[hcoop/debian/exim4.git] / debian / patches / 84_Avoid-re-expansion-in-sort-CVE-2019-13917-OVE-201907.patch

From cf84d126bc1f04746eb7c8e8b3468f7e70add3ec Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 5 Jul 2019 15:38:15 +0100
Subject: [PATCH] Avoid re-expansion in ${sort } CVE-2019-13917
 OVE-20190718-0006

(cherry picked from commit 5c887f836e4d8e3f79da1c15565b56b40d9bd0dd)
---
 doc/ChangeLog      |   6 ++
 doc/doc-txt/cve-2019-13917 |  46 ++++++++
 src/expand.c           | 214 +++++++++++++++++++++++++------------
 3 files changed, 199 insertions(+), 67 deletions(-)
 create mode 100644 doc/doc-txt/cve-2019-13917

--- a/src/expand.c
+++ b/src/expand.c
@@ -2115,6 +2115,55 @@ return ret;
 
 
 
+/************************************************/
+/*  Return offset in ops table, or -1 if not found.
+Repoint to just after the operator in the string.
+
+Argument:
+ ss	string representation of operator
+ opname	split-out operator name
+*/
+
+static int
+identify_operator(const uschar ** ss, uschar ** opname)
+{
+const uschar * s = *ss;
+uschar name[256];
+
+/* Numeric comparisons are symbolic */
+
+if (*s == '=' || *s == '>' || *s == '<')
+  {
+  int p = 0;
+  name[p++] = *s++;
+  if (*s == '=')
+    {
+    name[p++] = '=';
+    s++;
+    }
+  name[p] = 0;
+  }
+
+/* All other conditions are named */
+
+else
+  s = read_name(name, sizeof(name), s, US"_");
+*ss = s;
+
+/* If we haven't read a name, it means some non-alpha character is first. */
+
+if (!name[0])
+  {
+  expand_string_message = string_sprintf("condition name expected, "
+    "but found \"%.16s\"", s);
+  return -1;
+  }
+if (opname)
+  *opname = string_copy(name);
+
+return chop_match(name, cond_table, nelem(cond_table));
+}
+
 
 /*************************************************
 *        Read and evaluate a condition           *
@@ -2145,6 +2194,7 @@ BOOL sub2_honour_dollar = TRUE;
 int i, rc, cond_type, roffset;
 int_eximarith_t num[2];
 struct stat statbuf;
+uschar * opname;
 uschar name[256];
 const uschar *sub[10];
 
@@ -2157,37 +2207,7 @@ for (;;)
   if (*s == '!') { testfor = !testfor; s++; } else break;
   }
 
-/* Numeric comparisons are symbolic */
-
-if (*s == '=' || *s == '>' || *s == '<')
-  {
-  int p = 0;
-  name[p++] = *s++;
-  if (*s == '=')
-    {
-    name[p++] = '=';
-    s++;
-    }
-  name[p] = 0;
-  }
-
-/* All other conditions are named */
-
-else s = read_name(name, 256, s, US"_");
-
-/* If we haven't read a name, it means some non-alpha character is first. */
-
-if (name[0] == 0)
-  {
-  expand_string_message = string_sprintf("condition name expected, "
-    "but found \"%.16s\"", s);
-  return NULL;
-  }
-
-/* Find which condition we are dealing with, and switch on it */
-
-cond_type = chop_match(name, cond_table, nelem(cond_table));
-switch(cond_type)
+switch(cond_type = identify_operator(&s, &opname))
   {
   /* def: tests for a non-empty variable, or for the existence of a header. If
   yield == NULL we are in a skipping state, and don't care about the answer. */
@@ -2506,7 +2526,7 @@ switch(cond_type)
       {
       if (i == 0) goto COND_FAILED_CURLY_START;
       expand_string_message = string_sprintf("missing 2nd string in {} "
-        "after \"%s\"", name);
+        "after \"%s\"", opname);
       return NULL;
       }
     sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL,
@@ -2518,7 +2538,7 @@ switch(cond_type)
     conditions that compare numbers do not start with a letter. This just saves
     checking for them individually. */
 
