HCoop / hcoop / debian / exim4.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Import Upstream version 4.92
[hcoop/debian/exim4.git] / src / rda.c
CommitLineData
420a0d19
CE		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
2ea97746 5/* Copyright (c) University of Cambridge 1995 - 2018 */
420a0d19
CE		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module contains code for extracting addresses from a forwarding list
9(from an alias or forward file) or by running the filter interpreter. It may do
10this in a sub-process if a uid/gid are supplied. */
11
12
13#include "exim.h"
14
15enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
16
17#define REPLY_EXISTS 0x01
18#define REPLY_EXPAND 0x02
19#define REPLY_RETURN 0x04
20
21
22/*************************************************
23* Check string for filter program *
24*************************************************/
25
26/* This function checks whether a string is actually a filter program. The rule
27is that it must start with "# Exim filter ..." (any capitalization, spaces
28optional). It is envisaged that in future, other kinds of filter may be
29implemented. That's why it is implemented the way it is. The function is global
30because it is also called from filter.c when checking filters.
31
32Argument: the string
33
34Returns: FILTER_EXIM if it starts with "# Exim filter"
35 FILTER_SIEVE if it starts with "# Sieve filter"
36 FILTER_FORWARD otherwise
37*/
38
39/* This is an auxiliary function for matching a tag. */
40
41static BOOL
42match_tag(const uschar *s, const uschar *tag)
43{
44for (; *tag != 0; s++, tag++)
45 {
46 if (*tag == ' ')
47 {
48 while (*s == ' ' || *s == '\t') s++;
49 s--;
50 }
51 else if (tolower(*s) != tolower(*tag)) break;
52 }
53return (*tag == 0);
54}
55
56/* This is the real function. It should be easy to add checking different
57tags for other types of filter. */
58
59int
60rda_is_filter(const uschar *s)
61{
62while (isspace(*s)) s++; /* Skips initial blank lines */
63if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
64 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
65 else return FILTER_FORWARD;
66}
67
68
69
70
71/*************************************************
72* Check for existence of file *
73*************************************************/
74
75/* First of all, we stat the file. If this fails, we try to stat the enclosing
76directory, because a file in an unmounted NFS directory will look the same as a
77non-existent file. It seems that in Solaris 2.6, statting an entry in an
78indirect map that is currently unmounted does not cause the mount to happen.
79Instead, dummy data is returned, which defeats the whole point of this test.
80However, if a stat() is done on some object inside the directory, such as the
81"." back reference to itself, then the mount does occur. If an NFS host is
82taken offline, it is possible for the stat() to get stuck until it comes back.
83To guard against this, stick a timer round it. If we can't access the "."
84inside the directory, try the plain directory, just in case that helps.
85
86Argument:
87 filename the file name
88 error for message on error
89
90Returns: FILE_EXIST the file exists
91 FILE_NOT_EXIST the file does not exist
92 FILE_EXIST_UNCLEAR cannot determine existence
93*/
94
95static int
96rda_exists(uschar *filename, uschar **error)
97{
98int rc, saved_errno;
99uschar *slash;
100struct stat statbuf;
101
102if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
103saved_errno = errno;
104
105Ustrncpy(big_buffer, filename, big_buffer_size - 3);
106sigalrm_seen = FALSE;
107
108if (saved_errno == ENOENT)
109 {
110 slash = Ustrrchr(big_buffer, '/');
111 Ustrcpy(slash+1, ".");
112
2ea97746 113 ALARM(30);
420a0d19
CE		 114 rc = Ustat(big_buffer, &statbuf);
115 if (rc != 0 && errno == EACCES && !sigalrm_seen)
116 {
117 *slash = 0;
118 rc = Ustat(big_buffer, &statbuf);
119 }
120 saved_errno = errno;
2ea97746 121 ALARM_CLR(0);
420a0d19
CE		 122
123 DEBUG(D_route) debug_printf("stat(%s)=%d\n", big_buffer, rc);
124 }
125
126if (sigalrm_seen || rc != 0)
127 {
128 *error = string_sprintf("failed to stat %s (%s)", big_buffer,
129 sigalrm_seen? "timeout" : strerror(saved_errno));
130 return FILE_EXIST_UNCLEAR;
131 }
132
133*error = string_sprintf("%s does not exist", filename);
134DEBUG(D_route) debug_printf("%s\n", *error);
135return FILE_NOT_EXIST;
136}
137
138
139
140/*************************************************
141* Get forwarding list from a file *
142*************************************************/
143
144/* Open a file and read its entire contents into a block of memory. Certain
145opening errors are optionally treated the same as "file does not exist".
