Taint: fix verify. Bug 2598

(cherry-picked from 2b60ac1021 and 9eed571fd7)

7 files changed, 175 insertions, 3 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 92298e7fc..859e87b00 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -36,6 +36,10 @@ JH/07 Bug 2597: Fix a resource leak.  Using a lookup in obtaining a value for
       when the limit was exceeded.  This eventually crashed the daemon.  Fix
       by adding a relase action in that path.
 
+JH/08 Bug 2598: Fix verify ACL condition.  The options for the condition are
+      expanded; previously using tainted values was rejected.  Fix by using
+      dynamically-created buffers.
+
 
 Exim version 4.94
 -----------------
diff --git a/src/src/acl.c b/src/src/acl.c
index 8619cd5ef..11d1fd028 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -1767,7 +1767,7 @@ switch(vp->value)
 /* Remaining items are optional; they apply to sender and recipient
 verification, including "header sender" verification. */
 
-while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
+while ((ss = string_nextinlist(&list, &sep, NULL, 0)))
   {
   if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
   else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
@@ -1804,7 +1804,7 @@ while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
 	uschar * opt;
 
         while (isspace(*sublist)) sublist++;
-        while ((opt = string_nextinlist(&sublist, &optsep, buffer, sizeof(buffer))))
+        while ((opt = string_nextinlist(&sublist, &optsep, NULL, 0)))
           {
 	  callout_opt_t * op;
 	  double period = 1.0F;
diff --git a/test/confs/0591 b/test/confs/0591
new file mode 100644
index 000000000..8eaeb0894
--- /dev/null
+++ b/test/confs/0591
@@ -0,0 +1,33 @@
+# Exim test configuration 0591
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex
+
+acl_smtp_rcpt = check_recipient
+queue_only
+
+
+# ----- ACL -----
+
+begin acl
+
+check_recipient:
+  require verify = sender=OPT
+  accept
+
+# ----- Routers -----
+
+begin routers
+
+goodroute:
+  driver = accept
+  local_parts = userx
+  verify_only
+
+
+# End
diff --git a/test/scripts/0000-Basic/0087 b/test/scripts/0000-Basic/0087
index c77b69cc4..8e65e8006 100644
--- a/test/scripts/0000-Basic/0087
+++ b/test/scripts/0000-Basic/0087
@@ -1,4 +1,4 @@
-# verify = header_sender
+# verify = header_sender & sender
 exim -bh V4NET.10.10.10
 mail from:<userx@test.ex>
 rcpt to:<userx@test.ex>
diff --git a/test/scripts/0000-Basic/0591 b/test/scripts/0000-Basic/0591
new file mode 100644
index 000000000..c7f543d36
--- /dev/null
+++ b/test/scripts/0000-Basic/0591
@@ -0,0 +1,29 @@
+# verify = sender=address
+#
+# pass
+exim -DOPT=userx@test.ex -bh 127.0.0.1
+mail from:<userx@test.ex>
+rcpt to:<userx@test.ex>
+data
+From: userx@test.ex
+Subject: testing
+.
+QUIT
+****
+# fail
+exim -DOPT=fail@test.ex -bh 127.0.0.1
+mail from:<userx@test.ex>
+rcpt to:<userx@test.ex>
+QUIT
+****
+# check can use tainted data
+exim -DOPT='$sender_address/defer_ok' -bh 127.0.0.1
+mail from:<userx@test.ex>
+rcpt to:<userx@test.ex>
+data
+From: userx@test.ex
+Subject: testing
+.
+QUIT
+****
+no_msglog_check
diff --git a/test/stderr/0591 b/test/stderr/0591
new file mode 100644
index 000000000..d3e854e68
--- /dev/null
+++ b/test/stderr/0591
@@ -0,0 +1,67 @@
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_recipient"
+>>> processing "require" (TESTSUITE/test-config 20)
+>>> check verify = sender=userx@test.ex
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing userx@test.ex
+>>> userx in "userx"? yes (matched "userx")
+>>> calling goodroute router
+>>> routed by goodroute router
+>>> ----------- end verify ------------
+>>> require: condition test succeeded in ACL "check_recipient"
+>>> processing "accept" (TESTSUITE/test-config 21)
+>>> accept: condition test succeeded in ACL "check_recipient"
+>>> end of ACL "check_recipient": ACCEPT
+>>> host in ignore_fromline_hosts? no (option unset)
+LOG: 10HmaX-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtp S=sss
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_recipient"
+>>> processing "require" (TESTSUITE/test-config 20)
+>>> check verify = sender=fail@test.ex
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing fail@test.ex
+>>> fail in "userx"? no (end of list)
+>>> no more routers
+>>> ----------- end verify ------------
+>>> require: condition test failed in ACL "check_recipient"
+>>> end of ACL "check_recipient": not OK
+LOG: H=[127.0.0.1] sender verify fail for <fail@test.ex>: Unrouteable address
+LOG: H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: Sender verify failed
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_recipient"
+>>> processing "require" (TESTSUITE/test-config 20)
+>>> check verify = sender=$sender_address/defer_ok
+>>>              = sender=userx@test.ex/defer_ok
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing userx@test.ex
+>>> userx in "userx"? yes (matched "userx")
+>>> calling goodroute router
+>>> routed by goodroute router
+>>> ----------- end verify ------------
+>>> require: condition test succeeded in ACL "check_recipient"
+>>> processing "accept" (TESTSUITE/test-config 21)
+>>> accept: condition test succeeded in ACL "check_recipient"
+>>> end of ACL "check_recipient": ACCEPT
+>>> host in ignore_fromline_hosts? no (option unset)
+LOG: 10HmaY-0005vi-00 <= userx@test.ex H=[127.0.0.1] P=smtp S=sss
diff --git a/test/stdout/0591 b/test/stdout/0591
new file mode 100644
index 000000000..620e8f89f
--- /dev/null
+++ b/test/stdout/0591
@@ -0,0 +1,39 @@
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000

+250 OK

+250 Accepted

+354 Enter message, ending with "." on a line by itself

+250 OK id=10HmaX-0005vi-00

+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection

+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000

+250 OK

+550-Verification failed for <fail@test.ex>

+550-Unrouteable address

+550 Sender verify failed

+221 myhost.test.ex closing connection

+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000

+250 OK

+250 Accepted

+354 Enter message, ending with "." on a line by itself

+250 OK id=10HmaY-0005vi-00

+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection