1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8
9 /* Functions for reading spool files. When compiling for a utility (eximon),
10 not all are needed, and some functionality can be cut out. */
11
12
13 #include "exim.h"
14
15
16
17 #ifndef COMPILE_UTILITY
18 /*************************************************
19 * Open and lock data file *
20 *************************************************/
21
22 /* The data file is the one that is used for locking, because the header file
23 can get replaced during delivery because of header rewriting. The file has
24 to opened with write access so that we can get an exclusive lock, but in
25 fact it won't be written to. Just in case there's a major disaster (e.g.
26 overwriting some other file descriptor with the value of this one), open it
27 with append.
28
29 As called by deliver_message() (at least) we are operating as root.
30
31 Argument: the id of the message
32 Returns: fd if file successfully opened and locked, else -1
33
34 Side effect: message_subdir is set for the (possibly split) spool directory
35 */
36
37 int
spool_open_datafile(uschar * id)38 spool_open_datafile(uschar *id)
39 {
40 struct stat statbuf;
41 flock_t lock_data;
42 int fd;
43
44 /* If split_spool_directory is set, first look for the file in the appropriate
45 sub-directory of the input directory. If it is not found there, try the input
46 directory itself, to pick up leftovers from before the splitting. If split_
47 spool_directory is not set, first look in the main input directory. If it is
48 not found there, try the split sub-directory, in case it is left over from a
49 splitting state. */
50
51 for (int i = 0; i < 2; i++)
52 {
53 uschar * fname;
54 int save_errno;
55
56 set_subdir_str(message_subdir, id, i);
57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf_indent("Trying spool file %s\n", fname);
59
60 /* We protect against symlink attacks both in not propagating the
61 * file-descriptor to other processes as we exec, and also ensuring that we
62 * don't even open symlinks.
63 * No -D file inside the spool area should be a symlink.
64 */
65 if ((fd = Uopen(fname,
66 #ifdef O_CLOEXEC
67 O_CLOEXEC |
68 #endif
69 #ifdef O_NOFOLLOW
70 O_NOFOLLOW |
71 #endif
72 O_RDWR | O_APPEND, 0)) >= 0)
73 break;
74 save_errno = errno;
75 if (errno == ENOENT)
76 {
77 if (i == 0) continue;
78 if (!f.queue_running)
79 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
80 *queue_name ? US" Q=" : US"",
81 *queue_name ? queue_name : US"",
82 id);
83 }
84 else
85 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
86 errno = save_errno;
87 return -1;
88 }
89
90 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
91 the file. We lock only the first line of the file (containing the message ID)
92 because this apparently is needed for running Exim under Cygwin. If the entire
93 file is locked in one process, a sub-process cannot access it, even when passed
94 an open file descriptor (at least, I think that's the Cygwin story). On real
95 Unix systems it doesn't make any difference as long as Exim is consistent in
96 what it locks. */
97
98 #ifndef O_CLOEXEC
99 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
100 #endif
101
102 lock_data.l_type = F_WRLCK;
103 lock_data.l_whence = SEEK_SET;
104 lock_data.l_start = 0;
105 lock_data.l_len = SPOOL_DATA_START_OFFSET;
106
107 if (fcntl(fd, F_SETLK, &lock_data) < 0)
108 {
109 log_write(L_skip_delivery, LOG_MAIN,
110 "Spool file for %s is locked (another process is handling this message)",
111 id);
112 (void)close(fd);
113 errno = 0;
114 return -1;
115 }
116
117 /* Get the size of the data; don't include the leading filename line
118 in the count, but add one for the newline before the data. */
119
120 if (fstat(fd, &statbuf) == 0)
121 {
122 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
123 message_size = message_body_size + 1;
124 }
125
126 return fd;
127 }
128 #endif /* COMPILE_UTILITY */
129
130
131
132 /*************************************************
133 * Read non-recipients tree from spool file *
134 *************************************************/
135
136 /* The tree of non-recipients is written to the spool file in a form that
137 makes it easy to read back into a tree. The format is as follows:
138
139 . Each node is preceded by two letter(Y/N) indicating whether it has left
140 or right children. There's one space after the two flags, before the name.
