labelled-process fork function
[exim.git] / src / src / rda.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8
9 /* This module contains code for extracting addresses from a forwarding list
10 (from an alias or forward file) or by running the filter interpreter. It may do
11 this in a sub-process if a uid/gid are supplied. */
12
13
14 #include "exim.h"
15
16 enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
17
18 #define REPLY_EXISTS 0x01
19 #define REPLY_EXPAND 0x02
20 #define REPLY_RETURN 0x04
21
22
23 /*************************************************
24 * Check string for filter program *
25 *************************************************/
26
27 /* This function checks whether a string is actually a filter program. The rule
28 is that it must start with "# Exim filter ..." (any capitalization, spaces
29 optional). It is envisaged that in future, other kinds of filter may be
30 implemented. That's why it is implemented the way it is. The function is global
31 because it is also called from filter.c when checking filters.
32
33 Argument: the string
34
35 Returns: FILTER_EXIM if it starts with "# Exim filter"
36 FILTER_SIEVE if it starts with "# Sieve filter"
37 FILTER_FORWARD otherwise
38 */
39
40 /* This is an auxiliary function for matching a tag. */
41
42 static BOOL
43 match_tag(const uschar *s, const uschar *tag)
44 {
45 for (; *tag != 0; s++, tag++)
46 if (*tag == ' ')
47 {
48 while (*s == ' ' || *s == '\t') s++;
49 s--;
50 }
51 else
52 if (tolower(*s) != tolower(*tag)) break;
53
54 return (*tag == 0);
55 }
56
57 /* This is the real function. It should be easy to add checking different
58 tags for other types of filter. */
59
60 int
61 rda_is_filter(const uschar *s)
62 {
63 while (isspace(*s)) s++; /* Skips initial blank lines */
64 if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
65 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
66 else return FILTER_FORWARD;
67 }
68
69
70
71
72 /*************************************************
73 * Check for existence of file *
74 *************************************************/
75
76 /* First of all, we stat the file. If this fails, we try to stat the enclosing
77 directory, because a file in an unmounted NFS directory will look the same as a
78 non-existent file. It seems that in Solaris 2.6, statting an entry in an
79 indirect map that is currently unmounted does not cause the mount to happen.
80 Instead, dummy data is returned, which defeats the whole point of this test.
81 However, if a stat() is done on some object inside the directory, such as the
82 "." back reference to itself, then the mount does occur. If an NFS host is
83 taken offline, it is possible for the stat() to get stuck until it comes back.
84 To guard against this, stick a timer round it. If we can't access the "."
85 inside the directory, try the plain directory, just in case that helps.
86
87 Argument:
88 filename the file name
89 error for message on error
90
91 Returns: FILE_EXIST the file exists
92 FILE_NOT_EXIST the file does not exist
93 FILE_EXIST_UNCLEAR cannot determine existence
94 */
95
96 static int
97 rda_exists(uschar *filename, uschar **error)
98 {
99 int rc, saved_errno;
100 struct stat statbuf;
101 uschar * s;
102
103 if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
104 saved_errno = errno;
105
106 s = string_copy(filename);
107 sigalrm_seen = FALSE;
108
109 if (saved_errno == ENOENT)
110 {
111 uschar * slash = Ustrrchr(s, '/');
112 Ustrcpy(slash+1, US".");
113
114 ALARM(30);
115 rc = Ustat(s, &statbuf);
116 if (rc != 0 && errno == EACCES && !sigalrm_seen)
117 {
118 *slash = 0;
119 rc = Ustat(s, &statbuf);
120 }
121 saved_errno = errno;
122 ALARM_CLR(0);
123
124 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
125 }
126
127 if (sigalrm_seen || rc != 0)
128 {
129 *error = string_sprintf("failed to stat %s (%s)", s,
130 sigalrm_seen? "timeout" : strerror(saved_errno));
131 return FILE_EXIST_UNCLEAR;
132 }
133
134 *error = string_sprintf("%s does not exist", filename);
135 DEBUG(D_route) debug_printf("%s\n", *error);
136 return FILE_NOT_EXIST;
137 }
138
139
140
141 /*************************************************
142 * Get forwarding list from a file *
143 *************************************************/
144
145 /* Open a file and read its entire contents into a block of memory. Certain
146 opening errors are optionally treated the same as "file does not exist".
