diff options
Diffstat (limited to 'src/filter.c')
-rw-r--r-- | src/filter.c | 2607 |
1 files changed, 2607 insertions, 0 deletions
diff --git a/src/filter.c b/src/filter.c new file mode 100644 index 0000000..ad017e5 --- /dev/null +++ b/src/filter.c @@ -0,0 +1,2607 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) The Exim Maintainers 2020 - 2022 */ +/* Copyright (c) University of Cambridge 1995 - 2018 */ +/* See the file NOTICE for conditions of use and distribution. */ + + +/* Code for mail filtering functions. */ + +#include "exim.h" + + +/* Command arguments and left/right points in conditions can contain different +types of data, depending on the particular command or condition. Originally, +(void *) was used as "any old type", with casts, but this gives trouble and +warnings in some environments. So now it is done "properly", with a union. We +need to declare the structures first because some of them are recursive. */ + +struct filter_cmd; +struct condition_block; + +union argtypes { + struct string_item *a; + BOOL b; + struct condition_block *c; + struct filter_cmd *f; + int i; + const uschar *u; +}; + +/* Local structures used in this module */ + +typedef struct filter_cmd { + struct filter_cmd *next; + int command; + BOOL seen; + BOOL noerror; + union argtypes args[1]; +} filter_cmd; + +typedef struct condition_block { + struct condition_block *parent; + int type; + BOOL testfor; + union argtypes left; + union argtypes right; +} condition_block; + +/* Miscellaneous other declarations */ + +static uschar **error_pointer; +static const uschar *log_filename; +static int filter_options; +static int line_number; +static int expect_endif; +static int had_else_endif; +static int log_fd; +static int log_mode; +static int output_indent; +static BOOL filter_delivered; +static BOOL finish_obeyed; +static BOOL seen_force; +static BOOL seen_value; +static BOOL noerror_force; + +enum { had_neither, had_else, had_elif, had_endif }; + +static BOOL read_command_list(const uschar **, filter_cmd ***, BOOL); + + +/* The string arguments for the mail command. The header line ones (that are +permitted to include \n followed by white space) first, and then the body text +one (it can have \n anywhere). Then the file names and once_repeat, which may +not contain \n. */ + +static const char *mailargs[] = { /* "to" must be first, and */ + "to", /* "cc" and "bcc" must follow */ + "cc", + "bcc", + "from", + "reply_to", + "subject", + "extra_headers", /* miscellaneous added header lines */ + "text", + "file", + "log", + "once", + "once_repeat" +}; + +/* The count of string arguments */ + +#define MAILARGS_STRING_COUNT (nelem(mailargs)) + +/* The count of string arguments that are actually passed over as strings +(once_repeat is converted to an int). */ + +#define mailargs_string_passed (MAILARGS_STRING_COUNT - 1) + +/* This defines the offsets for the arguments; first the string ones, and +then the non-string ones. The order must be as above. */ + +enum { mailarg_index_to, + mailarg_index_cc, + mailarg_index_bcc, + mailarg_index_from, + mailarg_index_reply_to, + mailarg_index_subject, + mailarg_index_headers, /* misc headers must be last */ + mailarg_index_text, /* text is first after headers */ + mailarg_index_file, /* between text and expand are filenames */ + mailarg_index_log, + mailarg_index_once, + mailarg_index_once_repeat, /* a time string */ + mailarg_index_expand, /* first non-string argument */ + mailarg_index_return, + mailargs_total /* total number of arguments */ + }; + +/* Offsets in the data structure for the string arguments (note that +once_repeat isn't a string argument at this point.) */ + +static int reply_offsets[] = { /* must be in same order as above */ + offsetof(reply_item, to), + offsetof(reply_item, cc), + offsetof(reply_item, bcc), + offsetof(reply_item, from), + offsetof(reply_item, reply_to), + offsetof(reply_item, subject), + offsetof(reply_item, headers), + offsetof(reply_item, text), + offsetof(reply_item, file), + offsetof(reply_item, logfile), + offsetof(reply_item, oncelog), +}; + +/* Condition identities and names, with negated versions for some +of them. */ + +enum { cond_and, cond_or, cond_personal, cond_begins, cond_BEGINS, + cond_ends, cond_ENDS, cond_is, cond_IS, cond_matches, + cond_MATCHES, cond_contains, cond_CONTAINS, cond_delivered, + cond_above, cond_below, cond_errormsg, cond_firsttime, + cond_manualthaw, cond_foranyaddress }; + +static const char *cond_names[] = { + "and", "or", "personal", + "begins", "BEGINS", "ends", "ENDS", + "is", "IS", "matches", "MATCHES", "contains", + "CONTAINS", "delivered", "above", "below", "error_message", + "first_delivery", "manually_thawed", "foranyaddress" }; + +static const char *cond_not_names[] = { + "", "", "not personal", + "does not begin", "does not BEGIN", + "does not end", "does not END", + "is not", "IS not", "does not match", + "does not MATCH", "does not contain", "does not CONTAIN", + "not delivered", "not above", "not below", "not error_message", + "not first_delivery", "not manually_thawed", "not foranyaddress" }; + +/* Tables of binary condition words and their corresponding types. Not easy +to amalgamate with the above because of the different variants. */ + +static const char *cond_words[] = { + "BEGIN", + "BEGINS", + "CONTAIN", + "CONTAINS", + "END", + "ENDS", + "IS", + "MATCH", + "MATCHES", + "above", + "begin", + "begins", + "below", + "contain", + "contains", + "end", + "ends", + "is", + "match", + "matches"}; + +static int cond_word_count = nelem(cond_words); + +static int cond_types[] = { cond_BEGINS, cond_BEGINS, cond_CONTAINS, + cond_CONTAINS, cond_ENDS, cond_ENDS, cond_IS, cond_MATCHES, cond_MATCHES, + cond_above, cond_begins, cond_begins, cond_below, cond_contains, + cond_contains, cond_ends, cond_ends, cond_is, cond_matches, cond_matches }; + +/* Command identities: must be kept in step with the list of command words +and the list of expanded argument counts which follow. */ + +enum { add_command, defer_command, deliver_command, elif_command, else_command, + endif_command, finish_command, fail_command, freeze_command, + headers_command, if_command, logfile_command, logwrite_command, + mail_command, noerror_command, pipe_command, save_command, seen_command, + testprint_command, unseen_command, vacation_command }; + +static const char *command_list[] = { + "add", "defer", "deliver", "elif", "else", "endif", "finish", + "fail", "freeze", "headers", "if", "logfile", "logwrite", "mail", + "noerror", "pipe", "save", "seen", "testprint", "unseen", "vacation" +}; + +static int command_list_count = nelem(command_list); + +/* This table contains the number of expanded arguments in the bottom 4 bits. +If the top bit is set, it means that the default for the command is "seen". */ + +static uschar command_exparg_count[] = { + 2, /* add */ + 1, /* defer */ + 128+2, /* deliver */ + 0, /* elif */ + 0, /* else */ + 0, /* endif */ + 0, /* finish */ + 1, /* fail */ + 1, /* freeze */ + 1, /* headers */ + 0, /* if */ + 1, /* logfile */ + 1, /* logwrite */ + MAILARGS_STRING_COUNT, /* mail */ + 0, /* noerror */ + 128+0, /* pipe */ + 128+1, /* save */ + 0, /* seen */ + 1, /* testprint */ + 0, /* unseen */ + MAILARGS_STRING_COUNT /* vacation */ +}; + + + +/************************************************* +* Find next significant uschar * +*************************************************/ + +/* Function to skip over white space and, optionally, comments. + +Arguments: + ptr pointer to next character + comment_allowed if TRUE, comments (# to \n) are skipped + +Returns: pointer to next non-whitespace character +*/ + +static const uschar * +nextsigchar(const uschar *ptr, BOOL comment_allowed) +{ +for (;;) + { + while (isspace(*ptr)) + { + if (*ptr == '\n') line_number++; + ptr++; + } + if (comment_allowed && *ptr == '#') + { + while (*(++ptr) != '\n' && *ptr != 0); + continue; + } + else break; + } +return ptr; +} + + + +/************************************************* +* Read one word * +*************************************************/ + +/* The terminator is white space unless bracket is TRUE, in which +case ( and ) terminate. + +Arguments + ptr pointer to next character + buffer where to put the word + size size of buffer + bracket if TRUE, terminate on ( and ) as well as space + +Returns: pointer to the next significant character after the word +*/ + +static const uschar * +nextword(const uschar *ptr, uschar *buffer, int size, BOOL bracket) +{ +uschar *bp = buffer; +while (*ptr != 0 && !isspace(*ptr) && + (!bracket || (*ptr != '(' && *ptr != ')'))) + { + if (bp - buffer < size - 1) *bp++ = *ptr++; else + { + *error_pointer = string_sprintf("word