141
142 . The left subtree (if any) then follows, then the right subtree (if any).
143
144 This function is entered with the next input line in the buffer. Note we must
145 save the right flag before recursing with the same buffer.
146
147 Once the tree is read, we re-construct the balance fields by scanning the tree.
148 I forgot to write them out originally, and the compatible fix is to do it this
149 way. This initial local recursing function does the necessary.
150
151 Arguments:
152 node tree node
153
154 Returns: maximum depth below the node, including the node itself
155 */
156
157 static int
count_below(tree_node * node)158 count_below(tree_node *node)
159 {
160 int nleft, nright;
161 if (node == NULL) return 0;
162 nleft = count_below(node->left);
163 nright = count_below(node->right);
164 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
165 return 1 + ((nleft > nright)? nleft : nright);
166 }
167
168 /* This is the real function...
169
170 Arguments:
171 connect pointer to the root of the tree
172 f FILE to read data from
173 buffer contains next input line; further lines read into it
174 buffer_size size of the buffer
175
176 Returns: FALSE on format error
177 */
178
179 static BOOL
read_nonrecipients_tree(tree_node ** connect,FILE * f,uschar * buffer,int buffer_size)180 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
181 int buffer_size)
182 {
183 tree_node *node;
184 int n = Ustrlen(buffer);
185 BOOL right = buffer[1] == 'Y';
186
187 if (n < 5) return FALSE; /* malformed line */
188 buffer[n-1] = 0; /* Remove \n */
189 node = store_get(sizeof(tree_node) + n - 3, TRUE); /* rcpt names tainted */
190 *connect = node;
191 Ustrcpy(node->name, buffer + 3);
192 node->data.ptr = NULL;
193
194 if (buffer[0] == 'Y')
195 {
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
198 return FALSE;
199 }
200 else node->left = NULL;
201
202 if (right)
203 {
204 if (Ufgets(buffer, buffer_size, f) == NULL ||
205 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
206 return FALSE;
207 }
208 else node->right = NULL;
209
210 (void) count_below(*connect);
211 return TRUE;
212 }
213
214
215
216
217 /* Reset all the global variables to their default values. However, there is
218 one exception. DO NOT change the default value of dont_deliver, because it may
219 be forced by an external setting. */
220
221 void
spool_clear_header_globals(void)222 spool_clear_header_globals(void)
223 {
224 acl_var_c = acl_var_m = NULL;
225 authenticated_id = NULL;
226 authenticated_sender = NULL;
227 f.allow_unqualified_recipient = FALSE;
228 f.allow_unqualified_sender = FALSE;
229 body_linecount = 0;
230 body_zerocount = 0;
231 f.deliver_firsttime = FALSE;
232 f.deliver_freeze = FALSE;
233 deliver_frozen_at = 0;
234 f.deliver_manual_thaw = FALSE;
235 /* f.dont_deliver must NOT be reset */
236 header_list = header_last = NULL;
237 host_lookup_deferred = FALSE;
238 host_lookup_failed = FALSE;
239 interface_address = NULL;
240 interface_port = 0;
241 f.local_error_message = FALSE;
242 #ifdef HAVE_LOCAL_SCAN
243 local_scan_data = NULL;
244 #endif
245 max_received_linelength = 0;
246 message_linecount = 0;