146
147ENOTDIR means that something along the line is not a directory: there are
148installations that set home directories to be /dev/null for non-login accounts
149but in normal circumstances this indicates some kind of configuration error.
150
151EACCES means there's a permissions failure. Some users turn off read permission
152on a .forward file to suspend forwarding, but this is probably an error in any
153kind of mailing list processing.
154
155The redirect block that contains the file name also contains constraints such
156as who may own the file, and mode bits that must not be set. This function is
157
158Arguments:
159 rdata rdirect block, containing file name and constraints
160 options for the RDO_ENOTDIR and RDO_EACCES options
161 error where to put an error message
162 yield what to return from rda_interpret on error
163
164Returns: pointer to string in store; NULL on error
165*/
166
167static uschar *
168rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
169 int *yield)
170{
171FILE *fwd;
172uschar *filebuf;
173uschar *filename = rdata->string;
174BOOL uid_ok = !rdata->check_owner;
175BOOL gid_ok = !rdata->check_group;
176struct stat statbuf;
177
178/* Attempt to open the file. If it appears not to exist, check up on the
179containing directory by statting it. If the directory does not exist, we treat
180this situation as an error (which will cause delivery to defer); otherwise we
181pass back FF_NONEXIST, which causes the redirect router to decline.
182
183However, if the ignore_enotdir option is set (to ignore "something on the
184path is not a directory" errors), the right behaviour seems to be not to do the
185directory test. */
186
187fwd = Ufopen(filename, "rb");
188if (fwd == NULL)
189 {
190 switch(errno)
191 {
192 case ENOENT: /* File does not exist */
193 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
194 filename,
195 ((options & RDO_ENOTDIR) != 0)? "ignore_enotdir set => skip " : "");
196 *yield = (((options & RDO_ENOTDIR) != 0) ||
197 rda_exists(filename, error) == FILE_NOT_EXIST)?
198 FF_NONEXIST : FF_ERROR;
199 return NULL;
200
201 case ENOTDIR: /* Something on the path isn't a directory */
202 if ((options & RDO_ENOTDIR) == 0) goto DEFAULT_ERROR;
203 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
204 "exist\n", filename);
205 *yield = FF_NONEXIST;
206 return NULL;
207
208 case EACCES: /* Permission denied */
209 if ((options & RDO_EACCES) == 0) goto DEFAULT_ERROR;
210 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
211 "exist\n", filename);
212 *yield = FF_NONEXIST;
213 return NULL;
214
215 DEFAULT_ERROR:
216 default:
217 *error = string_open_failed(errno, "%s", filename);
218 *yield = FF_ERROR;
219 return NULL;
220 }
221 }
222
223/* Check that we have a regular file. */
224
225if (fstat(fileno(fwd), &statbuf) != 0)
226 {
227 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
228 goto ERROR_RETURN;
229 }
230
231if ((statbuf.st_mode & S_IFMT) != S_IFREG)
232 {
233 *error = string_sprintf("%s is not a regular file", filename);
234 goto ERROR_RETURN;
235 }
236
237/* Check for unwanted mode bits */
238
239if ((statbuf.st_mode & rdata->modemask) != 0)
240 {
241 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
242 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
243 goto ERROR_RETURN;
244 }
245
246/* Check the file owner and file group if required to do so. */
247
248if (!uid_ok)
249 {
250 if (rdata->pw != NULL && statbuf.st_uid == rdata->pw->pw_uid)
251 uid_ok = TRUE;
252 else if (rdata->owners != NULL)
253 {
254 int i;
255 for (i = 1; i <= (int)(rdata->owners[0]); i++)
256 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
257 }
258 }
259
260if (!gid_ok)
261 {
262 if (rdata->pw != NULL && statbuf.st_gid == rdata->pw->pw_gid)