is too long in line %d of " + "filter file (max = %d chars)", line_number, size); + break; + } + } +*bp = 0; +return nextsigchar(ptr, TRUE); +} + + + +/************************************************* +* Read one item * +*************************************************/ + +/* Might be a word, or might be a quoted string; in the latter case +do the escape stuff. + +Arguments: + ptr pointer to next character + buffer where to put the item + size size of buffer + bracket if TRUE, terminate non-quoted on ( and ) as well as space + +Returns: the next significant character after the item +*/ + +static const uschar * +nextitem(const uschar *ptr, uschar *buffer, int size, BOOL bracket) +{ +uschar *bp = buffer; +if (*ptr != '\"') return nextword(ptr, buffer, size, bracket); + +while (*++ptr && *ptr != '\"' && *ptr != '\n') + { + if (bp - buffer >= size - 1) + { + *error_pointer = string_sprintf("string is too long in line %d of " + "filter file (max = %d chars)", line_number, size); + break; + } + + if (*ptr != '\\') *bp++ = *ptr; else + { + if (isspace(ptr[1])) /* \<whitespace>NL<whitespace> ignored */ + { + const uschar *p = ptr + 1; + while (*p != '\n' && isspace(*p)) p++; + if (*p == '\n') + { + line_number++; + ptr = p; + while (ptr[1] != '\n' && isspace(ptr[1])) ptr++; + continue; + } + } + + *bp++ = string_interpret_escape(CUSS &ptr); + } + } + +if (*ptr == '\"') ptr++; + else if (*error_pointer == NULL) + *error_pointer = string_sprintf("quote missing at end of string " + "in line %d", line_number); + +*bp = 0; +return nextsigchar(ptr, TRUE); +} + + + + +/************************************************* +* Convert a string + K|M to a number * +*************************************************/ + +/* +Arguments: + s points to text string + OK set TRUE if a valid number was read + +Returns: the number, or 0 on error (with *OK FALSE) +*/ + +static int +get_number(const uschar *s, BOOL *ok) +{ +int value, count; +*ok = FALSE; +if (sscanf(CS s, "%i%n", &value, &count) != 1) return 0; +if (tolower(s[count]) == 'k') { value *= 1024; count++; } +if (tolower(s[count]) == 'm') { value *= 1024*1024; count++; } +while (isspace((s[count]))) count++; +if (s[count] != 0) return 0; +*ok = TRUE; +return value; +} + + + +/************************************************* +* Read one condition * +*************************************************/ + +/* A complete condition must be terminated by "then"; bracketed internal +conditions must be terminated by a closing bracket. They are read by calling +this function recursively. + +Arguments: + ptr points to start of condition + condition_block where to hang the created condition block + toplevel TRUE when called at the top level + +Returns: points to next character after "then" +*/ + +static const uschar * +read_condition(const uschar *ptr, condition_block **cond, BOOL toplevel) +{ +uschar buffer[1024]; +BOOL testfor = TRUE; +condition_block *current_parent = NULL; +condition_block **current = cond; + +*current = NULL; + +/* Loop to read next condition */ + +for (;;) + { + condition_block *c; + + /* reaching the end of the input is an error. */ + + if (!*ptr) + { + *error_pointer = US"\"then\" missing at end of filter file"; + break; + } + + /* Opening bracket at the start of a condition introduces a nested + condition, which must be terminated by a closing bracket. */ + + if (*ptr == '(') + { + ptr = read_condition(nextsigchar(ptr+1, TRUE), &c, FALSE); + if (*error_pointer != NULL) break; + if (*ptr != ')') + { + *error_pointer = string_sprintf("expected \")\" in line %d of " + "filter file", line_number); + break; + } + if (!testfor) + { + c->testfor = !c->testfor; + testfor = TRUE; + } + ptr = nextsigchar(ptr+1, TRUE); + } + + + /* Closing bracket at the start of a condition is an error. Give an + explicit message, as otherwise "unknown condition" would be confusing. */ + + else if (*ptr == ')') + { + *error_pointer = string_sprintf("unexpected \")\" in line %d of " + "filter file", line_number); + break; + } + + /* Otherwise we expect a word or a string. */ + + else + { + ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + + /* "Then" at the start of a condition is an error */ + + if (Ustrcmp(buffer, "then") == 0) + { + *error_pointer = string_sprintf("unexpected \"then\" near line %d of " + "filter file", line_number); + break; + } + + /* "Not" at the start of a condition negates the testing condition. */ + + if (Ustrcmp(buffer, "not") == 0) + { + testfor = !testfor; + continue; + } + + /* Build a condition block from the specific word. */ + + c = store_get(sizeof(condition_block), GET_UNTAINTED); + c->left.u = c->right.u = NULL; + c->testfor = testfor; + testfor = TRUE; + + /* Check for conditions that start with a keyword */ + + if (Ustrcmp(buffer, "delivered") == 0) c->type = cond_delivered; + else if (Ustrcmp(buffer, "error_message") == 0) c->type = cond_errormsg; + else if (Ustrcmp(buffer, "first_delivery") == 0) c->type = cond_firsttime; + else if (Ustrcmp(buffer, "manually_thawed") == 0) c->type = cond_manualthaw; + + /* Personal can be followed by any number of aliases */ + + else if (Ustrcmp(buffer, "personal") == 0) + { + c->type = cond_personal; + for (;;) + { + string_item *aa; + const uschar * saveptr = ptr; + ptr = nextword(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + if (Ustrcmp(buffer, "alias") != 0) + { + ptr = saveptr; + break; + } + ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + aa = store_get(sizeof(string_item), GET_UNTAINTED); + aa->text = string_copy(buffer); + aa->next = c->left.a; + c->left.a = aa; + } + } + + /* Foranyaddress must be followed by a string and a condition enclosed + in parentheses, which is handled as a subcondition. */ + + else if (Ustrcmp(buffer, "foranyaddress") == 0) + { + ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + if (*ptr != '(') + { + *error_pointer = string_sprintf("\"(\" expected after \"foranyaddress\" " + "near line %d of filter file", line_number); + break; + } + + c->type = cond_foranyaddress; + c->left.u = string_copy(buffer); + + ptr = read_condition(nextsigchar(ptr+1, TRUE), &(c->right.c), FALSE); + if (*error_pointer) break; + if (*ptr != ')') + { + *error_pointer = string_sprintf("expected \")\" in line %d of " + "filter file", line_number); + break; + } + ptr = nextsigchar(ptr+1, TRUE); + } + + /* If it's not a word we recognize, then it must be the lefthand + operand of one of the comparison words. */ + + else + { + int i; + const uschar *isptr = NULL; + + c->left.u = string_copy(buffer); + ptr = nextword(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + + /* Handle "does|is [not]", preserving the pointer after "is" in + case it isn't that, but the form "is <string>". */ + + if (strcmpic(buffer, US"does") == 0 || strcmpic(buffer, US"is") == 0) + { + if (buffer[0] == 'i') { c->type = cond_is; isptr = ptr; } + if (buffer[0] == 'I') { c->type = cond_IS; isptr = ptr; } + + ptr = nextword(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + if (strcmpic(buffer, US"not") == 0) + { + c->testfor = !c->testfor; + if (isptr) isptr = ptr; + ptr = nextword(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + } + } + + for (i = 0; i < cond_word_count; i++) + { + if (Ustrcmp(buffer, cond_words[i]) == 0) + { + c->type = cond_types[i]; + break; + } + } + + /* If an unknown word follows "is" or "is not" + it's actually the argument. Reset to read it. */ + + if (i >= cond_word_count) + { + if (!isptr) + { + *error_pointer = string_sprintf("unrecognized condition word \"%s\" " + "near line %d of filter file", buffer, line_number); + break; + } + ptr = isptr; + } + + /* Get the RH argument. */ + + ptr = nextitem(ptr, buffer, sizeof(buffer), TRUE); + if (*error_pointer) break; + c->right.u = string_copy(buffer); + } + } + + /* We have read some new condition and set it up in the condition block + c; point the current pointer at it, and then deal with what follows. */ + + *current = c; + + /* Closing bracket terminates if this is a lower-level condition. Otherwise + it is unexpected. */ + + if (*ptr == ')') + { + if (toplevel) + *error_pointer = string_sprintf("unexpected \")\" in line %d of " + "filter file", line_number); + break; + } + + /* Opening bracket following a condition is an error; give an explicit + message to make it clearer what is wrong. */ + + else if (*ptr == '(') + { + *error_pointer = string_sprintf("unexpected \"(\" in line %d of " + "filter file", line_number); + break; + } + + /* Otherwise the next thing must be one of the words "and", "or" or "then" */ + + else + { +// const uschar *saveptr = ptr; + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + if (*error_pointer) break; + + /* "Then" terminates a toplevel condition; otherwise a closing bracket + has been omitted. Put a string terminator at the start of "then" so + that reflecting the condition can be done when testing. */ + /*XXX This stops us doing a constification job in this file, unfortunately. + Comment it out and see if anything breaks. + With one addition down at DEFERFREEZEFAIL it passes the testsuite. */ + + if (Ustrcmp(buffer, "then") == 0) + { +// if (toplevel) *saveptr = 0; +// else + if (!toplevel) + *error_pointer = string_sprintf("missing \")\" at end of " + "condition near line %d of filter file", line_number); + break; + } + + /* "And" causes a new condition block to replace the one we have + just read, which becomes the left sub-condition. The current pointer + is reset to the pointer for the right sub-condition. We have to keep + track of the tree of sequential "ands", so as to traverse back up it + if an "or" is met. */ + + else if (Ustrcmp(buffer, "and") == 0) + { + condition_block * andc = store_get(sizeof(condition_block), GET_UNTAINTED); + andc->parent = current_parent; + andc->type = cond_and; + andc->testfor = TRUE; + andc->left.c = c; + andc->right.u = NULL; /* insurance */ + *current = andc; + current = &(andc->right.c); + current_parent = andc; + } + + /* "Or" is similar, but has to be done a bit more carefully to + ensure that "and" is more binding. If there's a parent set, we + are following a sequence of "and"s and must track back to their + start. */ + + else if (Ustrcmp(buffer, "or") == 0) + { + condition_block * orc = store_get(sizeof(condition_block), GET_UNTAINTED); + condition_block * or_parent = NULL; + + if (current_parent) + { + while (current_parent->parent && + current_parent->parent->type == cond_and) + current_parent = current_parent->parent; + + /* If the parent has a parent, it must be an "or" parent. */ + + if (current_parent->parent) + or_parent = current_parent->parent; + } + + orc->parent = or_parent; + if (!or_parent) *cond = orc; + else or_parent->right.c = orc; + orc->type = cond_or; + orc->testfor = TRUE; + orc->left.c = (current_parent == NULL)? c : current_parent; + orc->right.c = NULL; /* insurance */ + current = &(orc->right.c); + current_parent = orc; + } + + /* Otherwise there is a disaster */ + + else + { + *error_pointer = string_sprintf("\"and\" or \"or\" or \"%s\" " + "expected near line %d of filter file, but found \"%s\"", + toplevel? "then" : ")", line_number, buffer); + break; + } + } + } + +return nextsigchar(ptr, TRUE); +} + + + +/************************************************* +* Output the current indent * +*************************************************/ + +static void +indent(void) +{ +int i; +for (i = 0; i < output_indent; i++) debug_printf(" "); +} + + + +/************************************************* +* Condition printer: for debugging * +*************************************************/ + +/* +Arguments: + c the block at the top of the tree + toplevel TRUE at toplevel - stops overall brackets + +Returns: nothing +*/ + +static void +print_condition(condition_block *c, BOOL toplevel) +{ +const char *name = (c->testfor)? cond_names[c->type] : cond_not_names[c->type]; +switch(c->type) + { + case cond_personal: + case cond_delivered: + case cond_errormsg: + case cond_firsttime: + case cond_manualthaw: + debug_printf("%s", name); + break; + + case cond_is: + case cond_IS: + case cond_matches: + case cond_MATCHES: + case cond_contains: + case cond_CONTAINS: + case cond_begins: + case cond_BEGINS: + case cond_ends: + case cond_ENDS: + case cond_above: + case cond_below: + debug_printf("%s %s %s", c->left.u, name, c->right.u); + break; + + case cond_and: + if (!c->testfor) debug_printf("not ("); + print_condition(c->left.c, FALSE); + debug_printf(" %s ", cond_names[c->type]); + print_condition(c->right.c, FALSE); + if (!c->testfor) debug_printf(")"); + break; + + case cond_or: + if (!c->testfor) debug_printf("not ("); + else if (!toplevel) debug_printf("("); + print_condition(c->left.c, FALSE); + debug_printf(" %s ", cond_names[c->type]); + print_condition(c->right.c, FALSE); + if (!toplevel || !c->testfor) debug_printf(")"); + break; + + case cond_foranyaddress: + debug_printf("%s %s (", name, c->left.u); + print_condition(c->right.c, FALSE); + debug_printf(")"); + break; + } +} + + + + +/************************************************* +* Read one filtering command * +*************************************************/ + +/* +Arguments: + pptr points to pointer to first character of command; the pointer + is updated to point after the last character read + lastcmdptr points to pointer to pointer to last command; used for hanging + on the newly read command + +Returns: TRUE if command successfully read, else FALSE +*/ + +static BOOL +read_command(const uschar **pptr, filter_cmd ***lastcmdptr) +{ +int command, i, cmd_bit; +filter_cmd *new, **newlastcmdptr; +BOOL yield = TRUE; +BOOL was_seen_or_unseen = FALSE; +BOOL was_noerror = FALSE; +uschar buffer[1024]; +const uschar *ptr = *pptr; +const uschar *saveptr; +uschar *fmsg = NULL; + +/* Read the next word and find which command it is. Command words are normally +terminated by white space, but there are two exceptions, which are the "if" and +"elif" commands. We must allow for them to be terminated by an opening bracket, +as brackets are allowed in conditions and users will expect not to require +white space here. */ + +*buffer = '\0'; /* compiler quietening */ + +if (Ustrncmp(ptr, "if(", 3) == 0) + { + Ustrcpy(buffer, US"if"); + ptr += 2; + } +else if (Ustrncmp(ptr, "elif(", 5) == 0) + { + Ustrcpy(buffer, US"elif"); + ptr += 4; + } +else + { + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + if (*error_pointer) return FALSE; + } + +for (command = 0; command < command_list_count; command++) + if (Ustrcmp(buffer, command_list[command]) == 0) break; + +/* Handle the individual commands */ + +switch (command) + { + /* Add takes two arguments, separated by the word "to". Headers has two + arguments, but the first must be "add", "remove", or "charset", and it gets + stored in the second argument slot. Neither may be preceded by seen, unseen + or noerror. */ + + case add_command: + case headers_command: + if (seen_force || noerror_force) + { + *error_pointer = string_sprintf("\"seen\", \"unseen\", or \"noerror\" " + "found before an \"%s\" command near line %d", + command_list[command], line_number); + yield = FALSE; + } + /* Fall through */ + + /* Logwrite, logfile, pipe, and testprint all take a single argument, save + and logfile can have an option second argument for the mode, and deliver can + have "errors_to <address>" in a system filter, or in a user filter if the + address is the current one. */ + + case deliver_command: + case logfile_command: + case logwrite_command: + case pipe_command: + case save_command: + case testprint_command: + + ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE); + if (!*buffer) + *error_pointer = string_sprintf("\"%s\" requires an argument " + "near line %d of filter file", command_list[command], line_number); + + if (*error_pointer) yield = FALSE; else + { + union argtypes argument, second_argument; + + argument.u = second_argument.u = NULL; + + if (command == add_command) + { + argument.u = string_copy(buffer); + ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE); + if (!*buffer || Ustrcmp(buffer, "to") != 0) + *error_pointer = string_sprintf("\"to\" expected in \"add\" command " + "near line %d of filter file", line_number); + else + { + ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE); + if (!*buffer) + *error_pointer = string_sprintf("value missing after \"to\" " + "near line %d of filter file", line_number); + else second_argument.u = string_copy(buffer); + } + } + + else if (command == headers_command) + { + if (Ustrcmp(buffer, "add") == 0) + second_argument.b = TRUE; + else + if (Ustrcmp(buffer, "remove") == 0) second_argument.b = FALSE; + else + if (Ustrcmp(buffer, "charset") == 0) + second_argument.b = TRUE_UNSET; + else + { + *error_pointer = string_sprintf("\"add\", \"remove\", or \"charset\" " + "expected after \"headers\" near line %d of filter file", + line_number); + yield = FALSE; + } + + if (!f.system_filtering && second_argument.b != TRUE_UNSET) + { + *error_pointer = string_sprintf("header addition and removal is " + "available only in system filters: near line %d of filter file", + line_number); + yield = FALSE; + break; + } + + if (yield) + { + ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE); + if (!