247 received_protocol = NULL;
248 received_count = 0;
249 recipients_list = NULL;
250 sender_address = NULL;
251 sender_fullhost = NULL;
252 sender_helo_name = NULL;
253 sender_host_address = NULL;
254 sender_host_name = NULL;
255 sender_host_port = 0;
256 sender_host_authenticated = sender_host_auth_pubname = NULL;
257 sender_ident = NULL;
258 f.sender_local = FALSE;
259 f.sender_set_untrusted = FALSE;
260 smtp_active_hostname = primary_hostname;
261 #ifndef COMPILE_UTILITY
262 f.spool_file_wireformat = FALSE;
263 #endif
264 tree_nonrecipients = NULL;
265
266 #ifdef EXPERIMENTAL_BRIGHTMAIL
267 bmi_run = 0;
268 bmi_verdicts = NULL;
269 #endif
270
271 #ifndef DISABLE_DKIM
272 dkim_signers = NULL;
273 f.dkim_disable_verify = FALSE;
274 dkim_collect_input = 0;
275 #endif
276
277 #ifndef DISABLE_TLS
278 tls_in.certificate_verified = FALSE;
279 # ifdef SUPPORT_DANE
280 tls_in.dane_verified = FALSE;
281 # endif
282 tls_in.ver = tls_in.cipher = NULL;
283 # ifndef COMPILE_UTILITY /* tls support fns not built in */
284 tls_free_cert(&tls_in.ourcert);
285 tls_free_cert(&tls_in.peercert);
286 # endif
287 tls_in.peerdn = NULL;
288 tls_in.sni = NULL;
289 tls_in.ocsp = OCSP_NOT_REQ;
290 #endif
291
292 #ifdef WITH_CONTENT_SCAN
293 spam_bar = NULL;
294 spam_score = NULL;
295 spam_score_int = NULL;
296 #endif
297
298 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
299 message_smtputf8 = FALSE;
300 message_utf8_downconvert = 0;
301 #endif
302
303 dsn_ret = 0;
304 dsn_envid = NULL;
305 }
306
307 static void *
fgets_big_buffer(FILE * fp)308 fgets_big_buffer(FILE *fp)
309 {
310 int len = 0;
311
312 big_buffer[0] = 0;
313 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) return NULL;
314
315 while ((len = Ustrlen(big_buffer)) == big_buffer_size-1
316 && big_buffer[len-1] != '\n')
317 {
318 uschar *newbuffer;
319 int newsize;
320
321 if (big_buffer_size >= BIG_BUFFER_SIZE * 4) return NULL;
322 newsize = big_buffer_size * 2;
323 newbuffer = store_get_perm(newsize, FALSE);
324 memcpy(newbuffer, big_buffer, len);
325
326 big_buffer = newbuffer;
327 big_buffer_size = newsize;
328 if (Ufgets(big_buffer + len, big_buffer_size - len, fp) == NULL) return NULL;
329 }
330
331 if (len <= 0 || big_buffer[len-1] != '\n') return NULL;
332 return big_buffer;
333 }
334
335
336
337 /*************************************************
338 * Read spool header file *
339 *************************************************/
340
341 /* This function reads a spool header file and places the data into the
342 appropriate global variables. The header portion is always read, but header
343 structures are built only if read_headers is set true. It isn't, for example,
344 while generating -bp output.
345
346 It may be possible for blocks of nulls (binary zeroes) to get written on the
347 end of a file if there is a system crash during writing. It was observed on an
348 earlier version of Exim that omitted to fsync() the files - this is thought to
349 have been the cause of that incident, but in any case, this code must be robust
350 against such an event, and if such a file is encountered, it must be treated as
351 malformed.