147
148 ENOTDIR means that something along the line is not a directory: there are
149 installations that set home directories to be /dev/null for non-login accounts
150 but in normal circumstances this indicates some kind of configuration error.
151
152 EACCES means there's a permissions failure. Some users turn off read permission
153 on a .forward file to suspend forwarding, but this is probably an error in any
154 kind of mailing list processing.
155
156 The redirect block that contains the file name also contains constraints such
157 as who may own the file, and mode bits that must not be set. This function is
158
159 Arguments:
160 rdata rdirect block, containing file name and constraints
161 options for the RDO_ENOTDIR and RDO_EACCES options
162 error where to put an error message
163 yield what to return from rda_interpret on error
164
165 Returns: pointer to string in store; NULL on error
166 */
167
168 static uschar *
169 rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
170 int *yield)
171 {
172 FILE *fwd;
173 uschar *filebuf;
174 uschar *filename = rdata->string;
175 BOOL uid_ok = !rdata->check_owner;
176 BOOL gid_ok = !rdata->check_group;
177 struct stat statbuf;
178
179 /* Reading a file is a form of expansion; we wish to deny attackers the
180 capability to specify the file name. */
181
182 if (is_tainted(filename))
183 {
184 *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
185 filename);
186 *yield = FF_ERROR;
187 return NULL;
188 }
189
190 /* Attempt to open the file. If it appears not to exist, check up on the
191 containing directory by statting it. If the directory does not exist, we treat
192 this situation as an error (which will cause delivery to defer); otherwise we
193 pass back FF_NONEXIST, which causes the redirect router to decline.
194
195 However, if the ignore_enotdir option is set (to ignore "something on the
196 path is not a directory" errors), the right behaviour seems to be not to do the
197 directory test. */
198
199 if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
200 {
201 case ENOENT: /* File does not exist */
202 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
203 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
204 *yield =
205 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
206 ? FF_NONEXIST : FF_ERROR;
207 return NULL;
208
209 case ENOTDIR: /* Something on the path isn't a directory */
210 if (!(options & RDO_ENOTDIR)) goto DEFAULT_ERROR;
211 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
212 "exist\n", filename);
213 *yield = FF_NONEXIST;
214 return NULL;
215
216 case EACCES: /* Permission denied */
217 if (!(options & RDO_EACCES)) goto DEFAULT_ERROR;
218 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
219 "exist\n", filename);
220 *yield = FF_NONEXIST;
221 return NULL;
222
223 DEFAULT_ERROR:
224 default:
225 *error = string_open_failed(errno, "%s", filename);
226 *yield = FF_ERROR;
227 return NULL;
228 }
229
230 /* Check that we have a regular file. */
231
232 if (fstat(fileno(fwd), &statbuf) != 0)
233 {
234 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
235 goto ERROR_RETURN;
236 }
237
238 if ((statbuf.st_mode & S_IFMT) != S_IFREG)
239 {
240 *error = string_sprintf("%s is not a regular file", filename);
241 goto ERROR_RETURN;
242 }
243
244 /* Check for unwanted mode bits */
245
246 if ((statbuf.st_mode & rdata->modemask) != 0)
247 {
248 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
249 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
250 goto ERROR_RETURN;
251 }
252
253 /* Check the file owner and file group if required to do so. */
254
255 if (!uid_ok)
256 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
257 uid_ok = TRUE;
258 else if (rdata->owners)
259 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
260 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
261
262 if (!gid_ok)
263 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
264 gid_ok = TRUE;
265 else if (rdata->owngroups)
266 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
267 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
268
269 if (!uid_ok || !gid_ok)
270 {
271 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
272 goto ERROR_RETURN;
273 }
274
275 /* Put an upper limit on the size of the file, just to stop silly people
276 feeding in ridiculously large files, which can easily be created by making
277 files that have holes in them. */
278
279 if (statbuf.st_size > MAX_FILTER_SIZE)
280 {
281 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
282 goto ERROR_RETURN;
283 }
284
285 /* Read the file in one go in order to minimize the time we have it open. */
286
287 filebuf = store_get(statbuf.st_size + 1, is_tainted(filename));
288
289 if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
290 {
291 *error = string_sprintf("error while reading %s: %s",
292 filename, strerror(errno));
293 goto ERROR_RETURN;
294 }
295 filebuf[statbuf.st_size] = 0;
296
297 DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
298 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
299
300 (void)fclose(fwd);
301 return filebuf;
302
303 /* Return an error: the string is already set up. */
304
305 ERROR_RETURN:
306 *yield = FF_ERROR;
307 (void)fclose(fwd);
308 return NULL;
309 }
310
311
312
313 /*************************************************
314 * Extract info from list or filter *
315 *************************************************/
316
317 /* This function calls the appropriate function to extract addresses from a
318 forwarding list, or to run a filter file and get addresses from there.