*buffer) + *error_pointer = string_sprintf("value missing after \"add\", " + "\"remove\", or \"charset\" near line %d of filter file", + line_number); + else argument.u = string_copy(buffer); + } + } + + /* The argument for the logwrite command must end in a newline, and the save + and logfile commands can have an optional mode argument. The deliver + command can have an optional "errors_to <address>" for a system filter, + or for a user filter if the address is the user's address. Accept the + syntax here - the check is later. */ + + else + { + if (command == logwrite_command) + { + int len = Ustrlen(buffer); + if (len == 0 || buffer[len-1] != '\n') Ustrcat(buffer, US"\n"); + } + + argument.u = string_copy(buffer); + + if (command == save_command || command == logfile_command) + { + if (isdigit(*ptr)) + { + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + second_argument.i = (int)Ustrtol(buffer, NULL, 8); + } + else second_argument.i = -1; + } + + else if (command == deliver_command) + { + const uschar *save_ptr = ptr; + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + if (Ustrcmp(buffer, "errors_to") == 0) + { + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + second_argument.u = string_copy(buffer); + } + else ptr = save_ptr; + } + } + + /* Set up the command block. Seen defaults TRUE for delivery commands, + FALSE for logging commands, and it doesn't matter for testprint, as + that doesn't change the "delivered" status. */ + + if (*error_pointer) yield = FALSE; + else + { + new = store_get(sizeof(filter_cmd) + sizeof(union argtypes), GET_UNTAINTED); + new->next = NULL; + **lastcmdptr = new; + *lastcmdptr = &(new->next); + new->command = command; + new->seen = seen_force? seen_value : command_exparg_count[command] >= 128; + new->noerror = noerror_force; + new->args[0] = argument; + new->args[1] = second_argument; + } + } + break; + + + /* Elif, else and endif just set a flag if expected. */ + + case elif_command: + case else_command: + case endif_command: + if (seen_force || noerror_force) + { + *error_pointer = string_sprintf("\"seen\", \"unseen\", or \"noerror\" " + "near line %d is not followed by a command", line_number); + yield = FALSE; + } + + if (expect_endif > 0) + had_else_endif = (command == elif_command)? had_elif : + (command == else_command)? had_else : had_endif; + else + { + *error_pointer = string_sprintf("unexpected \"%s\" command near " + "line %d of filter file", buffer, line_number); + yield = FALSE; + } + break; + + + /* Defer, freeze, and fail are available only if permitted. */ + + case defer_command: + cmd_bit = RDO_DEFER; + goto DEFER_FREEZE_FAIL; + + case fail_command: + cmd_bit = RDO_FAIL; + goto DEFER_FREEZE_FAIL; + + case freeze_command: + cmd_bit = RDO_FREEZE; + + DEFER_FREEZE_FAIL: + if ((filter_options & cmd_bit) == 0) + { + *error_pointer = string_sprintf("filtering command \"%s\" is disabled: " + "near line %d of filter file", buffer, line_number); + yield = FALSE; + break; + } + + /* A text message can be provided after the "text" keyword, or + as a string in quotes. */ + + saveptr = ptr; + ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE); + if (*saveptr != '\"' && (!*buffer || Ustrcmp(buffer, "text") != 0)) + { + ptr = saveptr; + fmsg = US""; + } + else + { + if (*saveptr != '\"') + ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE); + fmsg = string_copy(buffer); + } + + /* Drop through and treat as "finish", but never set "seen". */ + + seen_value = FALSE; + + /* Finish has no arguments; fmsg defaults to NULL */ + + case finish_command: + new = store_get(sizeof(filter_cmd), GET_UNTAINTED); + new->next = NULL; + **lastcmdptr = new; + *lastcmdptr = &(new->next); + new->command = command; + new->seen = seen_force ? seen_value : FALSE; + new->args[0].u = fmsg; + break; + + + /* Seen, unseen, and noerror are not allowed before if, which takes a + condition argument and then and else sub-commands. */ + + case if_command: + if (seen_force || noerror_force) + { + *error_pointer = string_sprintf("\"seen\", \"unseen\", or \"noerror\" " + "found before an \"if\" command near line %d", + line_number); + yield = FALSE; + } + + /* Set up the command block for if */ + + new = store_get(sizeof(filter_cmd) + 4 * sizeof(union argtypes), GET_UNTAINTED); + new->next = NULL; + **lastcmdptr = new; + *lastcmdptr = &new->next; + new->command = command; + new->seen = FALSE; + new->args[0].u = NULL; + new->args[1].u = new->args[2].u = NULL; + new->args[3].u = ptr; + + /* Read the condition */ + + ptr = read_condition(ptr, &new->args[0].c, TRUE); + if (*error_pointer) { yield = FALSE; break; } + + /* Read the commands to be obeyed if the condition is true */ + + newlastcmdptr = &(new->args[1].f); + if (!read_command_list(&ptr, &newlastcmdptr, TRUE)) yield = FALSE; + + /* If commands were successfully read, handle the various possible + terminators. There may be a number of successive "elif" sections. */ + + else + { + while (had_else_endif == had_elif) + { + filter_cmd *newnew = + store_get(sizeof(filter_cmd) + 4 * sizeof(union argtypes), GET_UNTAINTED); + new->args[2].f = newnew; + new = newnew; + new->next = NULL; + new->command = command; + new->seen = FALSE; + new->args[0].u = NULL; + new->args[1].u = new->args[2].u = NULL; + new->args[3].u = ptr; + + ptr = read_condition(ptr, &new->args[0].c, TRUE); + if (*error_pointer) { yield = FALSE; break; } + newlastcmdptr = &(new->args[1].f); + if (!read_command_list(&ptr, &newlastcmdptr, TRUE)) + yield = FALSE; + } + + if (yield == FALSE) break; + + /* Handle termination by "else", possibly following one or more + "elsif" sections. */ + + if (had_else_endif == had_else) + { + newlastcmdptr = &(new->args[2].f); + if (!read_command_list(&ptr, &newlastcmdptr, TRUE)) + yield = FALSE; + else if (had_else_endif != had_endif) + { + *error_pointer = string_sprintf("\"endif\" missing near line %d of " + "filter file", line_number); + yield = FALSE; + } + } + + /* Otherwise the terminator was "endif" - this is checked by + read_command_list(). The pointer is already set to NULL. */ + } + + /* Reset the terminator flag. */ + + had_else_endif = had_neither; + break; + + + /* The mail & vacation commands have a whole slew of keyworded arguments. + The final argument values are the file expand and return message booleans, + whose offsets are defined in mailarg_index_{expand,return}. Although they + are logically booleans, because they are stored in a uschar * value, we use + NULL and not FALSE, to keep 64-bit compilers happy. */ + + case mail_command: + case vacation_command: + new = store_get(sizeof(filter_cmd) + mailargs_total * sizeof(union argtypes), GET_UNTAINTED); + new->next = NULL; + new->command = command; + new->seen = seen_force ? seen_value : FALSE; + new->noerror = noerror_force; + for (i = 0; i < mailargs_total; i++) new->args[i].u = NULL; + + /* Read keyword/value pairs until we hit one that isn't. The data + must contain only printing chars plus tab, though the "text" value + can also contain newlines. The "file" keyword can be preceded by the + word "expand", and "return message" has no data. */ + + for (;;) + { + const uschar *saveptr = ptr; + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + if (*error_pointer) + { yield = FALSE; break; } + + /* Ensure "return" is followed by "message"; that's a complete option */ + + if (Ustrcmp(buffer, "return") == 0) + { + new->args[mailarg_index_return].u = US""; /* not NULL => TRUE */ + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + if (Ustrcmp(buffer, "message") != 0) + { + *error_pointer = string_sprintf("\"return\" not followed by \"message\" " + " near line %d of filter file", line_number); + yield = FALSE; + break; + } + continue; + } + + /* Ensure "expand" is followed by "file", then fall through to process the + file keyword. */ + + if (Ustrcmp(buffer, "expand") == 0) + { + new->args[mailarg_index_expand].u = US""; /* not NULL => TRUE */ + ptr = nextword(ptr, buffer, sizeof(buffer), FALSE); + if (Ustrcmp(buffer, "file") != 0) + { + *error_pointer = string_sprintf("\"expand\" not followed by \"file\" " + " near line %d of filter file", line_number); + yield = FALSE; + break; + } + } + + /* Scan for the keyword */ + + for (i = 0; i < MAILARGS_STRING_COUNT; i++) + if (Ustrcmp(buffer, mailargs[i]) == 0) break; + + /* Not found keyword; assume end of this command */ + + if (i >= MAILARGS_STRING_COUNT) + { + ptr = saveptr; + break; + } + + /* Found keyword, read the data item */ + + ptr = nextitem(ptr, buffer, sizeof(buffer), FALSE); + if (*error_pointer) + { yield = FALSE; break; } + else new->args[i].u = string_copy(buffer); + } + + /* If this is the vacation command, apply some default settings to + some of the arguments. */ + + if (command == vacation_command) + { + if (!new->args[mailarg_index_file].u) + { + new->args[mailarg_index_file].u = string_copy(US".vacation.msg"); + new->args[mailarg_index_expand].u = US""; /* not NULL => TRUE */ + } + if (!new->args[mailarg_index_log].u) + new->args[mailarg_index_log].u = string_copy(US".vacation.log"); + if (!new->args[mailarg_index_once].u) + new->args[mailarg_index_once].u = string_copy(US".vacation"); + if (!new->args[mailarg_index_once_repeat].u) + new->args[mailarg_index_once_repeat].u = string_copy(US"7d"); + if (!new->args[mailarg_index_subject].u) + new->args[mailarg_index_subject].u = string_copy(US"On vacation"); + } + + /* Join the address on to the chain of generated addresses */ + + **lastcmdptr = new; + *lastcmdptr = &(new->next); + break; + + + /* Seen and unseen just set flags */ + + case seen_command: + case unseen_command: + if (!