diff options
| author | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2020-11-21 22:41:28 +0100 |
|---|---|---|
| committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:30 +0200 |
| commit | 1e9a340c05d7233969637095a8a6378b14de2976 (patch) | |
| tree | 6a042c3ca69b136497587d8ebdb4b01f76d599f2 | |
| parent | 2d9f1837bdd6c5946cb9cd997544eefc8cc14fc4 (diff) | |
| download | exim4-1e9a340c05d7233969637095a8a6378b14de2976.tar.gz | |
SECURITY: Fix safeguard against upward traversal in msglog files.
Credits: Qualys
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.
(cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)
| -rw-r--r-- | doc/doc-txt/ChangeLog | 2 | ||||
| -rw-r--r-- | src/src/deliver.c | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 87f1952f5..98c1b05e2 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -205,6 +205,8 @@ PP/11 Fix security issue in BDAT state confusion. mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys. +HS/03 Die on "/../" in msglog file names + Exim version 4.94 ----------------- diff --git a/src/src/deliver.c b/src/src/deliver.c index d85edd70e..389f2fb4c 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -334,7 +334,7 @@ static int open_msglog_file(uschar *filename, int mode, uschar **error) { if (Ustrstr(filename, US"/../")) - log_write(0, LOG_MAIN|LOG_PANIC, + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); for (int i = 2; i > 0; i--) |