-    if (!isalpha(name[0]) && yield != NULL)
+    if (!isalpha(opname[0]) && yield != NULL)
       if (sub[i][0] == 0)
         {
         num[i] = 0;
@@ -2832,7 +2852,7 @@ switch(cond_type)
       uschar *save_iterate_item = iterate_item;
       int (*compare)(const uschar *, const uschar *);
 
-      DEBUG(D_expand) debug_printf_indent("condition: %s\n", name);
+      DEBUG(D_expand) debug_printf_indent("condition: %s\n", opname);
 
       tempcond = FALSE;
       compare = cond_type == ECOND_INLISTI
@@ -2871,14 +2891,14 @@ switch(cond_type)
     if (*s != '{')					/* }-for-text-editors */
       {
       expand_string_message = string_sprintf("each subcondition "
-        "inside an \"%s{...}\" condition must be in its own {}", name);
+        "inside an \"%s{...}\" condition must be in its own {}", opname);
       return NULL;
       }
 
     if (!(s = eval_condition(s+1, resetok, subcondptr)))
       {
       expand_string_message = string_sprintf("%s inside \"%s{...}\" condition",
-        expand_string_message, name);
+        expand_string_message, opname);
       return NULL;
       }
     while (isspace(*s)) s++;
@@ -2888,7 +2908,7 @@ switch(cond_type)
       {
       /* {-for-text-editors */
       expand_string_message = string_sprintf("missing } at end of condition "
-        "inside \"%s\" group", name);
+        "inside \"%s\" group", opname);
       return NULL;
       }
 
@@ -2920,7 +2940,7 @@ switch(cond_type)
     int sep = 0;
     uschar *save_iterate_item = iterate_item;
 
-    DEBUG(D_expand) debug_printf_indent("condition: %s\n", name);
+    DEBUG(D_expand) debug_printf_indent("condition: %s\n", opname);
 
     while (isspace(*s)) s++;
     if (*s++ != '{') goto COND_FAILED_CURLY_START;	/* }-for-text-editors */
@@ -2941,7 +2961,7 @@ switch(cond_type)
     if (!(s = eval_condition(sub[1], resetok, NULL)))
       {
       expand_string_message = string_sprintf("%s inside \"%s\" condition",
-        expand_string_message, name);
+        expand_string_message, opname);
       return NULL;
       }
     while (isspace(*s)) s++;
@@ -2951,7 +2971,7 @@ switch(cond_type)
       {
       /* {-for-text-editors */
       expand_string_message = string_sprintf("missing } at end of condition "
-        "inside \"%s\"", name);
+        "inside \"%s\"", opname);
       return NULL;
       }
 
@@ -2963,11 +2983,11 @@ switch(cond_type)
       if (!eval_condition(sub[1], resetok, &tempcond))
         {
         expand_string_message = string_sprintf("%s inside \"%s\" condition",
-          expand_string_message, name);
+          expand_string_message, opname);
         iterate_item = save_iterate_item;
         return NULL;
         }
-      DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", name,
+      DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", opname,
         tempcond? "true":"false");
 
       if (yield != NULL) *yield = (tempcond == testfor);
@@ -3060,19 +3080,20 @@ switch(cond_type)
   /* Unknown condition */
 
   default:
-  expand_string_message = string_sprintf("unknown condition \"%s\"", name);
-  return NULL;
+    if (!expand_string_message || !*expand_string_message)
+      expand_string_message = string_sprintf("unknown condition \"%s\"", opname);
+    return NULL;
   }   /* End switch on condition type */
 
 /* Missing braces at start and end of data */
 
 COND_FAILED_CURLY_START:
-expand_string_message = string_sprintf("missing { after \"%s\"", name);
+expand_string_message = string_sprintf("missing { after \"%s\"", opname);
 return NULL;
 
 COND_FAILED_CURLY_END:
 expand_string_message = string_sprintf("missing } at end of \"%s\" condition",
-  name);
+  opname);
 return NULL;
 