*ptr) + { + *error_pointer = string_sprintf("\"seen\" or \"unseen\" " + "near line %d is not followed by a command", line_number); + yield = FALSE; + } + if (seen_force) + { + *error_pointer = string_sprintf("\"seen\" or \"unseen\" repeated " + "near line %d", line_number); + yield = FALSE; + } + seen_value = (command == seen_command); + seen_force = TRUE; + was_seen_or_unseen = TRUE; + break; + + + /* So does noerror */ + + case noerror_command: + if (!*ptr) + { + *error_pointer = string_sprintf("\"noerror\" " + "near line %d is not followed by a command", line_number); + yield = FALSE; + } + noerror_force = TRUE; + was_noerror = TRUE; + break; + + + /* Oops */ + + default: + *error_pointer = string_sprintf("unknown filtering command \"%s\" " + "near line %d of filter file", buffer, line_number); + yield = FALSE; + break; + } + +if (!was_seen_or_unseen && !was_noerror) + { + seen_force = FALSE; + noerror_force = FALSE; + } + +*pptr = ptr; +return yield; +} + + + +/************************************************* +* Read a list of commands * +*************************************************/ + +/* If conditional is TRUE, the list must be terminated +by the words "else" or "endif". + +Arguments: + pptr points to pointer to next character; the pointer is updated + lastcmdptr points to pointer to pointer to previously-read command; used + for hanging on the new command + conditional TRUE if this command is the subject of a condition + +Returns: TRUE on success +*/ + +static BOOL +read_command_list(const uschar **pptr, filter_cmd ***lastcmdptr, BOOL conditional) +{ +if (conditional) expect_endif++; +had_else_endif = had_neither; +while (**pptr && had_else_endif == had_neither) + { + if (!read_command(pptr, lastcmdptr)) return FALSE; + *pptr = nextsigchar(*pptr, TRUE); + } +if (conditional) + { + expect_endif--; + if (had_else_endif == had_neither) + { + *error_pointer = US"\"endif\" missing at end of filter file"; + return FALSE; + } + } +return TRUE; +} + + + + +/************************************************* +* Test a condition * +*************************************************/ + +/* +Arguments: + c points to the condition block; c->testfor indicated whether + it's a positive or negative condition + toplevel TRUE if called from "if" directly; FALSE otherwise + +Returns: TRUE if the condition is met +*/ + +static BOOL +test_condition(condition_block *c, BOOL toplevel) +{ +BOOL yield = FALSE; +const uschar *exp[2], * p, * pp; +int val[2]; +int i; + +if (c == NULL) return TRUE; /* does this ever occur? */ + +switch (c->type) + { + case cond_and: + yield = test_condition(c->left.c, FALSE) && + *error_pointer == NULL && + test_condition(c->right.c, FALSE); + break; + + case cond_or: + yield = test_condition(c->left.c, FALSE) || + (*error_pointer == NULL && + test_condition(c->right.c, FALSE)); + break; + + /* The personal test is meaningless in a system filter. The tests are now in + a separate function (so Sieve can use them). However, an Exim filter does not + scan Cc: (hence the FALSE argument). */ + + case cond_personal: + yield = f.system_filtering? FALSE : filter_personal(c->left.a, FALSE); + break; + + case cond_delivered: + yield = filter_delivered; + break; + + /* Only TRUE if a message is actually being processed; FALSE for address + testing and verification. */ + + case cond_errormsg: + yield = message_id[0] != 0 && + (sender_address == NULL || sender_address[0] == 0); + break; + + /* Only FALSE if a message is actually being processed; TRUE for address + and filter testing and verification. */ + + case cond_firsttime: + yield = filter_test != FTEST_NONE || message_id[0] == 0 || f.deliver_firsttime; + break; + + /* Only TRUE if a message is actually being processed; FALSE for address + testing and verification. */ + + case cond_manualthaw: + yield = message_id[0] != 0 && f.deliver_manual_thaw; + break; + + /* The foranyaddress condition loops through a list of addresses */ + + case cond_foranyaddress: + p = c->left.u; + if (!(pp = expand_cstring(p))) + { + *error_pointer = string_sprintf("failed to expand \"%s\" in " + "filter file: %s", p, expand_string_message); + return FALSE; + } + + yield = FALSE; + f.parse_allow_group = TRUE; /* Allow group syntax */ + + while (*pp) + { + uschar *error; + int start, end, domain; + uschar * s; + + p = parse_find_address_end(pp, FALSE); + s = string_copyn(pp, p - pp); + + filter_thisaddress = + parse_extract_address(s, &error, &start, &end, &domain, FALSE); + + if (filter_thisaddress) + { + if ((filter_test != FTEST_NONE && debug_selector != 0) || + (debug_selector & D_filter) != 0) + { + indent(); + debug_printf_indent("Extracted address %s\n", filter_thisaddress); + } + yield = test_condition(c->right.c, FALSE); + } + + if (yield) break; + if (!*p) break; + pp = p + 1; + } + + f.parse_allow_group = FALSE; /* Reset group syntax flags */ + f.parse_found_group = FALSE; + break; + + /* All other conditions have left and right values that need expanding; + on error, it doesn't matter what value is returned. */ + + default: + p = c->left.u; + for (i = 0; i < 2; i++) + { + if (!(exp[i] = expand_cstring(p))) + { + *error_pointer = string_sprintf("failed to expand \"%s\" in " + "filter file: %s", p, expand_string_message); + return FALSE; + } + p = c->right.u; + } + + /* Inner switch for the different cases */ + + switch(c->type) + { + case cond_is: + yield = strcmpic(exp[0], exp[1]) == 0; + break; + + case cond_IS: + yield = Ustrcmp(exp[0], exp[1]) == 0; + break; + + case cond_contains: + yield = strstric_c(exp[0], exp[1], FALSE) != NULL; + break; + + case cond_CONTAINS: + yield = Ustrstr(exp[0], exp[1]) != NULL; + break; + + case cond_begins: + yield = strncmpic(exp[0], exp[1], Ustrlen(exp[1])) == 0; + break; + + case cond_BEGINS: + yield = Ustrncmp(exp[0], exp[1], Ustrlen(exp[1])) == 0; + break; + + case cond_ends: + case cond_ENDS: + { + int len = Ustrlen(exp[1]); + const uschar *s = exp[0] + Ustrlen(exp[0]) - len; + yield = s < exp[0] + ? FALSE + : (c->type == cond_ends ? strcmpic(s, exp[1]) : Ustrcmp(s, exp[1])) == 0; + } + break; + + case cond_matches: + case cond_MATCHES: + { + const pcre2_code *re; + int err; + PCRE2_SIZE offset; + + if ((filter_test != FTEST_NONE && debug_selector != 0) || + (debug_selector & D_filter) != 0) + { + debug_printf_indent("Match expanded arguments:\n"); + debug_printf_indent(" Subject = %s\n", exp[0]); + debug_printf_indent(" Pattern = %s\n", exp[1]); + } + + if (!(re = pcre2_compile((PCRE2_SPTR)exp[1], PCRE2_ZERO_TERMINATED, + PCRE_COPT | (c->type == cond_matches ? PCRE2_CASELESS : 0), + &err, &offset, pcre_cmp_ctx))) + { + uschar errbuf[128]; + pcre2_get_error_message(err, errbuf, sizeof(errbuf)); + *error_pointer = string_sprintf("error while compiling " + "regular expression \"%s\": %s at offset %ld", + exp[1], errbuf, (long)offset); + return FALSE; + } + + yield = regex_match_and_setup(re, exp[0], PCRE_EOPT, -1); + break; + } + + /* For above and below, convert the strings to numbers */ + + case cond_above: + case cond_below: + for (i = 0; i < 2; i++) + { + val[i] = get_number(exp[i], &yield); + if (!yield) + { + *error_pointer = string_sprintf("malformed numerical string \"%s\"", + exp[i]); + return FALSE; + } + } + yield = (c->type == cond_above)? (val[0] > val[1]) : (val[0] < val[1]); + break; + } + break; + } + +if ((filter_test != FTEST_NONE && debug_selector != 0) || + (debug_selector & D_filter) != 0) + { + indent(); + debug_printf_indent("%sondition is %s: ", + toplevel? "C" : "Sub-c", + (yield == c->testfor)? "true" : "false"); + print_condition(c, TRUE); + debug_printf_indent("\n"); + } + +return yield == c->testfor; +} + + + +/************************************************* +* Interpret chain of commands * +*************************************************/ + +/* In testing state, just say what would be done rather than doing it. The +testprint command just expands and outputs its argument in testing state, and +does nothing otherwise. + +Arguments: + commands points to chain of commands to interpret + generated where to hang newly-generated addresses + +Returns: FF_DELIVERED success, a significant action was taken + FF_NOTDELIVERED success, no significant action + FF_DEFER defer requested + FF_FAIL fail requested + FF_FREEZE freeze requested + FF_ERROR there was a problem +*/ + +static int +interpret_commands(filter_cmd *commands, address_item **generated) +{ +const uschar *s; +int mode; +address_item *addr; +BOOL condition_value; + +while (commands) + { + int ff_ret; + uschar *fmsg, *ff_name; + const uschar *expargs[MAILARGS_STRING_COUNT]; + + int i, n[2]; + + /* Expand the relevant number of arguments for the command that are + not NULL. */ + + for (i = 0; i < (command_exparg_count[commands->command] & 15); i++) + { + const uschar *ss = commands->args[i].u; + if (!ss) + expargs[i] = NULL; + else if (!