263 gid_ok = TRUE;
264 else if (rdata->owngroups != NULL)
265 {
266 int i;
267 for (i = 1; i <= (int)(rdata->owngroups[0]); i++)
268 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
269 }
270 }
271
272if (!uid_ok || !gid_ok)
273 {
274 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
275 goto ERROR_RETURN;
276 }
277
278/* Put an upper limit on the size of the file, just to stop silly people
279feeding in ridiculously large files, which can easily be created by making
280files that have holes in them. */
281
282if (statbuf.st_size > MAX_FILTER_SIZE)
283 {
284 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
285 goto ERROR_RETURN;
286 }
287
288/* Read the file in one go in order to minimize the time we have it open. */
289
290filebuf = store_get(statbuf.st_size + 1);
291
292if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
293 {
294 *error = string_sprintf("error while reading %s: %s",
295 filename, strerror(errno));
296 goto ERROR_RETURN;
297 }
298filebuf[statbuf.st_size] = 0;
299
300DEBUG(D_route)
301 debug_printf(OFF_T_FMT " bytes read from %s\n", statbuf.st_size, filename);
302
303(void)fclose(fwd);
304return filebuf;
305
306/* Return an error: the string is already set up. */
307
308ERROR_RETURN:
309*yield = FF_ERROR;
310(void)fclose(fwd);
311return NULL;
312}
313
314
315
316/*************************************************
317* Extract info from list or filter *
318*************************************************/
319
320/* This function calls the appropriate function to extract addresses from a
321forwarding list, or to run a filter file and get addresses from there.
322
323Arguments:
324 rdata the redirection block
325 options the options bits
326 include_directory restrain to this directory
327 sieve_vacation_directory passed to sieve_interpret
328 sieve_enotify_mailto_owner passed to sieve_interpret
329 sieve_useraddress passed to sieve_interpret
330 sieve_subaddress passed to sieve_interpret
331 generated where to hang generated addresses
332 error for error messages
333 eblockp for details of skipped syntax errors
334 (NULL => no skip)
335 filtertype set to the filter type:
336 FILTER_FORWARD => a traditional .forward file
337 FILTER_EXIM => an Exim filter file
338 FILTER_SIEVE => a Sieve filter file
339 a system filter is always forced to be FILTER_EXIM
340
341Returns: a suitable return for rda_interpret()
342*/
343
344static int
345rda_extract(redirect_block *rdata, int options, uschar *include_directory,
346 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
347 uschar *sieve_useraddress, uschar *sieve_subaddress,
348 address_item **generated, uschar **error, error_block **eblockp,
349 int *filtertype)
350{
351uschar *data;
352
353if (rdata->isfile)
354 {
355 int yield = 0;
356 data = rda_get_file_contents(rdata, options, error, &yield);
357 if (data == NULL) return yield;
358 }
359else data = rdata->string;
360
2ea97746 361*filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
420a0d19
CE		 362
363/* Filter interpretation is done by a general function that is also called from
364the filter testing option (-bf). There are two versions: one for Exim filtering
365and one for Sieve filtering. Several features of string expansion may be locked
366out at sites that don't trust users. This is done by setting flags in
367expand_forbid that the expander inspects. */
368
369if (*filtertype != FILTER_FORWARD)
370 {
371 int frc;
372 int old_expand_forbid = expand_forbid;
373
374 DEBUG(D_route) debug_printf("data is %s filter program\n",
375 (*filtertype == FILTER_EXIM)? "an Exim" : "a Sieve");
376
377 /* RDO_FILTER is an "allow" bit */
378
379 if ((options & RDO_FILTER) == 0)
380 {
381 *error = US"filtering not enabled";
382 return FF_ERROR;
383 }
384