 /* A condition requires code that is not compiled */
@@ -3082,7 +3103,7 @@ return NULL;
     !defined(SUPPORT_CRYPTEQ) || !defined(CYRUS_SASLAUTHD_SOCKET)
 COND_FAILED_NOT_COMPILED:
 expand_string_message = string_sprintf("support for \"%s\" not compiled",
-  name);
+  opname);
 return NULL;
 #endif
 }
@@ -3793,6 +3814,58 @@ return x;
 }
 
 
+/************************************************/
+/* Comparison operation for sort expansion.  We need to avoid
+re-expanding the fields being compared, so need a custom routine.
+
+Arguments:
+ cond_type		Comparison operator code
+ leftarg, rightarg	Arguments for comparison
+
+Return true iff (leftarg compare rightarg)
+*/
+
+static BOOL
+sortsbefore(int cond_type, BOOL alpha_cond,
+  const uschar * leftarg, const uschar * rightarg)
+{
+int_eximarith_t l_num, r_num;
+
+if (!alpha_cond)
+  {
+  l_num = expanded_string_integer(leftarg, FALSE);
+  if (expand_string_message) return FALSE;
+  r_num = expanded_string_integer(rightarg, FALSE);
+  if (expand_string_message) return FALSE;
+
+  switch (cond_type)
+    {
+    case ECOND_NUM_G:	return l_num >  r_num;
+    case ECOND_NUM_GE:	return l_num >= r_num;
+    case ECOND_NUM_L:	return l_num <  r_num;
+    case ECOND_NUM_LE:	return l_num <= r_num;
+    default: break;
+    }
+  }
+else
+  switch (cond_type)
+    {
+    case ECOND_STR_LT:	return Ustrcmp (leftarg, rightarg) <  0;
+    case ECOND_STR_LTI:	return strcmpic(leftarg, rightarg) <  0;
+    case ECOND_STR_LE:	return Ustrcmp (leftarg, rightarg) <= 0;
+    case ECOND_STR_LEI:	return strcmpic(leftarg, rightarg) <= 0;
+    case ECOND_STR_GT:	return Ustrcmp (leftarg, rightarg) >  0;
+    case ECOND_STR_GTI:	return strcmpic(leftarg, rightarg) >  0;
+    case ECOND_STR_GE:	return Ustrcmp (leftarg, rightarg) >= 0;
+    case ECOND_STR_GEI:	return strcmpic(leftarg, rightarg) >= 0;
+    default: break;
+    }
+return FALSE;	/* should not happen */
+}
+
+
+
+
 
 /*************************************************
 *                 Expand string                  *
@@ -5904,9 +5977,10 @@ while (*s != 0)
 
     case EITEM_SORT:
       {
+      int cond_type;
       int sep = 0;
       const uschar *srclist, *cmp, *xtract;
-      uschar *srcitem;
+      uschar * opname, * srcitem;
       const uschar *dstlist = NULL, *dstkeylist = NULL;
       uschar * tmp;
       uschar *save_iterate_item = iterate_item;
@@ -5941,6 +6015,25 @@ while (*s != 0)
 	goto EXPAND_FAILED_CURLY;
 	}
 
+      if ((cond_type = identify_operator(&cmp, &opname)) == -1)
+	{
+	if (!expand_string_message)
+	  expand_string_message = string_sprintf("unknown condition \"%s\"", s);
+	goto EXPAND_FAILED;
+	}
+      switch(cond_type)
+	{
+	case ECOND_NUM_L: case ECOND_NUM_LE:
+	case ECOND_NUM_G: case ECOND_NUM_GE:
+	case ECOND_STR_GE: case ECOND_STR_GEI: case ECOND_STR_GT: case ECOND_STR_GTI:
+	case ECOND_STR_LE: case ECOND_STR_LEI: case ECOND_STR_LT: case ECOND_STR_LTI:
+	  break;
+
+	default:
+	  expand_string_message = US"comparator not handled for sort";
+	  goto EXPAND_FAILED;
+	}
+
       while (isspace(*s)) s++;
       if (*s++ != '{')
         {
@@ -5969,10 +6062,9 @@ while (*s != 0)
 
       while ((srcitem = string_nextinlist(&srclist, &sep, NULL, 0)))
         {
-	uschar * dstitem;
+	uschar * srcfield, * dstitem;
 	uschar * newlist = NULL;
 	uschar * newkeylist = NULL;
-	uschar * srcfield;
 
         DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", name, srcitem);
 
@@ -5993,25 +6085,15 @@ while (*s != 0)
 	while ((dstitem = string_nextinlist(&dstlist, &sep, NULL, 0)))
 	  {
 	  uschar * dstfield;
-	  uschar * expr;
-	  BOOL before;
 
 	  /* field for comparison */
 	  if (!(dstfield = string_nextinlist(&dstkeylist, &sep, NULL, 0)))
 	    goto sort_mismatch;
 
-	  /* build and run condition string */
-	  expr = string_sprintf("%s{%s}{%s}", cmp, srcfield, dstfield);
-
-	  DEBUG(D_expand) debug_printf_indent("%s: cond = \"%s\"\n", name, expr);
-	  if (!eval_condition(expr, &resetok, &before))
-	    {
-	    expand_string_message = string_sprintf("comparison in sort: %s",
-		expr);
-	    goto EXPAND_FAILED;
-	    }
+	  /* String-comparator names start with a letter; numeric names do not */
 
-	  if (before)
+	  if (sortsbefore(cond_type, isalpha(opname[0]),
+	      srcfield, dstfield))
 	    {
 	    /* New-item sorts before this dst-item.  Append new-item,
 	    then dst-item, then remainder of dst list. */
Commit	Line	Data
b032efff AM	1	From cf84d126bc1f04746eb7c8e8b3468f7e70add3ec Mon Sep 17 00:00:00 2001
	2	From: Jeremy Harris <jgh146exb@wizmail.org>
	3	Date: Fri, 5 Jul 2019 15:38:15 +0100
	4	Subject: [PATCH] Avoid re-expansion in ${sort } CVE-2019-13917
	5	OVE-20190718-0006
	6
	7	(cherry picked from commit 5c887f836e4d8e3f79da1c15565b56b40d9bd0dd)
	8	---
	9	doc/ChangeLog \| 6 ++
	10	doc/doc-txt/cve-2019-13917 \| 46 ++++++++
	11	src/expand.c \| 214 +++++++++++++++++++++++++------------
	12	3 files changed, 199 insertions(+), 67 deletions(-)
	13	create mode 100644 doc/doc-txt/cve-2019-13917
	14
	15	--- a/src/expand.c
	16	+++ b/src/expand.c
	17	@@ -2115,6 +2115,55 @@ return ret;
	18
	19
	20
	21	+/************************************************/
	22	+/* Return offset in ops table, or -1 if not found.
	23	+Repoint to just after the operator in the string.
	24	+
	25	+Argument:
	26	+ ss string representation of operator
	27	+ opname split-out operator name
	28	+*/
	29	+
	30	+static int
	31	+identify_operator(const uschar ss, uschar opname)
	32	+{
	33	+const uschar * s = *ss;
	34	+uschar name[256];
	35	+
	36	+/* Numeric comparisons are symbolic */
	37	+
	38	+if (s == '=' \|\| s == '>' \|\| *s == '<')
	39	+ {
	40	+ int p = 0;
	41	+ name[p++] = *s++;
	42	+ if (*s == '=')
	43	+ {
	44	+ name[p++] = '=';
	45	+ s++;
	46	+ }
	47	+ name[p] = 0;
	48	+ }
	49	+
	50	+/* All other conditions are named */
	51	+
	52	+else
	53	+ s = read_name(name, sizeof(name), s, US"_");
	54	+*ss = s;
	55	+
	56	+/* If we haven't read a name, it means some non-alpha character is first. */
	57	+
	58	+if (!name[0])
	59	+ {
	60	+ expand_string_message = string_sprintf("condition name expected, "
	61	+ "but found \"%.16s\"", s);
	62	+ return -1;
	63	+ }
	64	+if (opname)
65	+ *opname = string_copy(name);
66	+
67	+return chop_match(name, cond_table, nelem(cond_table));
68	+}
69	+
70
71	/*************************************************
72	* Read and evaluate a condition *
73	@@ -2145,6 +2194,7 @@ BOOL sub2_honour_dollar = TRUE;
74	int i, rc, cond_type, roffset;
75	int_eximarith_t num[2];
76	struct stat statbuf;
77	+uschar * opname;
78	uschar name[256];
79	const uschar *sub[10];
80
81	@@ -2157,37 +2207,7 @@ for (;;)
