0c0c20aa AM |
1 | From ac8f49ef90e768a63ed3dca50e2b2c6e8d333bfd Mon Sep 17 00:00:00 2001 |
2 | From: Qualys Security Advisory <qsa@qualys.com> | |
3 | Date: Sun, 21 Feb 2021 21:26:53 -0800 | |
4 | Subject: [PATCH 11/29] CVE-2020-28015+28021: New-line injection into spool | |
5 | header file | |
6 | ||
7 | --- | |
8 | src/spool_out.c | 21 +++++++++++++++++---- | |
9 | 1 file changed, 17 insertions(+), 4 deletions(-) | |
10 | ||
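diff --git a/src/spool_out.c b/src/spool_out.c
index d55895202..9394393d5 100644
--- a/src/spool_out.c
+++ b/src/spool_out.c
@@ -108,6 +108,18 @@ return fd;
 * Write the header spool file *
 *************************************************/
 
+static const uschar *
+zap_newlines(const uschar *s)
+{
+uschar *z, *p;
+
+if (Ustrchr(s, '\n') == NULL) return s;
+
+p = z = string_copy(s);
+while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' ';
+return z;
+}
+
 /* Returns the size of the file for success; zero for failure. The file is
 written under a temporary name, and then renamed. It's done this way so that it
 works with re-writing the file on message deferral as well as for the initial
@@ -210,7 +222,7 @@ if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount);
 if (authenticated_id)
 fprintf(fp, "-auth_id %s\n", authenticated_id);
 if (authenticated_sender)
- fprintf(fp, "-auth_sender %s\n", authenticated_sender);
+ fprintf(fp, "-auth_sender %s\n", zap_newlines(authenticated_sender));
 
 if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n");
 if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n");
@@ -283,19 +295,20 @@ fprintf(fp, "%d\n", recipients_count);
 for (i = 0; i < recipients_count; i++)
 {
 recipient_item *r = recipients_list + i;
+ const uschar *address = zap_newlines(r->address);
 
 DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags);
 
 if (r->pno < 0 && r->errors_to == NULL && r->dsn_flags == 0)
- fprintf(fp, "%s\n", r->address);
+ fprintf(fp, "%s\n", address);
 else
 {
- uschar * errors_to = r->errors_to ? r->errors_to : US"";
+ const uschar * errors_to = r->errors_to ? zap_newlines(r->errors_to) : US"";
 /* for DSN SUPPORT extend exim 4 spool in a compatible way by
 adding new values upfront and add flag 0x02 */
 uschar * orcpt = r->orcpt ? r->orcpt : US"";
 
- fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt),
+ fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt),
 r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno);
 }
 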
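Review bot: In the recipients loop of the third hunk, `orcpt` is still written into the same spool line unfiltered, while `address` and `errors_to` now pass through `zap_newlines()`. The hunk does not show whether `r->orcpt` can ever contain a newline, but treating all three fields of that record alike removes the need to reason about it: `const uschar * orcpt = r->orcpt ? zap_newlines(r->orcpt) : US"";`. The same question applies to `-auth_id` in the second hunk, which prints `authenticated_id` raw directly above the now-filtered `-auth_sender` line. The loop body continues past the end of the hunk, so any later writes of recipient data are not covered by this review. A short comment above `zap_newlines()` would also help, e.g. `/* Returns s itself when it has no '\n', otherwise a string_copy() with each '\n' replaced by a space */`.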
67 | -- | |
68 | 2.30.2 | |
69 |