Track tainted data and refuse to expand it

[exim.git] / src / src / spool_mbox.c

diff --git a/src/src/spool_mbox.c b/src/src/spool_mbox.c
index 4326340948f59904457e77eff8f2fdae083ac70c..caf1712cf7dde5619870e963826ed769e7b6dff5 100644 (file)
--- a/src/src/spool_mbox.c
+++ b/src/src/spool_mbox.c
@@ -4,7 +4,7 @@
 
 /* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
  * License: GPL
- * Copyright (c) The Exim Maintainers 2016
+ * Copyright (c) The Exim Maintainers 2016 - 2018
  */
 
 /* Code for setting up a MBOX style spool file inside a /scan/<msgid>
@@ -35,19 +35,16 @@ uschar message_subdir[2];
 uschar buffer[16384];
 uschar *temp_string;
 uschar *mbox_path;
-FILE *mbox_file = NULL;
-FILE *data_file = NULL;
-FILE *yield = NULL;
-header_line *my_headerlist;
+FILE *mbox_file = NULL, *l_data_file = NULL, *yield = NULL;
 struct stat statbuf;
-int i, j;
-void *reset_point;
+int j;
+rmark reset_point;
 
 mbox_path = string_sprintf("%s/scan/%s/%s.eml",
   spool_directory, message_id, message_id);
 if (mbox_fname) *mbox_fname = mbox_path;
 
-reset_point = store_get(0);
+reset_point = store_mark();
 
 /* Skip creation if already spooled out as mbox file */
 if (!spool_mbox_ok)
@@ -90,7 +87,7 @@ if (!spool_mbox_ok)
 
   /* write all non-deleted header lines to mbox file */
 
-  for (my_headerlist = header_list; my_headerlist;
+  for (header_line * my_headerlist = header_list; my_headerlist;
       my_headerlist = my_headerlist->next)
     if (my_headerlist->type != '*')
       if (fwrite(my_headerlist->text, my_headerlist->slen, 1, mbox_file) != 1)
@@ -108,21 +105,25 @@ if (!spool_mbox_ok)
     goto OUT;
     }
 
-  /* copy body file */
-  if (!source_file_override)
+  /* Copy body file.  If the main receive still has it open then it is holding
+  a lock, and we must not close it (which releases the lock), so just use the
+  global file handle. */
+  if (source_file_override)
+    l_data_file = Ufopen(source_file_override, "rb");
+  else if (spool_data_file)
+    l_data_file = spool_data_file;
+  else
     {
     message_subdir[1] = '\0';
-    for (i = 0; i < 2; i++)
+    for (int i = 0; i < 2; i++)
       {
       message_subdir[0] = split_spool_directory == (i == 0) ? message_id[5] : 0;
       temp_string = spool_fname(US"input", message_subdir, message_id, US"-D");
-      if ((data_file = Ufopen(temp_string, "rb"))) break;
+      if ((l_data_file = Ufopen(temp_string, "rb"))) break;
       }
     }
-  else
-    data_file = Ufopen(source_file_override, "rb");
 
-  if (!data_file)
+  if (!l_data_file)
     {
     log_write(0, LOG_MAIN|LOG_PANIC, "Could not open datafile for message %s",
       message_id);
@@ -131,31 +132,31 @@ if (!spool_mbox_ok)
 
   /* The code used to use this line, but it doesn't work in Cygwin.
 
-      (void)fread(data_buffer, 1, 18, data_file);
-    
+      (void)fread(data_buffer, 1, 18, l_data_file);
+
      What's happening is that spool_mbox used to use an fread to jump over the
      file header. That fails under Cygwin because the header is locked, but
      doing an fseek succeeds. We have to output the leading newline
      explicitly, because the one in the file is parted of the locked area.  */
 
   if (!source_file_override)
-    (void)fseek(data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
+    (void)fseek(l_data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
 
   do
     {
     uschar * s;
 
-    if (!spool_file_wireformat || source_file_override)
-      j = fread(buffer, 1, sizeof(buffer), data_file);
+    if (!f.spool_file_wireformat || source_file_override)
+      j = fread(buffer, 1, sizeof(buffer), l_data_file);
     else                                               /* needs CRLF -> NL */
-      if ((s = US fgets(CS buffer, sizeof(buffer), data_file)))
+      if ((s = US fgets(CS buffer, sizeof(buffer), l_data_file)))
        {
        uschar * p = s + Ustrlen(s) - 1;
 
        if (*p == '\n' && p[-1] == '\r')
          *--p = '\n';
        else if (*p == '\r')
-         ungetc(*p--, data_file);
+         ungetc(*p--, l_data_file);
 
        j = p - buffer;
        }
@@ -190,7 +191,7 @@ else
   *mbox_file_size = statbuf.st_size;
 
 OUT:
-if (data_file) (void)fclose(data_file);
+if (l_data_file && !spool_data_file) (void)fclose(l_data_file);
 if (mbox_file) (void)fclose(mbox_file);
 store_reset(reset_point);
 return yield;
@@ -207,14 +208,13 @@ unspool_mbox(void)
 spam_ok = 0;
 malware_ok = 0;
 
-if (spool_mbox_ok && !no_mbox_unspool)
+if (spool_mbox_ok && !f.no_mbox_unspool)
   {
-  uschar *mbox_path;
   uschar *file_path;
   struct dirent *entry;
   DIR *tempdir;
-
-  mbox_path = string_sprintf("%s/scan/%s", spool_directory, spooled_message_id);
+  rmark reset_point = store_mark();
+  uschar * mbox_path = string_sprintf("%s/scan/%s", spool_directory, spooled_message_id);
 
   if (!(tempdir = opendir(CS mbox_path)))
     {
@@ -239,7 +239,7 @@ if (spool_mbox_ok && !no_mbox_unspool)
 
   /* remove directory */
   rmdir(CS mbox_path);
-  store_reset(mbox_path);
+  store_reset(reset_point);
   }
 spool_mbox_ok = 0;
 }