autoreply transport: taint-enfoce options

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 33381d5583258e8ce1b0590a1fad1536adb989f9..368d37ec1e16e2487bffa3c760518cc309da47ac 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -90,6 +90,7 @@ JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
 JH/20 Taint checking: disallow use of tainted data for
       - the appendfile transport file and directory options
       - the pipe transport command
 JH/20 Taint checking: disallow use of tainted data for
       - the appendfile transport file and directory options
       - the pipe transport command

+      - the autoreply transport file, log and once options

       - file names used by the redirect router (including filter files)
       Previously this was permitted.
 
       - file names used by the redirect router (including filter files)
       Previously this was permitted.
 

diff --git a/src/src/transports/autoreply.c b/src/src/transports/autoreply.c
index 68f8d1f583da8d878bd689cbc6f2700ceb9ce850..666591b6029cc79645156659e5761465e64b5c9d 100644 (file)
--- a/src/src/transports/autoreply.c
+++ b/src/src/transports/autoreply.c
@@ -156,7 +156,7 @@ checkexpand(uschar *s, address_item *addr, uschar *name, int type)
 {
 uschar *ss = expand_string(s);
 
 {
 uschar *ss = expand_string(s);
 

-if (ss == NULL)
+if (!ss)

   {
   addr->transport_return = FAIL;
   addr->message = string_sprintf("Expansion of \"%s\" failed in %s transport: "
   {
   addr->transport_return = FAIL;
   addr->message = string_sprintf("Expansion of \"%s\" failed in %s transport: "


@@ -307,7 +307,7 @@ from that block. It has typically been set up by a mail filter processing
 router. Otherwise, the data must be supplied by this transport, and
 it has to be expanded here. */
 
 router. Otherwise, the data must be supplied by this transport, and
 it has to be expanded here. */
 

-if (addr->reply != NULL)
+if (addr->reply)

   {
   DEBUG(D_transport) debug_printf("taking data from address\n");
   from = addr->reply->from;
   {
   DEBUG(D_transport) debug_printf("taking data from address\n");
   from = addr->reply->from;


@@ -418,18 +418,27 @@ recipient, the effect might not be quite as envisaged. If once_file_size is
 set, instead of a dbm file, we use a regular file containing a circular buffer
 recipient cache. */
 
 set, instead of a dbm file, we use a regular file containing a circular buffer
 recipient cache. */
 

-if (oncelog && *oncelog != 0 && to)
+if (oncelog && *oncelog && to)

   {
   time_t then = 0;
 
   {
   time_t then = 0;
 

+  if (is_tainted(oncelog))
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = EACCES;
+    addr->message = string_sprintf("Tainted '%s' (once file for %s transport)"
+      " not permitted", oncelog, tblock->name);
+    goto END_OFF;
+    }
+

   /* Handle fixed-size cache file. */
 
   if (ob->once_file_size > 0)
     {
     uschar * nextp;
     struct stat statbuf;
   /* Handle fixed-size cache file. */
 
   if (ob->once_file_size > 0)
     {
     uschar * nextp;
     struct stat statbuf;

-    cache_fd = Uopen(oncelog, O_CREAT|O_RDWR, ob->mode);

 
 

+    cache_fd = Uopen(oncelog, O_CREAT|O_RDWR, ob->mode);

     if (cache_fd < 0 || fstat(cache_fd, &statbuf) != 0)
       {
       addr->transport_return = DEFER;
     if (cache_fd < 0 || fstat(cache_fd, &statbuf) != 0)
       {
       addr->transport_return = DEFER;


@@ -523,6 +532,15 @@ if (oncelog && *oncelog != 0 && to)
   if (then != 0 && (once_repeat_sec <= 0 || now - then < once_repeat_sec))
     {
     int log_fd;
   if (then != 0 && (once_repeat_sec <= 0 || now - then < once_repeat_sec))
     {
     int log_fd;

+    if (is_tainted(logfile))
+      {
+      addr->transport_return = DEFER;
+      addr->basic_errno = EACCES;
+      addr->message = string_sprintf("Tainted '%s' (logfile for %s transport)"
+       " not permitted", logfile, tblock->name);
+      goto END_OFF;
+      }
+

     DEBUG(D_transport) debug_printf("message previously sent to %s%s\n", to,
       (once_repeat_sec > 0)? " and repeat time not reached" : "");
     log_fd = logfile ? Uopen(logfile, O_WRONLY|O_APPEND|O_CREAT, ob->mode) : -1;
     DEBUG(D_transport) debug_printf("message previously sent to %s%s\n", to,
       (once_repeat_sec > 0)? " and repeat time not reached" : "");
     log_fd = logfile ? Uopen(logfile, O_WRONLY|O_APPEND|O_CREAT, ob->mode) : -1;


@@ -544,14 +562,24 @@ if (oncelog && *oncelog != 0 && to)
   }
 
 /* We are going to send a message. Ensure any requested file is available. */
   }
 
 /* We are going to send a message. Ensure any requested file is available. */

-
-if (file && !(ff = Ufopen(file, "rb")) && !ob->file_optional)
+if (file)

   {
   {

-  addr->transport_return = DEFER;
-  addr->basic_errno = errno;
-  addr->message = string_sprintf("Failed to open file %s when sending "
-    "message from %s transport: %s", file, tblock->name, strerror(errno));
-  return FALSE;
+  if (is_tainted(file))
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = EACCES;
+    addr->message = string_sprintf("Tainted '%s' (file for %s transport)"
+      " not permitted", file, tblock->name);
+    return FALSE;
+    }
+  if (!(ff = Ufopen(file, "rb")) && !ob->file_optional)
+    {
+    addr->transport_return = DEFER;
+    addr->basic_errno = errno;
+    addr->message = string_sprintf("Failed to open file %s when sending "
+      "message from %s transport: %s", file, tblock->name, strerror(errno));
+    return FALSE;
+    }

   }
 
 /* Make a subprocess to send the message */
   }
 
 /* Make a subprocess to send the message */

diff --git a/test/confs/0243 b/test/confs/0243
index 5a2f50136e57939b4bb6039dc15756b7d06eb110..d5e989c5bf99e0ea65546f3f92a03b2ff42e9edf 100644 (file)
--- a/test/confs/0243
+++ b/test/confs/0243
@@ -71,7 +71,7 @@ address_pipe:
 
 stuur_auto_antwoord:
   driver = autoreply
 
 stuur_auto_antwoord:
   driver = autoreply

-  file = DIR/aux-fixed/TESTNUM.antwoord-${local_part}
+  file = DIR/aux-fixed/TESTNUM.antwoord-${bless:$local_part}

   file_expand
   from = "${lookup{$local_part} lsearch \
            {DIR/aux-fixed/TESTNUM.beantwoorders} {$value}}"
   file_expand
   from = "${lookup{$local_part} lsearch \
            {DIR/aux-fixed/TESTNUM.beantwoorders} {$value}}"