385 expand_forbid =
386 (expand_forbid & ~RDO_FILTER_EXPANSIONS) |
387 (options & RDO_FILTER_EXPANSIONS);
388
389 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
390
391 if (*filtertype == FILTER_EXIM)
392 {
393 if ((options & RDO_EXIM_FILTER) != 0)
394 {
395 *error = US"Exim filtering not enabled";
396 return FF_ERROR;
397 }
398 frc = filter_interpret(data, options, generated, error);
399 }
400 else
401 {
402 if ((options & RDO_SIEVE_FILTER) != 0)
403 {
404 *error = US"Sieve filtering not enabled";
405 return FF_ERROR;
406 }
407 frc = sieve_interpret(data, options, sieve_vacation_directory,
408 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
409 generated, error);
410 }
411
412 expand_forbid = old_expand_forbid;
413 return frc;
414 }
415
416/* Not a filter script */
417
418DEBUG(D_route) debug_printf("file is not a filter file\n");
419
420return parse_forward_list(data,
421 options, /* specials that are allowed */
422 generated, /* where to hang them */
423 error, /* for errors */
424 deliver_domain, /* to qualify \name */
425 include_directory, /* restrain to directory */
426 eblockp); /* for skipped syntax errors */
427}
428
429
430
431
432/*************************************************
433* Write string down pipe *
434*************************************************/
435
436/* This function is used for transferring a string down a pipe between
437processes. If the pointer is NULL, a length of zero is written.
438
439Arguments:
440 fd the pipe
441 s the string
442
443Returns: -1 on error, else 0
444*/
445
446static int
2ea97746 447rda_write_string(int fd, const uschar *s)
420a0d19
CE		 448{
449int len = (s == NULL)? 0 : Ustrlen(s) + 1;
450return ( write(fd, &len, sizeof(int)) != sizeof(int)
451 || (s != NULL && write(fd, s, len) != len)
452 )
453 ? -1 : 0;
454}
455
456
457
458/*************************************************
459* Read string from pipe *
460*************************************************/
461
462/* This function is used for receiving a string from a pipe.
463
464Arguments:
465 fd the pipe
466 sp where to put the string
467
468Returns: FALSE if data missing
469*/
470
471static BOOL
472rda_read_string(int fd, uschar **sp)
473{
474int len;
475
476if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
2ea97746
CE		 477if (len == 0)
478 *sp = NULL;
479else
480 /* We know we have enough memory so disable the error on "len" */
481 /* coverity[tainted_data] */
482 if (read(fd, *sp = store_get(len), len) != len) return FALSE;
420a0d19
CE		 483return TRUE;
484}
485
486
487
488/*************************************************
489* Interpret forward list or filter *
490*************************************************/
491
492/* This function is passed a forward list string (unexpanded) or the name of a
493file (unexpanded) whose contents are the forwarding list. The list may in fact
494be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
2ea97746 495types of filter, with different initial tag strings, may be introduced in due
420a0d19
CE		 496course.
497
498The job of the function is to process the forwarding list or filter. It is
499pulled out into this separate function, because it is used for system filter
500files as well as from the redirect router.
501
502If the function is given a uid/gid, it runs a subprocess that passes the
503results back via a pipe. This provides security for things like :include:s in
504users' .forward files, and "logwrite" calls in users' filter files. A
505sub-process is NOT used when:
506
507 . No uid/gid is provided
508 . The input is a string which is not a filter string, and does not contain
509 :include:
510 . The input is a file whose non-existence can be detected in the main
511 process (which is usually running as root).
