*
2058 date-time = [ day-of-week "," ] date FWS time [CFWS]
2059 */
2060
2061 struct tm tm;
2062 int zone;
2063 extern char **environ;
2064 char **old_environ;
2065 static char gmt0[]="TZ=GMT0";
2066 static char *gmt_env[]={ gmt0, (char*)0 };
2067 uschar *try;
2068
2069 if ((try=parse_day_of_week(str)))
2070 {
2071 str=try;
2072 if (*str!=',') return 0;
2073 ++str;
2074 }
2075 if ((str=parse_date(str,&tm.tm_mday,&tm.tm_mon,&tm.tm_year))==NULL) return NULL;
2076 if (*str!=' ' && *str!='\t') return NULL;
2077 while (*str==' ' || *str=='\t') ++str;
2078 if ((str=parse_time(str,&tm.tm_hour,&tm.tm_min,&tm.tm_sec,&zone))==NULL) return NULL;
2079 tm.tm_isdst=0;
2080 old_environ=environ;
2081 environ=gmt_env;
2082 *t=mktime(&tm);
2083 environ=old_environ;
2084 if (*t==-1) return NULL;
2085 *t-=zone;
2086 str=skip_comment(str);
2087 return str;
2088 }
2089
2090
2091
2092
2093 /*************************************************
2094 **************************************************
2095 * Stand-alone test program *
2096 **************************************************
2097 *************************************************/
2098
2099 #if defined STAND_ALONE
2100 int main(void)
2101 {
2102 int start, end, domain;
2103 uschar buffer[1024];
2104 uschar outbuff[1024];
2105
2106 big_buffer = store_malloc(big_buffer_size);
2107
2108 /* strip_trailing_dot = TRUE; */
2109 allow_domain_literals = TRUE;
2110
2111 printf("Testing parse_fix_phrase\n");
2112
2113 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2114 {
2115 buffer[Ustrlen(buffer)-1] = 0;
2116 if (buffer[0] == 0) break;
2117 printf("%s\n", CS parse_fix_phrase(buffer, Ustrlen(buffer), outbuff,
2118 sizeof(outbuff)));
2119 }
2120
2121 printf("Testing parse_extract_address without group syntax and without UTF-8\n");
2122
2123 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2124 {
2125 uschar *out;
2126 uschar *errmess;
2127 buffer[Ustrlen(buffer) - 1] = 0;
2128 if (buffer[0] == 0) break;
2129 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2130 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2131 {
2132 uschar extract[1024];
2133 Ustrncpy(extract, buffer+start, end-start);
2134 extract[end-start] = 0;
2135 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2136 }
2137 }
2138
2139 printf("Testing parse_extract_address without group syntax but with UTF-8\n");
2140
2141 allow_utf8_domains = TRUE;
2142 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2143 {
2144 uschar *out;
2145 uschar *errmess;
2146 buffer[Ustrlen(buffer) - 1] = 0;
2147 if (buffer[0] == 0) break;
2148 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2149 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2150 {
2151 uschar extract[1024];
2152 Ustrncpy(extract, buffer+start, end-start);
2153 extract[end-start] = 0;
2154 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2155 }
2156 }
2157 allow_utf8_domains = FALSE;
2158
2159 printf("Testing parse_extract_address with group syntax\n");
2160
2161 f.parse_allow_group = TRUE;
2162 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2163 {
2164 uschar *out;
2165 uschar *errmess;
2166 uschar *s;
2167 buffer[Ustrlen(buffer) - 1] = 0;
2168 if (buffer[0] == 0) break;
2169 s = buffer;
2170 while (*s != 0)
2171 {
2172 uschar *ss = parse_find_address_end(s, FALSE);
2173 int terminator = *ss;
2174 *ss = 0;
2175 out = parse_extract_address(buffer, &errmess, &start, &end, &domain, FALSE);
2176 *ss = terminator;
2177
2178 if (out == NULL) printf("*** bad address: %s\n", errmess); else
2179 {
2180 uschar extract[1024];
2181 Ustrncpy(extract, buffer+start, end-start);
2182 extract[end-start] = 0;
2183 printf("%s %d %d %d \"%s\"\n", out, start, end, domain, extract);
2184 }
2185
2186 s = ss + (terminator? 1:0);
2187 while (isspace(*s)) s++;
2188 }
2189 }
2190
2191 printf("Testing parse_find_at\n");
2192
2193 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2194 {
2195 uschar *s;
2196 buffer[Ustrlen(buffer)-1] = 0;
2197 if (buffer[0] == 0) break;
2198 s = parse_find_at(buffer);
2199 if (s == NULL) printf("no @ found\n");
2200 else printf("offset = %d\n", s - buffer);
2201 }
2202
2203 printf("Testing parse_extract_addresses\n");
2204
2205 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2206 {
2207 uschar *errmess;
2208 int extracted;
2209 address_item *anchor = NULL;
2210 buffer[Ustrlen(buffer) - 1] = 0;
2211 if (buffer[0] == 0) break;
2212 if ((extracted = parse_forward_list(buffer, -1, &anchor,
2213 &errmess, US"incoming.domain", NULL, NULL)) == FF_DELIVERED)
2214 {
2215 while (anchor != NULL)
2216 {
2217 address_item *addr = anchor;
2218 anchor = anchor->next;
2219 printf("%d %s\n", testflag(addr, af_pfr), addr->address);
2220 }
2221 }
2222 else printf("Failed: %d %s\n", extracted, errmess);
2223 }
2224
2225 printf("Testing parse_message_id\n");
2226
2227 while (Ufgets(buffer, sizeof(buffer), stdin) != NULL)
2228 {
2229 uschar *s, *t, *errmess;
2230 buffer[Ustrlen(buffer) - 1] = 0;
2231 if (buffer[0] == 0) break;
2232 s = buffer;
2233 while (*s != 0)
2234 {
2235 s = parse_message_id(s, &t, &errmess);
2236 if (errmess != NULL)
2237 {
2238 printf("Failed: %s\n", errmess);
2239 break;
2240 }
2241 printf("%s\n", t);
2242 }
2243 }
2244
2245 return 0;
2246 }
2247
2248 #endif
2249
2250 /* End of parse.c */
Unnamed repository; edit this file 'description' to name the repository.