(expargs[i] = expand_cstring(ss))) + { + *error_pointer = string_sprintf("failed to expand \"%s\" in " + "%s command: %s", ss, command_list[commands->command], + expand_string_message); + return FF_ERROR; + } + } + + /* Now switch for each command, setting the "delivered" flag if any of them + have "seen" set. */ + + if (commands->seen) filter_delivered = TRUE; + + switch(commands->command) + { + case add_command: + for (i = 0; i < 2; i++) + { + const uschar *ss = expargs[i]; + uschar *end; + + if (i == 1 && (*ss++ != 'n' || ss[1] != 0)) + { + *error_pointer = string_sprintf("unknown variable \"%s\" in \"add\" " + "command", expargs[i]); + return FF_ERROR; + } + + /* Allow for "--" at the start of the value (from -$n0) for example */ + if (i == 0) while (ss[0] == '-' && ss[1] == '-') ss += 2; + + n[i] = (int)Ustrtol(ss, &end, 0); + if (*end != 0) + { + *error_pointer = string_sprintf("malformed number \"%s\" in \"add\" " + "command", ss); + return FF_ERROR; + } + } + + filter_n[n[1]] += n[0]; + if (filter_test != FTEST_NONE) printf("Add %d to n%d\n", n[0], n[1]); + break; + + /* A deliver command's argument must be a valid address. Its optional + second argument (system filter only) must also be a valid address. */ + + case deliver_command: + for (i = 0; i < 2; i++) + { + s = expargs[i]; + if (s != NULL) + { + int start, end, domain; + uschar *error; + uschar *ss = parse_extract_address(s, &error, &start, &end, &domain, + FALSE); + if (ss) + expargs[i] = filter_options & RDO_REWRITE + ? rewrite_address(ss, TRUE, FALSE, global_rewrite_rules, + rewrite_existflags) + : rewrite_address_qualify(ss, TRUE); + else + { + *error_pointer = string_sprintf("malformed address \"%s\" in " + "filter file: %s", s, error); + return FF_ERROR; + } + } + } + + /* Stick the errors address into a simple variable, as it will + be referenced a few times. Check that the caller is permitted to + specify it. */ + + s = expargs[1]; + + if (s != NULL && !f.system_filtering) + { + uschar *ownaddress = expand_string(US"$local_part@$domain"); + if (strcmpic(ownaddress, s) != 0) + { + *error_pointer = US"errors_to must point to the caller's address"; + return FF_ERROR; + } + } + + /* Test case: report what would happen */ + + if (filter_test != FTEST_NONE) + { + indent(); + printf("%seliver message to: %s%s%s%s\n", + (commands->seen)? "D" : "Unseen d", + expargs[0], + commands->noerror? " (noerror)" : "", + (s != NULL)? " errors_to " : "", + (s != NULL)? s : US""); + } + + /* Real case. */ + + else + { + DEBUG(D_filter) debug_printf_indent("Filter: %sdeliver message to: %s%s%s%s\n", + (commands->seen)? "" : "unseen ", + expargs[0], + commands->noerror? " (noerror)" : "", + (s != NULL)? " errors_to " : "", + (s != NULL)? s : US""); + + /* Create the new address and add it to the chain, setting the + af_ignore_error flag if necessary, and the errors address, which can be + set in a system filter and to the local address in user filters. */ + + addr = deliver_make_addr(US expargs[0], TRUE); /* TRUE => copy s, so deconst ok */ + addr->prop.errors_address = !s ? NULL : string_copy(s); /* Default is NULL */ + if (commands->noerror) addr->prop.ignore_error = TRUE; + addr->next = *generated; + *generated = addr; + } + break; + + case save_command: + s = expargs[0]; + mode = commands->args[1].i; + + /* Test case: report what would happen */ + + if (filter_test != FTEST_NONE) + { + indent(); + if (mode < 0) + printf("%save message to: %s%s\n", (commands->seen)? + "S" : "Unseen s", s, commands->noerror? " (noerror)" : ""); + else + printf("%save message to: %s %04o%s\n", (commands->seen)? + "S" : "Unseen s", s, mode, commands->noerror? " (noerror)" : ""); + } + + /* Real case: Ensure save argument starts with / if there is a home + directory to prepend. */ + + else + { + if (s[0] != '/' && (filter_options & RDO_PREPEND_HOME) != 0 && + deliver_home != NULL && deliver_home[0] != 0) + s = string_sprintf("%s/%s", deliver_home, s); + DEBUG(D_filter) debug_printf_indent("Filter: %ssave message to: %s%s\n", + (commands->seen)? "" : "unseen ", s, + commands->noerror? " (noerror)" : ""); + + /* Create the new address and add it to the chain, setting the + af_pfr and af_file flags, the af_ignore_error flag if necessary, and the + mode value. */ + + addr = deliver_make_addr(US s, TRUE); /* TRUE => copy s, so deconst ok */ + setflag(addr, af_pfr); + setflag(addr, af_file); + if (commands->noerror) addr->prop.ignore_error = TRUE; + addr->mode = mode; + addr->next = *generated; + *generated = addr; + } + break; + + case pipe_command: + s = string_copy(commands->args[0].u); + if (filter_test != FTEST_NONE) + { + indent(); + printf("%sipe message to: %s%s\n", (commands->seen)? + "P" : "Unseen p", s, commands->noerror? " (noerror)" : ""); + } + else /* Ensure pipe command starts with | */ + { + DEBUG(D_filter) debug_printf_indent("Filter: %spipe message to: %s%s\n", + commands->seen ? "" : "unseen ", s, + commands->noerror ? " (noerror)" : ""); + if (s[0] != '|') s = string_sprintf("|%s", s); + + /* Create the new address and add it to the chain, setting the + af_ignore_error flag if necessary. Set the af_expand_pipe flag so that + each command argument is expanded in the transport after the command + has been split up into separate arguments. */ + + addr = deliver_make_addr(US s, TRUE); /* TRUE => copy s, so deconst ok */ + setflag(addr, af_pfr); + setflag(addr, af_expand_pipe); + if (commands->noerror) addr->prop.ignore_error = TRUE; + addr->next = *generated; + *generated = addr; + + /* If there are any numeric variables in existence (e.g. after a regex + condition), or if $thisaddress is set, take a copy for use in the + expansion. Note that we can't pass NULL for filter_thisaddress, because + NULL terminates the list. */ + + if (expand_nmax >= 0 || filter_thisaddress != NULL) + { + int ecount = expand_nmax >= 0 ? expand_nmax : -1; + uschar ** ss = store_get(sizeof(uschar *) * (ecount + 3), GET_UNTAINTED); + + addr->pipe_expandn = ss; + if (!filter_thisaddress) filter_thisaddress = US""; + *ss++ = string_copy(filter_thisaddress); + for (int i = 0; i <= expand_nmax; i++) + *ss++ = string_copyn(expand_nstring[i], expand_nlength[i]); + *ss = NULL; + } + } + break; + + /* Set up the file name and mode, and close any previously open + file. */ + + case logfile_command: + log_mode = commands->args[1].i; + if (log_mode == -1) log_mode = 0600; + if (log_fd >= 0) + { + (void)close(log_fd); + log_fd = -1; + } + log_filename = expargs[0]; + if (filter_test != FTEST_NONE) + { + indent(); + printf("%sogfile %s\n", (commands->seen)? "Seen l" : "L", log_filename); + } + break; + + case logwrite_command: + s = expargs[0]; + + if (filter_test != FTEST_NONE) + { + indent(); + printf("%sogwrite \"%s\"\n", (commands->seen)? "Seen l" : "L", + string_printing(s)); + } + + /* Attempt to write to a log file only if configured as permissible. + Logging may be forcibly skipped for verifying or testing. */ + + else if ((filter_options & RDO_LOG) != 0) /* Locked out */ + { + DEBUG(D_filter) + debug_printf_indent("filter log command aborted: euid=%ld\n", + (long int)geteuid()); + *error_pointer = US"logwrite command forbidden"; + return FF_ERROR; + } + else if ((filter_options & RDO_REALLOG) != 0) + { + int len; + DEBUG(D_filter) debug_printf_indent("writing filter log as euid %ld\n", + (long int)geteuid()); + if (log_fd < 0) + { + if (!log_filename) + { + *error_pointer = US"attempt to obey \"logwrite\" command " + "without a previous \"logfile\""; + return FF_ERROR; + } + log_fd = Uopen(log_filename, O_CREAT|O_APPEND|O_WRONLY, log_mode); + if (log_fd < 0) + { + *error_pointer = string_open_failed("filter log