512
513Arguments:
514 rdata redirect data (file + constraints, or data string)
515 options options to pass to the extraction functions,
516 plus ENOTDIR and EACCES handling bits
517 include_directory restrain :include: to this directory
518 sieve_vacation_directory directory passed to sieve_interpret
519 sieve_enotify_mailto_owner passed to sieve_interpret
520 sieve_useraddress passed to sieve_interpret
521 sieve_subaddress passed to sieve_interpret
522 ugid uid/gid to run under - if NULL, no change
523 generated where to hang generated addresses, initially NULL
524 error pointer for error message
525 eblockp for skipped syntax errors; NULL if no skipping
526 filtertype set to the type of file:
527 FILTER_FORWARD => traditional .forward file
528 FILTER_EXIM => an Exim filter file
529 FILTER_SIEVE => a Sieve filter file
530 a system filter is always forced to be FILTER_EXIM
531 rname router name for error messages in the format
532 "xxx router" or "system filter"
533
534Returns: values from extraction function, or FF_NONEXIST:
535 FF_DELIVERED success, a significant action was taken
536 FF_NOTDELIVERED success, no significant action
537 FF_BLACKHOLE :blackhole:
538 FF_DEFER defer requested
539 FF_FAIL fail requested
540 FF_INCLUDEFAIL some problem with :include:
541 FF_FREEZE freeze requested
542 FF_ERROR there was a problem
543 FF_NONEXIST the file does not exist
544*/
545
546int
547rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
548 uschar *sieve_vacation_directory, uschar *sieve_enotify_mailto_owner,
549 uschar *sieve_useraddress, uschar *sieve_subaddress, ugid_block *ugid,
550 address_item **generated, uschar **error, error_block **eblockp,
551 int *filtertype, uschar *rname)
552{
553int fd, rc, pfd[2];
554int yield, status;
555BOOL had_disaster = FALSE;
556pid_t pid;
557uschar *data;
558uschar *readerror = US"";
559void (*oldsignal)(int);
560
561DEBUG(D_route) debug_printf("rda_interpret (%s): %s\n",
562 (rdata->isfile)? "file" : "string", rdata->string);
563
564/* Do the expansions of the file name or data first, while still privileged. */
565
566data = expand_string(rdata->string);
567if (data == NULL)
568 {
2ea97746 569 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
420a0d19
CE		 570 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
571 expand_string_message);
572 return FF_ERROR;
573 }
574rdata->string = data;
575
576DEBUG(D_route) debug_printf("expanded: %s\n", data);
577
578if (rdata->isfile && data[0] != '/')
579 {
580 *error = string_sprintf("\"%s\" is not an absolute path", data);
581 return FF_ERROR;
582 }
583
584/* If no uid/gid are supplied, or if we have a data string which does not start
585with #Exim filter or #Sieve filter, and does not contain :include:, do all the
586work in this process. Note that for a system filter, we always have a file, so
587the work is done in this process only if no user is supplied. */
588
589if (!ugid->uid_set || /* Either there's no uid, or */
590 (!rdata->isfile && /* We've got the data, and */
591 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
592 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
593 {
594 return rda_extract(rdata, options, include_directory,
595 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
596 sieve_subaddress, generated, error, eblockp, filtertype);
597 }
598
599/* We need to run the processing code in a sub-process. However, if we can
600determine the non-existence of a file first, we can decline without having to
601create the sub-process. */
602
603if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
604 return FF_NONEXIST;
605
606/* If the file does exist, or we can't tell (non-root mounted NFS directory)
607we have to create the subprocess to do everything as the given user. The
608results of processing are passed back via a pipe. */
609
610if (pipe(pfd) != 0)
611 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
612 ":include: failed for %s: %s", rname, strerror(errno));
613
614/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
615process can be waited for. We sometimes get here with it set otherwise. Save
