1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
From 0d5d8fc918c4b999a2d5b025d94e25e43680377d Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 22:00:31 -0800
Subject: [PATCH 15/29] Security: Safeguard against relative names for msglog
files.
Based on Heiko Schlittermann's commit 4f0ac4ad. This fixes:
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.
---
src/deliver.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/deliver.c b/src/deliver.c
index d4ed8af08..279672ce0 100644
--- a/src/deliver.c
+++ b/src/deliver.c
@@ -331,6 +331,10 @@ open_msglog_file(uschar *filename, int mode, uschar **error)
{
int fd, i;
+if (Ustrstr(filename, US"/../"))
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Attempt to open msglog file path with upward-traversal: '%s'", filename);
+
for (i = 2; i > 0; i--)
{
fd = Uopen(filename,
--
2.30.2
|