file \"%s\"", + log_filename); + return FF_ERROR; + } + } + len = Ustrlen(s); + if (write(log_fd, s, len) != len) + { + *error_pointer = string_sprintf("write error on file \"%s\": %s", + log_filename, strerror(errno)); + return FF_ERROR; + } + } + else + DEBUG(D_filter) + debug_printf_indent("skipping logwrite (verifying or testing)\n"); + break; + + /* Header addition and removal is available only in the system filter. The + command is rejected at parse time otherwise. However "headers charset" is + always permitted. */ + + case headers_command: + { + int subtype = commands->args[1].i; + s = expargs[0]; + + if (filter_test != FTEST_NONE) + printf("Headers %s \"%s\"\n", + subtype == TRUE ? "add" + : subtype == FALSE ? "remove" + : "charset", + string_printing(s)); + + if (subtype == TRUE) + { + while (isspace(*s)) s++; + if (*s) + { + header_add(htype_other, "%s%s", s, + s[Ustrlen(s)-1] == '\n' ? "" : "\n"); + header_last->type = header_checkname(header_last, FALSE); + if (header_last->type >= 'a') header_last->type = htype_other; + } + } + + else if (subtype == FALSE) + { + int sep = 0; + const uschar * list = s; + + for (uschar * ss; ss = string_nextinlist(&list, &sep, NULL, 0); ) + header_remove(0, ss); + } + + /* This setting lasts only while the filter is running; on exit, the + variable is reset to the previous value. */ + + else headers_charset = s; + } + break; + + /* Defer, freeze, and fail are available only when explicitly permitted. + These commands are rejected at parse time otherwise. The message can get + very long by the inclusion of message headers; truncate if it is, and also + ensure printing characters so as not to mess up log files. */ + + case defer_command: + ff_name = US"defer"; + ff_ret = FF_DEFER; + goto DEFERFREEZEFAIL; + + case fail_command: + ff_name = US"fail"; + ff_ret = FF_FAIL; + goto DEFERFREEZEFAIL; + + case freeze_command: + ff_name = US"freeze"; + ff_ret = FF_FREEZE; + + DEFERFREEZEFAIL: + *error_pointer = fmsg = US string_printing(Ustrlen(expargs[0]) > 1024 + ? string_sprintf("%.1000s ... (truncated)", expargs[0]) + : string_copy(expargs[0])); + for(uschar * s = fmsg; *s; s++) + if (!s[1] && *s == '\n') { *s = '\0'; break; } /* drop trailing newline */ + + if (filter_test != FTEST_NONE) + { + indent(); + printf("%c%s text \"%s\"\n", toupper(ff_name[0]), ff_name+1, fmsg); + } + else + DEBUG(D_filter) debug_printf_indent("Filter: %s \"%s\"\n", ff_name, fmsg); + return ff_ret; + + case finish_command: + if (filter_test != FTEST_NONE) + { + indent(); + printf("%sinish\n", (commands->seen)? "Seen f" : "F"); + } + else + DEBUG(D_filter) debug_printf_indent("Filter: %sfinish\n", + commands->seen ? " Seen " : ""); + finish_obeyed = TRUE; + return filter_delivered ? FF_DELIVERED : FF_NOTDELIVERED; + + case if_command: + { + uschar *save_address = filter_thisaddress; + int ok = FF_DELIVERED; + condition_value = test_condition(commands->args[0].c, TRUE); + if (*error_pointer) + ok = FF_ERROR; + else + { + output_indent += 2; + ok = interpret_commands(commands->args[condition_value? 1:2].f, + generated); + output_indent -= 2; + } + filter_thisaddress = save_address; + if (finish_obeyed || ok != FF_DELIVERED && ok != FF_NOTDELIVERED) + return ok; + } + break; + + + /* To try to catch runaway loops, do not generate mail if the + return path is unset or if a non-trusted user supplied -f <> + as the return path. */ + + case mail_command: + case vacation_command: + if (!return_path || !*return_path) + { + if (filter_test != FTEST_NONE) + printf("%s command ignored because return_path is empty\n", + command_list[commands->command]); + else DEBUG(D_filter) debug_printf_indent("%s command ignored because return_path " + "is empty\n", command_list[commands->command]); + break; + } + + /* Check the contents of the strings. The type of string can be deduced + from the value of i. + + . If i is equal to mailarg_index_text it's a text string for the body, + where anything goes. + + . If i is > mailarg_index_text, we are dealing with a file name, which + cannot contain non-printing characters. + + . If i is less than mailarg_index_headers we are dealing with something + that will go in a single message header line, where newlines must be + followed by white space. + + . If i is equal to mailarg_index_headers, we have a string that contains + one or more headers. Newlines that are not followed by white space must + be followed by a header name. + */ + + for (i = 0; i < MAILARGS_STRING_COUNT; i++) + { + const uschar *s = expargs[i]; + + if (!s) continue; + + if (i != mailarg_index_text) for (const uschar * p = s; *p; p++) + { + int c = *p; + if (i > mailarg_index_text) + { + if (!mac_isprint(c)) + { + *error_pointer = string_sprintf("non-printing character in \"%s\" " + "in %s command", string_printing(s), + command_list[commands->command]); + return FF_ERROR; + } + } + + /* i < mailarg_index_text */ + + else if (c == '\n' && !isspace(p[1])) + { + if (i < mailarg_index_headers) + { + *error_pointer = string_sprintf("\\n not followed by space in " + "\"%.1024s\" in %s command", string_printing(s), + command_list[commands->command]); + return FF_ERROR; + } + + /* Check for the start of a new header line within the string */ + + else + { + const uschar *pp; + for (pp = p + 1;; pp++) + { + c = *pp; + if (c == ':' && pp != p + 1) break; + if (!c || c == ':' || isspace(c)) + { + *error_pointer = string_sprintf("\\n not followed by space or " + "valid header name in \"%.1024s\" in %s command", + string_printing(s), command_list[commands->command]); + return FF_ERROR; + } + } + p = pp; + } + } + } /* Loop to scan the string */ + + /* The string is OK */ + + commands->args[i].u = s; + } + + /* Proceed with mail or vacation command */ + + if (filter_test != FTEST_NONE) + { + const uschar *to = commands->args[mailarg_index_to].u; + indent(); + printf("%sail to: %s%s%s\n", (commands->seen)? "Seen m" : "M", + to ? to : US"<default>", + commands->command == vacation_command ? " (vacation)" : "", + commands->noerror ? " (noerror)" : ""); + for (i = 1; i < MAILARGS_STRING_COUNT; i++) + { + const uschar *arg = commands->args[i].u; + if (arg) + { + int len = Ustrlen(mailargs[i]); + int indent = (debug_selector != 0)? output_indent : 0; + while (len++ < 7 + indent) printf(" "); + printf("%s: %s%s\n", mailargs[i], string_printing(arg), + (commands->args[mailarg_index_expand].u != NULL && + Ustrcmp(mailargs[i], "file") == 0)? " (expanded)" : ""); + } + } + if (commands->args[mailarg_index_return].u) + printf("Return original message\n"); + } + else + { + const uschar *tt; + const uschar *to = commands->args[mailarg_index_to].u; + gstring * log_addr = NULL; + + if (!to) to = expand_string(US"$reply_address"); + while (isspace(*to)) to++; + + for (tt = to; *tt; tt++) /* Get rid of newlines */ + if (*tt == '\n') + { + uschar * s = string_copy(to); + for (uschar * ss = s; *ss; ss++) + if (*ss == '\n') *ss = ' '; + to = s; + break; + } + + DEBUG(D_filter) + { + debug_printf_indent("Filter: %smail to: %s%s%s\n", + commands->seen ? "seen " : "", + to, + commands->command == vacation_command ? " (vacation)" : "", + commands->noerror ? " (noerror)" : ""); + for (i = 1; i < MAILARGS_STRING_COUNT; i++) + { + const uschar *arg = commands->args[i].u; + if (arg) + { + int len = Ustrlen(mailargs[i]); + while (len++ < 15) debug_printf_indent(" "); + debug_printf_indent("%s: %s%s\n", mailargs[i], string_printing(arg), + (commands->args[mailarg_index_expand].u != NULL && + Ustrcmp(mailargs[i], "file") == 0)? " (expanded)" : ""); + } + } + } + + /* Create the "address" for the autoreply. This is used only for logging, + as the actual recipients are extracted from the To: line by -t. We use the + same logic here to extract the working addresses (there may be more than + one). Just in case there are a vast number of addresses, stop when the + string gets too long. */ + + tt = to; + while (*tt) + { + uschar *ss = parse_find_address_end(tt, FALSE); + uschar *recipient, *errmess; + int start, end, domain; + int temp = *ss; + + *ss = 0; + recipient = parse_extract_address(tt, &errmess, &start, &end, &domain, + FALSE); + *ss = temp; + + /* Ignore empty addresses and errors; an error will occur later if + there's something really bad. */ + + if (recipient) + { + log_addr = string_catn(log_addr, log_addr ? US"," : US">", 1); + log_addr = string_cat (log_addr, recipient); + } + + /* Check size */ + + if (log_addr && log_addr->ptr > 256) + { + log_addr = string_catn(log_addr, US", ...", 5); + break; + } + + /* Move on past this address */ + + tt = ss + (*ss ? 