616the old state for resetting on the wait. Ensure that all cached resources are
617freed so that the subprocess starts with a clean slate and doesn't interfere
618with the parent process. */
619
620oldsignal = signal(SIGCHLD, SIG_DFL);
621search_tidyup();
622
623if ((pid = fork()) == 0)
624 {
625 header_line *waslast = header_last; /* Save last header */
626
627 fd = pfd[pipe_write];
628 (void)close(pfd[pipe_read]);
629 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
630
631 /* Addresses can get rewritten in filters; if we are not root or the exim
632 user (and we probably are not), turn off rewrite logging, because we cannot
633 write to the log now. */
634
635 if (ugid->uid != root_uid && ugid->uid != exim_uid)
636 {
637 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
638 "root or exim in this process)\n");
2ea97746 639 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
420a0d19
CE		 640 }
641
642 /* Now do the business */
643
644 yield = rda_extract(rdata, options, include_directory,
645 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
646 sieve_subaddress, generated, error, eblockp, filtertype);
647
648 /* Pass back whether it was a filter, and the return code and any overall
649 error text via the pipe. */
650
651 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
652 || write(fd, &yield, sizeof(int)) != sizeof(int)
653 || rda_write_string(fd, *error) != 0
654 )
655 goto bad;
656
657 /* Pass back the contents of any syntax error blocks if we have a pointer */
658
659 if (eblockp != NULL)
660 {
661 error_block *ep;
662 for (ep = *eblockp; ep != NULL; ep = ep->next)
663 if ( rda_write_string(fd, ep->text1) != 0
664 || rda_write_string(fd, ep->text2) != 0
665 )
666 goto bad;
667 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
668 goto bad;
669 }
670
671 /* If this is a system filter, we have to pass back the numbers of any
672 original header lines that were removed, and then any header lines that were
673 added but not subsequently removed. */
674
2ea97746 675 if (f.system_filtering)
420a0d19
CE		 676 {
677 int i = 0;
678 header_line *h;
679 for (h = header_list; h != waslast->next; i++, h = h->next)
680 if ( h->type == htype_old
681 && write(fd, &i, sizeof(i)) != sizeof(i)
682 )
683 goto bad;
684
685 i = -1;
686 if (write(fd, &i, sizeof(i)) != sizeof(i))
687 goto bad;
688
689 while (waslast != header_last)
690 {
691 waslast = waslast->next;
692 if (waslast->type != htype_old)
693 if ( rda_write_string(fd, waslast->text) != 0
694 || write(fd, &(waslast->type), sizeof(waslast->type))
695 != sizeof(waslast->type)
696 )
697 goto bad;
698 }
699 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
700 goto bad;
701 }
702
703 /* Write the contents of the $n variables */
704
705 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
706 goto bad;
707
708 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
709 addresses, and their associated information, through the pipe. This is
710 just tedious, but it seems to be the only safe way. We do this also for
711 FAIL and FREEZE, because a filter is allowed to set up deliveries that
712 are honoured before freezing or failing. */
713
714 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
715 yield == FF_FAIL || yield == FF_FREEZE)
716 {
717 address_item *addr;
2ea97746 718 for (addr = *generated; addr; addr = addr->next)
420a0d19
CE		 719 {
720 int reply_options = 0;
2ea97746 721 int ig_err = addr->prop.ignore_error ? 1 : 0;
420a0d19
CE		 722
723 if ( rda_write_string(fd, addr->address) != 0
2ea97746
CE		 724 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
725 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
726 || rda_write_string(fd, addr->prop.errors_address) != 0
727 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
420a0d19
CE		 728 )
729 goto bad;
730
2ea97746 731 if (addr->pipe_expandn)
420a0d19
CE		 732 {
733 uschar **pp;
2ea97746 734 for (pp = addr->pipe_expandn; *pp; pp++)
420a0d19
CE		 735 if (rda_write_string(fd, *pp) != 0)
736 goto bad;
737 }
738 if (rda_write_string(fd, NULL) != 0)