319
320 Arguments:
321 rdata the redirection block
322 options the options bits
323 include_directory restrain to this directory
324 sieve_vacation_directory passed to sieve_interpret
325 sieve_enotify_mailto_owner passed to sieve_interpret
326 sieve_useraddress passed to sieve_interpret
327 sieve_subaddress passed to sieve_interpret
328 generated where to hang generated addresses
329 error for error messages
330 eblockp for details of skipped syntax errors
331 (NULL => no skip)
332 filtertype set to the filter type:
333 FILTER_FORWARD => a traditional .forward file
334 FILTER_EXIM => an Exim filter file
335 FILTER_SIEVE => a Sieve filter file
336 a system filter is always forced to be FILTER_EXIM
337
338 Returns: a suitable return for rda_interpret()
339 */
340
341 static int
342 rda_extract(redirect_block *rdata, int options, uschar *include_directory,
343 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
344 uschar *sieve_useraddress, uschar *sieve_subaddress,
345 address_item **generated, uschar **error, error_block **eblockp,
346 int *filtertype)
347 {
348 uschar *data;
349
350 if (rdata->isfile)
351 {
352 int yield = 0;
353 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
354 return yield;
355 }
356 else data = rdata->string;
357
358 *filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
359
360 /* Filter interpretation is done by a general function that is also called from
361 the filter testing option (-bf). There are two versions: one for Exim filtering
362 and one for Sieve filtering. Several features of string expansion may be locked
363 out at sites that don't trust users. This is done by setting flags in
364 expand_forbid that the expander inspects. */
365
366 if (*filtertype != FILTER_FORWARD)
367 {
368 int frc;
369 int old_expand_forbid = expand_forbid;
370
371 DEBUG(D_route) debug_printf("data is %s filter program\n",
372 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
373
374 /* RDO_FILTER is an "allow" bit */
375
376 if (!(options & RDO_FILTER))
377 {
378 *error = US"filtering not enabled";
379 return FF_ERROR;
380 }
381
382 expand_forbid =
383 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
384
385 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
386
387 if (*filtertype == FILTER_EXIM)
388 {
389 if ((options & RDO_EXIM_FILTER) != 0)
390 {
391 *error = US"Exim filtering not enabled";
392 return FF_ERROR;
393 }
394 frc = filter_interpret(data, options, generated, error);
395 }
396 else
397 {
398 if (options & RDO_SIEVE_FILTER)
399 {
400 *error = US"Sieve filtering not enabled";
401 return FF_ERROR;
402 }
403 frc = sieve_interpret(data, options, sieve_vacation_directory,
404 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
405 generated, error);
406 }
407
408 expand_forbid = old_expand_forbid;
409 return frc;
410 }
411
412 /* Not a filter script */
413
414 DEBUG(D_route) debug_printf("file is not a filter file\n");
415
416 return parse_forward_list(data,
417 options, /* specials that are allowed */
418 generated, /* where to hang them */
419 error, /* for errors */
420 deliver_domain, /* to qualify \name */
421 include_directory, /* restrain to directory */
422 eblockp); /* for skipped syntax errors */
423 }
424
425
426
427
428 /*************************************************
429 * Write string down pipe *
430 *************************************************/
431
432 /* This function is used for transferring a string down a pipe between
433 processes. If the pointer is NULL, a length of zero is written.
434
435 Arguments:
436 fd the pipe
437 s the string
438
439 Returns: -1 on error, else 0
440 */
441
442 static int
443 rda_write_string(int fd, const uschar *s)
444 {
445 int len = (s == NULL)? 0 : Ustrlen(s) + 1;
446 return ( write(fd, &len, sizeof(int)) != sizeof(int)
447 || (s != NULL && write(fd, s, len) != len)
448 )
449 ? -1 : 0;
450 }
451
452
453
454 /*************************************************
455 * Read string from pipe *
456 *************************************************/
457
458 /* This function is used for receiving a string from a pipe.
459
460 Arguments:
461 fd the pipe
462 sp where to put the string
463
464 Returns: FALSE if data missing
465 */
466
467 static BOOL
468 rda_read_string(int fd, uschar **sp)
469 {
470 int len;
471
472 if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
473 if (len == 0)
474 *sp = NULL;
475 else
476 /* We know we have enough memory so disable the error on "len" */
477 /* coverity[tainted_data] */
478 /* We trust the data source, so untainted */
479 if (read(fd, *sp = store_get(len, FALSE), len) != len) return FALSE;
480 return TRUE;
481 }
482
483
484
485 /*************************************************
486 * Interpret forward list or filter *
487 *************************************************/
488
489 /* This function is passed a forward list string (unexpanded) or the name of a
490 file (unexpanded) whose contents are the forwarding list. The list may in fact
491 be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
492 types of filter, with different initial tag strings, may be introduced in due
493 course.
494
495 The job of the function is to process the forwarding list or filter. It is
496 pulled out into this separate function, because it is used for system filter
497 files as well as from the redirect router.
498
499 If the function is given a uid/gid, it runs a subprocess that passes the
500 results back via a pipe. This provides security for things like :include:s in
501 users' .forward files, and "logwrite" calls in users' filter files. A
502 sub-process is NOT used when:
503
504 . No uid/gid is provided
505 . The input is a string which is not a filter string, and does not contain
506 :include:
507 . The input is a file whose non-existence can be detected in the main
508 process (which is usually running as root).
509
510 Arguments:
511 rdata redirect data (file + constraints, or data string)
512 options options to pass to the extraction functions,
513 plus ENOTDIR and EACCES handling bits
514 include_directory restrain :include: to this directory
515 sieve_vacation_directory directory passed to sieve_interpret
516 sieve_enotify_mailto_owner passed to sieve_interpret
517 sieve_useraddress passed to sieve_interpret
518 sieve_subaddress passed to sieve_interpret
519 ugid uid/gid to run under - if NULL, no change
520 generated where to hang generated addresses, initially NULL
521 error pointer for error message
522 eblockp for skipped syntax errors; NULL if no skipping
523 filtertype set to the type of file:
524 FILTER_FORWARD => traditional .forward file
525 FILTER_EXIM => an Exim filter file
526 FILTER_SIEVE => a Sieve filter file
527 a system filter is always forced to be FILTER_EXIM
528 rname router name for error messages in the format
529 "xxx router" or "system filter"
530
531 Returns: values from extraction function, or FF_NONEXIST:
532 FF_DELIVERED success, a significant action was taken
533 FF_NOTDELIVERED success, no significant action
534 FF_BLACKHOLE :blackhole:
535 FF_DEFER defer requested
536 FF_FAIL fail requested
537 FF_INCLUDEFAIL some problem with :include:
538 FF_FREEZE freeze requested
539 FF_ERROR there was a problem
540 FF_NONEXIST the file does not exist
541 */
542
543 int
544 rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
545 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
546 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
547 address_item **generated, uschar **error, error_block **eblockp,
548 int *filtertype, uschar *rname)
549 {
550 int fd, rc, pfd[2];
551 int yield, status;
552 BOOL had_disaster = FALSE;
553 pid_t pid;
554 uschar *data;
555 uschar *readerror = US"";
556 void (*oldsignal)(int);
557
558 DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
559 rdata->isfile ? "file" : "string", string_printing(rdata->string));
560
561 /* Do the expansions of the file name or data first, while still privileged. */
562
563 if (!(data = expand_string(rdata->string)))
564 {
565 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
