diff options
| author | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2020-11-21 22:41:28 +0100 |
|---|---|---|
| committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-05-27 21:30:36 +0200 |
| commit | 40b8be2e25abb7569a05c839f5d0ab6176307a75 (patch) | |
| tree | fa8567f5f752845ef0e7639a8556cc1cc0e5e29e | |
| parent | 5dad84609e49ce4c45d29ccb98b1b7b1f296d69e (diff) | |
| download | exim4-40b8be2e25abb7569a05c839f5d0ab6176307a75.tar.gz | |
SECURITY: Fix safeguard against upward traversal in msglog files.
Credits: Qualys
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.
(cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)
(cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976)
| -rw-r--r-- | doc/doc-txt/ChangeLog | 2 | ||||
| -rw-r--r-- | src/src/deliver.c | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 0e008c985..313dcbf7e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -294,6 +294,8 @@ PP/11 Fix security issue in BDAT state confusion. mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys. +HS/03 Die on "/../" in msglog file names + Exim version 4.94 ----------------- diff --git a/src/src/deliver.c b/src/src/deliver.c index ba2948dfd..cf8ab09eb 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -334,7 +334,7 @@ static int open_msglog_file(uschar *filename, int mode, uschar **error) { if (Ustrstr(filename, US"/../")) - log_write(0, LOG_MAIN|LOG_PANIC, + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); for (int i = 2; i > 0; i--) |