1 : 0); + while (isspace(*tt)) tt++; + } + + if (log_addr) + addr = deliver_make_addr(string_from_gstring(log_addr), FALSE); + else + { + addr = deliver_make_addr(US ">**bad-reply**", FALSE); + setflag(addr, af_bad_reply); + } + + setflag(addr, af_pfr); + if (commands->noerror) addr->prop.ignore_error = TRUE; + addr->next = *generated; + *generated = addr; + + addr->reply = store_get(sizeof(reply_item), GET_UNTAINTED); + addr->reply->from = NULL; + addr->reply->to = string_copy(to); + addr->reply->file_expand = + commands->args[mailarg_index_expand].u != NULL; + addr->reply->expand_forbid = expand_forbid; + addr->reply->return_message = + commands->args[mailarg_index_return].u != NULL; + addr->reply->once_repeat = 0; + + if (commands->args[mailarg_index_once_repeat].u != NULL) + { + addr->reply->once_repeat = + readconf_readtime(commands->args[mailarg_index_once_repeat].u, 0, + FALSE); + if (addr->reply->once_repeat < 0) + { + *error_pointer = string_sprintf("Bad time value for \"once_repeat\" " + "in mail or vacation command: %s", + commands->args[mailarg_index_once_repeat].u); + return FF_ERROR; + } + } + + /* Set up all the remaining string arguments (those other than "to") */ + + for (i = 1; i < mailargs_string_passed; i++) + { + const uschar *ss = commands->args[i].u; + *(USS((US addr->reply) + reply_offsets[i])) = + ss ? string_copy(ss) : NULL; + } + } + break; + + case testprint_command: + if (filter_test != FTEST_NONE || (debug_selector & D_filter) != 0) + { + const uschar *s = string_printing(expargs[0]); + if (filter_test == FTEST_NONE) + debug_printf_indent("Filter: testprint: %s\n", s); + else + printf("Testprint: %s\n", s); + } + } + + commands = commands->next; + } + +return filter_delivered? FF_DELIVERED : FF_NOTDELIVERED; +} + + + +/************************************************* +* Test for a personal message * +*************************************************/ + +/* This function is global so that it can also be called from the code that +implements Sieve filters. + +Arguments: + aliases a chain of aliases + scan_cc TRUE if Cc: and Bcc: are to be scanned (Exim filters do not) + +Returns: TRUE if the message is deemed to be personal +*/ + +BOOL +filter_personal(string_item *aliases, BOOL scan_cc) +{ +const uschar *self, *self_from, *self_to; +uschar *psself = NULL; +const uschar *psself_from = NULL, *psself_to = NULL; +rmark reset_point = store_mark(); +BOOL yield; +header_line *h; +int to_count = 2; +int from_count = 9; + +/* If any header line in the message is a defined "List-" header field, it is +not a personal message. We used to check for any header line that started with +"List-", but this was tightened up for release 4.54. The check is now for +"List-Id", defined in RFC 2929, or "List-Help", "List-Subscribe", "List- +Unsubscribe", "List-Post", "List-Owner" or "List-Archive", all of which are +defined in RFC 2369. We also scan for "Auto-Submitted"; if it is found to +contain any value other than "no", the message is not personal (RFC 3834). +Previously the test was for "auto-". */ + +for (h = header_list; h; h = h->next) + { + if (h->type == htype_old) continue; + + if (strncmpic(h->text, US"List-", 5) == 0) + { + uschar * s = h->text + 5; + if (strncmpic(s, US"Id:", 3) == 0 || + strncmpic(s, US"Help:", 5) == 0 || + strncmpic(s, US"Subscribe:", 10) == 0 || + strncmpic(s, US"Unsubscribe:", 12) == 0 || + strncmpic(s, US"Post:", 5) == 0 || + strncmpic(s, US"Owner:", 6) == 0 || + strncmpic(s, US"Archive:", 8) == 0) + return FALSE; + } + + else if (strncmpic(h->text, US"Auto-submitted:", 15) == 0) + { + uschar * s = h->text + 15; + Uskip_whitespace(&s); + if (strncmpic(s, US"no", 2) != 0) return FALSE; + s += 2; + Uskip_whitespace(&s); + if (*s) return FALSE; + } + } + +/* Set up "my" address */ + +self = string_sprintf("%s@%s", deliver_localpart, deliver_domain); +self_from = rewrite_one(self, rewrite_from, NULL, FALSE, US"", + global_rewrite_rules); +self_to = rewrite_one(self, rewrite_to, NULL, FALSE, US"", + global_rewrite_rules); + + +if (!self_from) self_from = self; +if (self_to) self_to = self; + +/* If there's a prefix or suffix set, we must include the prefixed/ +suffixed version of the local part in the tests. */ + +if (deliver_localpart_prefix || deliver_localpart_suffix) + { + psself = string_sprintf("%s%s%s@%s", + deliver_localpart_prefix ? deliver_localpart_prefix : US"", + deliver_localpart, + deliver_localpart_suffix ? deliver_localpart_suffix : US"", + deliver_domain); + psself_from = rewrite_one(psself, rewrite_from, NULL, FALSE, US"", + global_rewrite_rules); + psself_to = rewrite_one(psself, rewrite_to, NULL, FALSE, US"", + global_rewrite_rules); + if (psself_from == NULL) psself_from = psself; + if (psself_to == NULL) psself_to = psself; + to_count += 2; + from_count += 2; + } + +/* Do all the necessary tests; the counts are adjusted for {pre,suf}fix */ + +yield = + ( + header_match(US"to:", TRUE, TRUE, aliases, to_count, self, self_to, psself, + psself_to) || + (scan_cc && + ( + header_match(US"cc:", TRUE, TRUE, aliases, to_count, self, self_to, + psself, psself_to) + || + header_match(US"bcc:", TRUE, TRUE, aliases, to_count, self, self_to, + psself, psself_to) + ) + ) + ) && + + header_match(US"from:", TRUE, FALSE, aliases, from_count, "^server@", + "^daemon@", "^root@", "^listserv@", "^majordomo@", "^.*?-request@", + "^owner-[^@]+@", self, self_from, psself, psself_from) && + + header_match(US"precedence:", FALSE, FALSE, NULL, 3, "bulk","list","junk") && + + (sender_address == NULL || sender_address[0] != 0); + +store_reset(reset_point); +return yield; +} + + + +/************************************************* +* Interpret a mail filter file * +*************************************************/ + +/* +Arguments: + filter points to the entire file, read into store as a single string + options controls whether various special things are allowed, and requests + special actions + generated where to hang newly-generated addresses + error where to pass back an error text + +Returns: FF_DELIVERED success, a significant action was taken + FF_NOTDELIVERED success, no significant action + FF_DEFER defer requested + FF_FAIL fail requested + FF_FREEZE freeze requested + FF_ERROR there was a problem +*/ + +int +filter_interpret(const uschar *filter, int options, address_item **generated, + uschar **error) +{ +int i; +int yield = FF_ERROR; +const uschar *ptr = filter; +const uschar *save_headers_charset = headers_charset; +filter_cmd *commands = NULL; +filter_cmd **lastcmdptr = &commands; + +DEBUG(D_route) debug_printf("Filter: start of processing\n"); +acl_level++; + +/* Initialize "not in an if command", set the global flag that is always TRUE +while filtering, and zero the variables. */ + +expect_endif = 0; +output_indent = 0; +f.filter_running = TRUE; +for (i = 0; i < FILTER_VARIABLE_COUNT; i++) filter_n[i] = 0; + +/* To save having to pass certain values about all the time, make them static. +Also initialize the line number, for error messages, and the log file +variables. */ + +filter_options = options; +filter_delivered = FALSE; +finish_obeyed = FALSE; +error_pointer = error; +*error_pointer = NULL; +line_number = 1; +log_fd = -1; +log_mode = 0600; +log_filename = NULL; + +/* Scan filter file for syntax and build up an interpretation thereof, and +interpret the compiled commands, and if testing, say whether we ended up +delivered or not, unless something went wrong. */ + +seen_force = FALSE; +ptr = nextsigchar(ptr, TRUE); + +if (read_command_list(&ptr, &lastcmdptr, FALSE)) + yield = interpret_commands(commands, generated); + +if (filter_test != FTEST_NONE || (debug_selector & D_filter) != 0) + { + uschar *s = US""; + switch(yield) + { + case FF_DEFER: + s = US"Filtering ended by \"defer\"."; + break; + + case FF_FREEZE: + s = US"Filtering ended by \"freeze\"."; + break; + + case FF_FAIL: + s = US"Filtering ended by \"fail\"."; + break; + + case FF_DELIVERED: + s = US"Filtering set up at least one significant delivery " + "or other action.\n" + "No other deliveries will occur."; + break; + + case FF_NOTDELIVERED: + s = US"Filtering did not set up a significant delivery.\n" + "Normal delivery will occur."; + break; + + case FF_ERROR: + s = string_sprintf("Filter error: %s", *error); + break; + } + + if (filter_test != FTEST_NONE) printf("%s\n", CS s); + else debug_printf_indent("%s\n", s); + } + +/* Close the log file if it was opened, and kill off any numerical variables +before returning. Reset the header decoding charset. */ + +if (log_fd >= 0) (void)close(log_fd); +expand_nmax = -1; +f.filter_running = FALSE; +headers_charset = save_headers_charset; + +acl_level--; +DEBUG(D_route) debug_printf("Filter: end of processing\n"); +return yield; +} + + +/* End of filter.c */ |