739 goto bad;
740
2ea97746 741 if (!addr->reply)
420a0d19
CE		 742 {
743 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
744 goto bad;
745 }
746 else
747 {
748 reply_options |= REPLY_EXISTS;
749 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
750 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
751 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
752 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
753 != sizeof(int)
754 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
755 != sizeof(time_t)
756 || rda_write_string(fd, addr->reply->to) != 0
757 || rda_write_string(fd, addr->reply->cc) != 0
758 || rda_write_string(fd, addr->reply->bcc) != 0
759 || rda_write_string(fd, addr->reply->from) != 0
760 || rda_write_string(fd, addr->reply->reply_to) != 0
761 || rda_write_string(fd, addr->reply->subject) != 0
762 || rda_write_string(fd, addr->reply->headers) != 0
763 || rda_write_string(fd, addr->reply->text) != 0
764 || rda_write_string(fd, addr->reply->file) != 0
765 || rda_write_string(fd, addr->reply->logfile) != 0
766 || rda_write_string(fd, addr->reply->oncelog) != 0
767 )
768 goto bad;
769 }
770 }
771
772 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
773 goto bad;
774 }
775
776 /* OK, this process is now done. Free any cached resources. Must use _exit()
777 and not exit() !! */
778
779out:
780 (void)close(fd);
781 search_tidyup();
782 _exit(0);
783
784bad:
785 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
786 goto out;
787 }
788
789/* Back in the main process: panic if the fork did not succeed. */
790
791if (pid < 0)
792 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
793
794/* Read the pipe to get the data from the filter/forward. Our copy of the
795writing end must be closed first, as otherwise read() won't return zero on an
796empty pipe. Afterwards, close the reading end. */
797
798(void)close(pfd[pipe_write]);
799
800/* Read initial data, including yield and contents of *error */
801
802fd = pfd[pipe_read];
803if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
804 read(fd, &yield, sizeof(int)) != sizeof(int) ||
805 !rda_read_string(fd, error)) goto DISASTER;
806
807/* Read the contents of any syntax error blocks if we have a pointer */
808
2ea97746 809if (eblockp)
420a0d19 810 {
420a0d19 811 error_block *e;
2ea97746
CE		 812 error_block **p;
813 for (p = eblockp; ; p = &e->next)
420a0d19 814 {
2ea97746 815 uschar *s;
420a0d19 816 if (!rda_read_string(fd, &s)) goto DISASTER;
2ea97746 817 if (!s) break;
420a0d19
CE		 818 e = store_get(sizeof(error_block));
819 e->next = NULL;
820 e->text1 = s;
821 if (!rda_read_string(fd, &s)) goto DISASTER;
822 e->text2 = s;
823 *p = e;
420a0d19
CE		 824 }
825 }
826
827/* If this is a system filter, read the identify of any original header lines
828that were removed, and then read data for any new ones that were added. */
829
2ea97746 830if (f.system_filtering)
420a0d19
CE		 831 {
832 int hn = 0;
833 header_line *h = header_list;
834
835 for (;;)
836 {
837 int n;
838 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
839 if (n < 0) break;
840 while (hn < n)
841 {
842 hn++;
2ea97746 843 if (!(h = h->next)) goto DISASTER_NO_HEADER;
420a0d19
CE		 844 }
845 h->type = htype_old;
846 }
847
848 for (;;)
849 {
850 uschar *s;
851 int type;
852 if (!rda_read_string(fd, &s)) goto DISASTER;
2ea97746 853 if (!s) break;
420a0d19
CE		 854 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
855 header_add(type, "%s", s);
856 }
857 }
858
859/* Read the values of the $n variables */
860
861if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
862
863/* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
864addresses and data to go with them. Keep them in the same order in the
865generated chain. */
866
867if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
868 yield == FF_FAIL || yield == FF_FREEZE)
869 {
870 address_item **nextp = generated;
871
872 for (;;)
873 {
874 int i, reply_options;
875 address_item *addr;
876 uschar *recipient;
877 uschar *expandn[EXPAND_MAXN + 2];
878
879 /* First string is the address; NULL => end of addresses */
