From 0d5d8fc918c4b999a2d5b025d94e25e43680377d Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Sun, 21 Feb 2021 22:00:31 -0800
Subject: [PATCH 15/29] Security: Safeguard against relative names for msglog files.

Based on Heiko Schlittermann's commit 4f0ac4ad. This fixes:
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log the /../ attempt but will open the file anyway.
---
 src/deliver.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/deliver.c b/src/deliver.c
index d4ed8af08..279672ce0 100644
--- a/src/deliver.c
+++ b/src/deliver.c
@@ -331,6 +331,10 @@ open_msglog_file(uschar *filename, int mode, uschar **error)
 {
 int fd, i;
 
+if (Ustrstr(filename, US"/../"))
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Attempt to open msglog file path with upward-traversal: '%s'", filename);
+
 for (i = 2; i > 0; i--)
 {
 fd = Uopen(filename,
-- 
2.30.2
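Review bot: The guard `Ustrstr(filename, US"/../")` is a substring test, so it rejects an upward step only in the middle of the path; a name that begins with `../` still reaches `Uopen`, which sits oddly with the subject's "relative names". Whether any caller can pass such a name is not visible here (the body of open_msglog_file continues past the hunk), but the check could cover it cheaply, e.g. `if (Ustrncmp(filename, US"../", 3) == 0 || Ustrstr(filename, US"/../"))`. The refusal also rests entirely on `LOG_PANIC_DIE` not returning, which is what the earlier `LOG_PANIC` version quoted in the description got wrong. A one-line comment above the call, such as `/* LOG_PANIC_DIE exits; the open below must never run for such a path */`, would keep a later flag change from silently restoring the log-then-open behaviour.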