82	if (*s == '!') { testfor = !testfor; s++; } else break;
83	}
84
85	-/* Numeric comparisons are symbolic */
86	-
87	-if (s == '=' \|\| s == '>' \|\| *s == '<')
88	- {
89	- int p = 0;
90	- name[p++] = *s++;
91	- if (*s == '=')
92	- {
93	- name[p++] = '=';
94	- s++;
95	- }
96	- name[p] = 0;
97	- }
98	-
99	-/* All other conditions are named */
100	-
101	-else s = read_name(name, 256, s, US"_");
102	-
103	-/* If we haven't read a name, it means some non-alpha character is first. */
104	-
105	-if (name[0] == 0)
106	- {
107	- expand_string_message = string_sprintf("condition name expected, "
108	- "but found \"%.16s\"", s);
109	- return NULL;
110	- }
111	-
112	-/* Find which condition we are dealing with, and switch on it */
113	-
114	-cond_type = chop_match(name, cond_table, nelem(cond_table));
115	-switch(cond_type)
116	+switch(cond_type = identify_operator(&s, &opname))
117	{
118	/* def: tests for a non-empty variable, or for the existence of a header. If
119	yield == NULL we are in a skipping state, and don't care about the answer. */
120	@@ -2506,7 +2526,7 @@ switch(cond_type)
121	{
122	if (i == 0) goto COND_FAILED_CURLY_START;
123	expand_string_message = string_sprintf("missing 2nd string in {} "
124	- "after \"%s\"", name);
125	+ "after \"%s\"", opname);
126	return NULL;
127	}
128	sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL,
129	@@ -2518,7 +2538,7 @@ switch(cond_type)
130	conditions that compare numbers do not start with a letter. This just saves
131	checking for them individually. */
132
133	- if (!isalpha(name[0]) && yield != NULL)
134	+ if (!isalpha(opname[0]) && yield != NULL)
135	if (sub[i][0] == 0)
136	{
137	num[i] = 0;
138	@@ -2832,7 +2852,7 @@ switch(cond_type)
139	uschar *save_iterate_item = iterate_item;
140	int (compare)(const uschar , const uschar *);
141
142	- DEBUG(D_expand) debug_printf_indent("condition: %s\n", name);
143	+ DEBUG(D_expand) debug_printf_indent("condition: %s\n", opname);
144
145	tempcond = FALSE;
146	compare = cond_type == ECOND_INLISTI
147	@@ -2871,14 +2891,14 @@ switch(cond_type)
148	if (s != '{') / }-for-text-editors */
149	{
150	expand_string_message = string_sprintf("each subcondition "
151	- "inside an \"%s{...}\" condition must be in its own {}", name);
152	+ "inside an \"%s{...}\" condition must be in its own {}", opname);
153	return NULL;
154	}
155
156	if (!(s = eval_condition(s+1, resetok, subcondptr)))
157	{
158	expand_string_message = string_sprintf("%s inside \"%s{...}\" condition",
159	- expand_string_message, name);
160	+ expand_string_message, opname);
161	return NULL;
162	}
163	while (isspace(*s)) s++;
164	@@ -2888,7 +2908,7 @@ switch(cond_type)
165	{
166	/* {-for-text-editors */
167	expand_string_message = string_sprintf("missing } at end of condition "
168	- "inside \"%s\" group", name);
169	+ "inside \"%s\" group", opname);
170	return NULL;
171	}
172
173	@@ -2920,7 +2940,7 @@ switch(cond_type)
174	int sep = 0;
175	uschar *save_iterate_item = iterate_item;
176
177	- DEBUG(D_expand) debug_printf_indent("condition: %s\n", name);
178	+ DEBUG(D_expand) debug_printf_indent("condition: %s\n", opname);
179
180	while (isspace(*s)) s++;
181	if (s++ != '{') goto COND_FAILED_CURLY_START; / }-for-text-editors */
182	@@ -2941,7 +2961,7 @@ switch(cond_type)