880
881 if (!rda_read_string(fd, &recipient)) goto DISASTER;
882 if (recipient == NULL) break;
883
884 /* Hang on the end of the chain */
885
886 addr = deliver_make_addr(recipient, FALSE);
887 *nextp = addr;
888 nextp = &(addr->next);
889
890 /* Next comes the mode and the flags fields */
891
2ea97746
CE		 892 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
893 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
894 || !rda_read_string(fd, &addr->prop.errors_address)
895 || read(fd, &i, sizeof(i)) != sizeof(i)
896 )
897 goto DISASTER;
898 addr->prop.ignore_error = (i != 0);
420a0d19
CE		 899
900 /* Next comes a possible setting for $thisaddress and any numerical
901 variables for pipe expansion, terminated by a NULL string. The maximum
902 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
903 into the zeroth item in the vector - this is sorted out inside the pipe
904 transport. */
905
906 for (i = 0; i < EXPAND_MAXN + 1; i++)
907 {
908 uschar *temp;
909 if (!rda_read_string(fd, &temp)) goto DISASTER;
910 if (i == 0) filter_thisaddress = temp; /* Just in case */
911 expandn[i] = temp;
912 if (temp == NULL) break;
913 }
914
915 if (i > 0)
916 {
2ea97746 917 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *));
420a0d19
CE		 918 addr->pipe_expandn[i] = NULL;
919 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
920 }
921
922 /* Then an int containing reply options; zero => no reply data. */
923
924 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
925 if ((reply_options & REPLY_EXISTS) != 0)
926 {
927 addr->reply = store_get(sizeof(reply_item));
928
929 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
930 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
931
932 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
933 sizeof(int) ||
934 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
935 sizeof(time_t) ||
936 !rda_read_string(fd, &(addr->reply->to)) ||
937 !rda_read_string(fd, &(addr->reply->cc)) ||
938 !rda_read_string(fd, &(addr->reply->bcc)) ||
939 !rda_read_string(fd, &(addr->reply->from)) ||
940 !rda_read_string(fd, &(addr->reply->reply_to)) ||
941 !rda_read_string(fd, &(addr->reply->subject)) ||
942 !rda_read_string(fd, &(addr->reply->headers)) ||
943 !rda_read_string(fd, &(addr->reply->text)) ||
944 !rda_read_string(fd, &(addr->reply->file)) ||
945 !rda_read_string(fd, &(addr->reply->logfile)) ||
946 !rda_read_string(fd, &(addr->reply->oncelog)))
947 goto DISASTER;
948 }
949 }
950 }
951
952/* All data has been transferred from the sub-process. Reap it, close the
953reading end of the pipe, and we are done. */
954
955WAIT_EXIT:
956while ((rc = wait(&status)) != pid)
957 {
958 if (rc < 0 && errno == ECHILD) /* Process has vanished */
959 {
960 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
961 goto FINAL_EXIT;
962 }
963 }
964
965DEBUG(D_route)
966 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
967
968if (had_disaster)
969 {
970 *error = string_sprintf("internal problem in %s: failure to transfer "
971 "data from subprocess: status=%04x%s%s%s", rname,
972 status, readerror,
973 (*error == NULL)? US"" : US": error=",
974 (*error == NULL)? US"" : *error);
975 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
976 }
977else if (status != 0)
978 {
979 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
980 "%04x from redirect subprocess (but data correctly received)", rname,
981 status);
982 }
983
984FINAL_EXIT:
985(void)close(fd);
986signal(SIGCHLD, oldsignal); /* restore */
987return yield;
988
989
990/* Come here if the data indicates removal of a header that we can't find */
991
992DISASTER_NO_HEADER:
993readerror = US" readerror=bad header identifier";
994had_disaster = TRUE;
995yield = FF_ERROR;
996goto WAIT_EXIT;
997
998/* Come here is there's a shambles in transferring the data over the pipe. The
999value of errno should still be set. */
1000
1001DISASTER:
1002readerror = string_sprintf(" readerror='%s'", strerror(errno));
1003had_disaster = TRUE;
1004yield = FF_ERROR;
1005goto WAIT_EXIT;
1006}
1007
1008/* End of rda.c */
exim4 packaging