566 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
567 expand_string_message);
568 return FF_ERROR;
569 }
570 rdata->string = data;
571
572 DEBUG(D_route)
573 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
574
575 if (rdata->isfile && data[0] != '/')
576 {
577 *error = string_sprintf("\"%s\" is not an absolute path", data);
578 return FF_ERROR;
579 }
580
581 /* If no uid/gid are supplied, or if we have a data string which does not start
582 with #Exim filter or #Sieve filter, and does not contain :include:, do all the
583 work in this process. Note that for a system filter, we always have a file, so
584 the work is done in this process only if no user is supplied. */
585
586 if (!ugid->uid_set || /* Either there's no uid, or */
587 (!rdata->isfile && /* We've got the data, and */
588 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
589 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
590 return rda_extract(rdata, options, include_directory,
591 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
592 sieve_subaddress, generated, error, eblockp, filtertype);
593
594 /* We need to run the processing code in a sub-process. However, if we can
595 determine the non-existence of a file first, we can decline without having to
596 create the sub-process. */
597
598 if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
599 return FF_NONEXIST;
600
601 /* If the file does exist, or we can't tell (non-root mounted NFS directory)
602 we have to create the subprocess to do everything as the given user. The
603 results of processing are passed back via a pipe. */
604
605 if (pipe(pfd) != 0)
606 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
607 ":include: failed for %s: %s", rname, strerror(errno));
608
609 /* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
610 process can be waited for. We sometimes get here with it set otherwise. Save
611 the old state for resetting on the wait. Ensure that all cached resources are
612 freed so that the subprocess starts with a clean slate and doesn't interfere
613 with the parent process. */
614
615 oldsignal = signal(SIGCHLD, SIG_DFL);
616 search_tidyup();
617
618 if ((pid = exim_fork(US"router interpret")) == 0)
619 {
620 header_line *waslast = header_last; /* Save last header */
621
622 fd = pfd[pipe_write];
623 (void)close(pfd[pipe_read]);
624 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
625
626 /* Addresses can get rewritten in filters; if we are not root or the exim
627 user (and we probably are not), turn off rewrite logging, because we cannot
628 write to the log now. */
629
630 if (ugid->uid != root_uid && ugid->uid != exim_uid)
631 {
632 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
633 "root or exim in this process)\n");
634 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
635 }
636
637 /* Now do the business */
638
639 yield = rda_extract(rdata, options, include_directory,
640 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
641 sieve_subaddress, generated, error, eblockp, filtertype);
642
643 /* Pass back whether it was a filter, and the return code and any overall
644 error text via the pipe. */
645
646 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
647 || write(fd, &yield, sizeof(int)) != sizeof(int)
648 || rda_write_string(fd, *error) != 0
649 )
650 goto bad;
651
652 /* Pass back the contents of any syntax error blocks if we have a pointer */
653
654 if (eblockp)
655 {
656 for (error_block * ep = *eblockp; ep; ep = ep->next)
657 if ( rda_write_string(fd, ep->text1) != 0
658 || rda_write_string(fd, ep->text2) != 0
659 )
660 goto bad;
661 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
662 goto bad;
663 }
664
665 /* If this is a system filter, we have to pass back the numbers of any
666 original header lines that were removed, and then any header lines that were
667 added but not subsequently removed. */
668
669 if (f.system_filtering)
670 {
671 int i = 0;
672 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
673 if ( h->type == htype_old
674 && write(fd, &i, sizeof(i)) != sizeof(i)
675 )
676 goto bad;
677
678 i = -1;
679 if (write(fd, &i, sizeof(i)) != sizeof(i))
680 goto bad;
681
682 while (waslast != header_last)
683 {
684 waslast = waslast->next;
685 if (waslast->type != htype_old)
686 if ( rda_write_string(fd, waslast->text) != 0
687 || write(fd, &(waslast->type), sizeof(waslast->type))
688 != sizeof(waslast->type)
689 )
690 goto bad;
691 }
692 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
693 goto bad;
694 }
695
696 /* Write the contents of the $n variables */
697