183	if (!(s = eval_condition(sub[1], resetok, NULL)))
184	{
185	expand_string_message = string_sprintf("%s inside \"%s\" condition",
186	- expand_string_message, name);
187	+ expand_string_message, opname);
188	return NULL;
189	}
190	while (isspace(*s)) s++;
191	@@ -2951,7 +2971,7 @@ switch(cond_type)
192	{
193	/* {-for-text-editors */
194	expand_string_message = string_sprintf("missing } at end of condition "
195	- "inside \"%s\"", name);
196	+ "inside \"%s\"", opname);
197	return NULL;
198	}
199
200	@@ -2963,11 +2983,11 @@ switch(cond_type)
201	if (!eval_condition(sub[1], resetok, &tempcond))
202	{
203	expand_string_message = string_sprintf("%s inside \"%s\" condition",
204	- expand_string_message, name);
205	+ expand_string_message, opname);
206	iterate_item = save_iterate_item;
207	return NULL;
208	}
209	- DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", name,
210	+ DEBUG(D_expand) debug_printf_indent("%s: condition evaluated to %s\n", opname,
211	tempcond? "true":"false");
212
213	if (yield != NULL) *yield = (tempcond == testfor);
214	@@ -3060,19 +3080,20 @@ switch(cond_type)
215	/* Unknown condition */
216
217	default:
218	- expand_string_message = string_sprintf("unknown condition \"%s\"", name);
219	- return NULL;
220	+ if (!expand_string_message \|\| !*expand_string_message)
221	+ expand_string_message = string_sprintf("unknown condition \"%s\"", opname);
222	+ return NULL;
223	} /* End switch on condition type */
224
225	/* Missing braces at start and end of data */
226
227	COND_FAILED_CURLY_START:
228	-expand_string_message = string_sprintf("missing { after \"%s\"", name);
229	+expand_string_message = string_sprintf("missing { after \"%s\"", opname);
230	return NULL;
231
232	COND_FAILED_CURLY_END:
233	expand_string_message = string_sprintf("missing } at end of \"%s\" condition",
234	- name);
235	+ opname);
236	return NULL;
237
238	/* A condition requires code that is not compiled */
239	@@ -3082,7 +3103,7 @@ return NULL;
240	!defined(SUPPORT_CRYPTEQ) \|\| !defined(CYRUS_SASLAUTHD_SOCKET)
241	COND_FAILED_NOT_COMPILED:
242	expand_string_message = string_sprintf("support for \"%s\" not compiled",
243	- name);
244	+ opname);
245	return NULL;
246	#endif
247	}
248	@@ -3793,6 +3814,58 @@ return x;
249	}
250
251
252	+/************************************************/
253	+/* Comparison operation for sort expansion. We need to avoid
254	+re-expanding the fields being compared, so need a custom routine.
255	+
256	+Arguments:
257	+ cond_type Comparison operator code
258	+ leftarg, rightarg Arguments for comparison
259	+
260	+Return true iff (leftarg compare rightarg)
261	+*/
262	+
263	+static BOOL
264	+sortsbefore(int cond_type, BOOL alpha_cond,
265	+ const uschar * leftarg, const uschar * rightarg)
266	+{
267	+int_eximarith_t l_num, r_num;
268	+
269	+if (!alpha_cond)
270	+ {
271	+ l_num = expanded_string_integer(leftarg, FALSE);
272	+ if (expand_string_message) return FALSE;
273	+ r_num = expanded_string_integer(rightarg, FALSE);
274	+ if (expand_string_message) return FALSE;
275	+
276	+ switch (cond_type)
277	+ {
278	+ case ECOND_NUM_G: return l_num > r_num;
279	+ case ECOND_NUM_GE: return l_num >= r_num;
280	+ case ECOND_NUM_L: return l_num < r_num;
281	+ case ECOND_NUM_LE: return l_num <= r_num;