698 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
699 goto bad;
700
701 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
702 addresses, and their associated information, through the pipe. This is
703 just tedious, but it seems to be the only safe way. We do this also for
704 FAIL and FREEZE, because a filter is allowed to set up deliveries that
705 are honoured before freezing or failing. */
706
707 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
708 yield == FF_FAIL || yield == FF_FREEZE)
709 {
710 for (address_item * addr = *generated; addr; addr = addr->next)
711 {
712 int reply_options = 0;
713 int ig_err = addr->prop.ignore_error ? 1 : 0;
714
715 if ( rda_write_string(fd, addr->address) != 0
716 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
717 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
718 || rda_write_string(fd, addr->prop.errors_address) != 0
719 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
720 )
721 goto bad;
722
723 if (addr->pipe_expandn)
724 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
725 if (rda_write_string(fd, *pp) != 0)
726 goto bad;
727 if (rda_write_string(fd, NULL) != 0)
728 goto bad;
729
730 if (!addr->reply)
731 {
732 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
733 goto bad;
734 }
735 else
736 {
737 reply_options |= REPLY_EXISTS;
738 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
739 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
740 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
741 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
742 != sizeof(int)
743 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
744 != sizeof(time_t)
745 || rda_write_string(fd, addr->reply->to) != 0
746 || rda_write_string(fd, addr->reply->cc) != 0
747 || rda_write_string(fd, addr->reply->bcc) != 0
748 || rda_write_string(fd, addr->reply->from) != 0
749 || rda_write_string(fd, addr->reply->reply_to) != 0
750 || rda_write_string(fd, addr->reply->subject) != 0
751 || rda_write_string(fd, addr->reply->headers) != 0
752 || rda_write_string(fd, addr->reply->text) != 0
753 || rda_write_string(fd, addr->reply->file) != 0
754 || rda_write_string(fd, addr->reply->logfile) != 0
755 || rda_write_string(fd, addr->reply->oncelog) != 0
756 )
757 goto bad;
758 }
759 }
760
761 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
762 goto bad;
763 }
764
765 /* OK, this process is now done. Free any cached resources. Must use _exit()
766 and not exit() !! */
767
768 out:
769 (void)close(fd);
770 search_tidyup();
771 exim_underbar_exit(0, US"rda");
772
773 bad:
774 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
775 goto out;
776 }
777
778 /* Back in the main process: panic if the fork did not succeed. */
779
780 if (pid < 0)
781 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
782
783 /* Read the pipe to get the data from the filter/forward. Our copy of the
784 writing end must be closed first, as otherwise read() won't return zero on an
785 empty pipe. Afterwards, close the reading end. */
786
787 (void)close(pfd[pipe_write]);
788
789 /* Read initial data, including yield and contents of *error */
790
791 fd = pfd[pipe_read];
792 if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
793 read(fd, &yield, sizeof(int)) != sizeof(int) ||
794 !rda_read_string(fd, error)) goto DISASTER;
795
796 /* Read the contents of any syntax error blocks if we have a pointer */
797
798 if (eblockp)
799 {
800 error_block *e;
801 for (error_block ** p = eblockp; ; p = &e->next)
802 {
803 uschar *s;
804 if (!rda_read_string(fd, &s)) goto DISASTER;
805 if (!s) break;
806 e = store_get(sizeof(error_block), FALSE);
807 e->next = NULL;
808 e->text1 = s;
809 if (!rda_read_string(fd, &s)) goto DISASTER;
810 e->text2 = s;
811 *p = e;
812 }
813 }
814
815 /* If this is a system filter, read the identify of any original header lines
816 that were removed, and then read data for any new ones that were added. */
817
818 if (f.system_filtering)
819 {
820 int hn = 0;
821 header_line *h = header_list;
822
823 for (;;)
824 {
825 int n;
826 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
827 if (n < 0) break;
828 while (hn < n)
829 {
830 hn++;
831 if (!(h = h->next)) goto DISASTER_NO_HEADER;
832 }
833 h->type = htype_old;
834 }
835
836 for (;;)
837 {
838 uschar *s;
839 int type;
840 if (!rda_read_string(fd, &s)) goto DISASTER;
841 if (!s) break;
842 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
843 header_add(type, "%s", s);
844 }
845 }
846
847 /* Read the values of the $n variables */
848
849 if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
850
851 /* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
852 addresses and data to go with them. Keep them in the same order in the
853 generated chain. */
854
855 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
856 yield == FF_FAIL || yield == FF_FREEZE)
857 {
858 address_item **nextp = generated;
859
860 for (;;)
861 {
862 int i, reply_options;
863 address_item *addr;
864 uschar *recipient;
865 uschar *expandn[EXPAND_MAXN + 2];
866
867 /* First string is the address; NULL => end of addresses */
868
869 if (!rda_read_string(fd, &recipient)) goto DISASTER;
870 if (!recipient) break;
871
872 /* Hang on the end of the chain */
873
874 addr = deliver_make_addr(recipient, FALSE);
875 *nextp = addr;
876 nextp = &(addr->next);
877
878 /* Next comes the mode and the flags fields */
879
880 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
881 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
882 || !rda_read_string(fd, &addr->prop.errors_address)
883 || read(fd, &i, sizeof(i)) != sizeof(i)
884 )
885 goto DISASTER;
886 addr->prop.ignore_error = (i != 0);
887
888 /* Next comes a possible setting for $thisaddress and any numerical
889 variables for pipe expansion, terminated by a NULL string. The maximum
890 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
891 into the zeroth item in the vector - this is sorted out inside the pipe
892 transport. */
893
894 for (i = 0; i < EXPAND_MAXN + 1; i++)
895 {
896 uschar *temp;
897 if (!rda_read_string(fd, &temp)) goto DISASTER;
898 if (i == 0) filter_thisaddress = temp; /* Just in case */
899 expandn[i] = temp;
900 if (temp == NULL) break;
901 }
902
903 if (i > 0)
904 {
905 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), FALSE);
906 addr->pipe_expandn[i] = NULL;
907 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
908 }
909
910 /* Then an int containing reply options; zero => no reply data. */
911
912 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
913 if ((reply_options & REPLY_EXISTS) != 0)
914 {
915 addr->reply = store_get(sizeof(reply_item), FALSE);
916
917 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
918 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
919
920 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
921 sizeof(int) ||
922 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
923 sizeof(time_t) ||
924 !rda_read_string(fd, &addr->reply->to) ||
925 !rda_read_string(fd, &addr->reply->cc) ||
926 !rda_read_string(fd, &addr->reply->bcc) ||
927 !rda_read_string(fd, &addr->reply->from) ||
928 !rda_read_string(fd, &addr->reply->reply_to) ||
929 !rda_read_string(fd, &addr->reply->subject) ||
930 !rda_read_string(fd, &addr->reply->headers) ||
931 !rda_read_string(fd, &addr->reply->text) ||
932 !rda_read_string(fd, &addr->reply->file) ||
933 !rda_read_string(fd, &addr->reply->logfile) ||
934 !rda_read_string(fd, &addr->reply->oncelog))
935 goto DISASTER;
936 }
937 }
938 }
939
940 /* All data has been transferred from the sub-process. Reap it, close the
941 reading end of the pipe, and we are done. */
942
943 WAIT_EXIT:
944 while ((rc = wait(&status)) != pid)
945 if (rc < 0 && errno == ECHILD) /* Process has vanished */
946 {
947 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
948 goto FINAL_EXIT;
949 }
950
951 DEBUG(D_route)
952 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
953
954 if (had_disaster)
955 {
956 *error = string_sprintf("internal problem in %s: failure to transfer "
957 "data from subprocess: status=%04x%s%s%s", rname,
958 status, readerror,
959 (*error == NULL)? US"" : US": error=",
960 (*error == NULL)? US"" : *error);
961 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
962 }
963 else if (status != 0)
964 {
965 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
966 "%04x from redirect subprocess (but data correctly received)", rname,
967 status);
968 }
969
970 FINAL_EXIT:
971 (void)close(fd);
972 signal(SIGCHLD, oldsignal); /* restore */
973 return yield;
974
975
976 /* Come here if the data indicates removal of a header that we can't find */
977
978 DISASTER_NO_HEADER:
979 readerror = US" readerror=bad header identifier";
980 had_disaster = TRUE;
981 yield = FF_ERROR;
982 goto WAIT_EXIT;
983
984 /* Come here is there's a shambles in transferring the data over the pipe. The
985 value of errno should still be set. */
986
987 DISASTER:
988 readerror = string_sprintf(" readerror='%s'", strerror(errno));
989 had_disaster = TRUE;
990 yield = FF_ERROR;
991 goto WAIT_EXIT;
992 }
993
994 /* End of rda.c */