282	+ default: break;
283	+ }
284	+ }
285	+else
286	+ switch (cond_type)
287	+ {
288	+ case ECOND_STR_LT: return Ustrcmp (leftarg, rightarg) < 0;
289	+ case ECOND_STR_LTI: return strcmpic(leftarg, rightarg) < 0;
290	+ case ECOND_STR_LE: return Ustrcmp (leftarg, rightarg) <= 0;
291	+ case ECOND_STR_LEI: return strcmpic(leftarg, rightarg) <= 0;
292	+ case ECOND_STR_GT: return Ustrcmp (leftarg, rightarg) > 0;
293	+ case ECOND_STR_GTI: return strcmpic(leftarg, rightarg) > 0;
294	+ case ECOND_STR_GE: return Ustrcmp (leftarg, rightarg) >= 0;
295	+ case ECOND_STR_GEI: return strcmpic(leftarg, rightarg) >= 0;
296	+ default: break;
297	+ }
298	+return FALSE; /* should not happen */
299	+}
300	+
301	+
302	+
303	+
304
305	/*************************************************
306	* Expand string *
307	@@ -5904,9 +5977,10 @@ while (*s != 0)
308
309	case EITEM_SORT:
310	{
311	+ int cond_type;
312	int sep = 0;
313	const uschar srclist, cmp, *xtract;
314	- uschar *srcitem;
315	+ uschar * opname, * srcitem;
316	const uschar dstlist = NULL, dstkeylist = NULL;
317	uschar * tmp;
318	uschar *save_iterate_item = iterate_item;
319	@@ -5941,6 +6015,25 @@ while (*s != 0)
320	goto EXPAND_FAILED_CURLY;
321	}
322
323	+ if ((cond_type = identify_operator(&cmp, &opname)) == -1)
324	+ {
325	+ if (!expand_string_message)
326	+ expand_string_message = string_sprintf("unknown condition \"%s\"", s);
327	+ goto EXPAND_FAILED;
328	+ }
329	+ switch(cond_type)
330	+ {
331	+ case ECOND_NUM_L: case ECOND_NUM_LE:
332	+ case ECOND_NUM_G: case ECOND_NUM_GE:
333	+ case ECOND_STR_GE: case ECOND_STR_GEI: case ECOND_STR_GT: case ECOND_STR_GTI:
334	+ case ECOND_STR_LE: case ECOND_STR_LEI: case ECOND_STR_LT: case ECOND_STR_LTI:
335	+ break;
336	+
337	+ default:
338	+ expand_string_message = US"comparator not handled for sort";
339	+ goto EXPAND_FAILED;
340	+ }
341	+
342	while (isspace(*s)) s++;
343	if (*s++ != '{')
344	{
345	@@ -5969,10 +6062,9 @@ while (*s != 0)
346
347	while ((srcitem = string_nextinlist(&srclist, &sep, NULL, 0)))
348	{
349	- uschar * dstitem;
350	+ uschar * srcfield, * dstitem;
351	uschar * newlist = NULL;
352	uschar * newkeylist = NULL;
353	- uschar * srcfield;
354
355	DEBUG(D_expand) debug_printf_indent("%s: $item = \"%s\"\n", name, srcitem);
356
357	@@ -5993,25 +6085,15 @@ while (*s != 0)
358	while ((dstitem = string_nextinlist(&dstlist, &sep, NULL, 0)))
359	{
360	uschar * dstfield;
361	- uschar * expr;
362	- BOOL before;
363
364	/* field for comparison */
365	if (!(dstfield = string_nextinlist(&dstkeylist, &sep, NULL, 0)))
366	goto sort_mismatch;
367
368	- /* build and run condition string */
369	- expr = string_sprintf("%s{%s}{%s}", cmp, srcfield, dstfield);
370	-
371	- DEBUG(D_expand) debug_printf_indent("%s: cond = \"%s\"\n", name, expr);
372	- if (!eval_condition(expr, &resetok, &before))
373	- {
374	- expand_string_message = string_sprintf("comparison in sort: %s",
375	- expr);
376	- goto EXPAND_FAILED;
377	- }
378	+ /* String-comparator names start with a letter; numeric names do not */
379
380	- if (before)
381	+ if (sortsbefore(cond_type, isalpha(opname[0]),
382	+ srcfield, dstfield))
383	{
384	/* New-item sorts before this dst-item. Append new-item,
385	then dst-item, then remainder of dst list. */