352
353 As called from deliver_message() (at least) we are running as root.
354
355 Arguments:
356 name name of the header file, including the -H
357 read_headers TRUE if in-store header structures are to be built
358 subdir_set TRUE is message_subdir is already set
359
360 Returns: spool_read_OK success
361 spool_read_notopen open failed
362 spool_read_enverror error in the envelope portion
363 spool_read_hdrerror error in the header portion
364 */
365
366 int
spool_read_header(uschar * name,BOOL read_headers,BOOL subdir_set)367 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
368 {
369 FILE * fp = NULL;
370 int n;
371 int rcount = 0;
372 long int uid, gid;
373 BOOL inheader = FALSE;
374
375 /* Reset all the global variables to their default values. However, there is
376 one exception. DO NOT change the default value of dont_deliver, because it may
377 be forced by an external setting. */
378
379 spool_clear_header_globals();
380
381 /* Generate the full name and open the file. If message_subdir is already
382 set, just look in the given directory. Otherwise, look in both the split
383 and unsplit directories, as for the data file above. */
384
385 for (int n = 0; n < 2; n++)
386 {
387 if (!subdir_set)
388 set_subdir_str(message_subdir, name, n);
389
390 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
391 break;
392 if (n != 0 || subdir_set || errno != ENOENT)
393 return spool_read_notopen;
394 }
395
396 errno = 0;
397
398 #ifndef COMPILE_UTILITY
399 DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
400 #endif /* COMPILE_UTILITY */
401
402 /* The first line of a spool file contains the message id followed by -H (i.e.
403 the file name), in order to make the file self-identifying. */
404
405 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
406 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
407 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
408 goto SPOOL_FORMAT_ERROR;
409
410 /* The next three lines in the header file are in a fixed format. The first
411 contains the login, uid, and gid of the user who caused the file to be written.
412 There are known cases where a negative gid is used, so we allow for both
413 negative uids and gids. The second contains the mail address of the message's
414 sender, enclosed in <>. The third contains the time the message was received,
415 and the number of warning messages for delivery delays that have been sent. */
416
417 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
418
419 {
420 uschar *p = big_buffer + Ustrlen(big_buffer);
421 while (p > big_buffer && isspace(p[-1])) p--;
422 *p = 0;
423 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
424 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
425 gid = Uatoi(p);
426 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
427 *p = 0;
428 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
429 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
430 uid = Uatoi(p);
431 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
432 *p = 0;
433 }
434
435 originator_login = string_copy(big_buffer);
436 originator_uid = (uid_t)uid;
437 originator_gid = (gid_t)gid;
438
439 /* envelope from */
440 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
441 n = Ustrlen(big_buffer);
442 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
443 goto SPOOL_FORMAT_ERROR;
444
445 sender_address = store_get(n-2, TRUE); /* tainted */
446 Ustrncpy(sender_address, big_buffer+1, n-3);
447 sender_address[n-3] = 0;
448
449 /* time */
450 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
451 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
452 goto SPOOL_FORMAT_ERROR;
453 received_time.tv_usec = 0;
454 received_time_complete = received_time;
455
456
457 message_age = time(NULL) - received_time.tv_sec;
458 #ifndef COMPILE_UTILITY
459 if (f.running_in_test_harness)
460 message_age = test_harness_fudged_queue_time(message_age);
461 #endif
462
463 #ifndef COMPILE_UTILITY
464 DEBUG(D_deliver) debug_printf_indent("user=%s uid=%ld gid=%ld sender=%s\n",
465 originator_login, (long int)originator_uid, (long int)originator_gid,
466 sender_address);
467 #endif
468
469 /* Now there may be a number of optional lines, each starting with "-". If you
470 add a new setting here, make sure you set the default above.
471
472 Because there are now quite a number of different possibilities, we use a
473 switch on the first character to avoid too many failing tests. Thanks to Nico
474 Erfurth for the patch that implemented this. I have made it even more efficient
475 by not re-scanning the first two characters.
476
477 To allow new versions of Exim that add additional flags to interwork with older
478 versions that do not understand them, just ignore any lines starting with "-"
479 that we don't recognize. Otherwise it wouldn't be possible to back off a new
480 version that left new-style flags written on the spool.
481
482 If the line starts with "--" the content of the variable is tainted. */
483
484 for (;;)
485 {
486 BOOL tainted;
487 uschar * var;
488 const uschar * p;
489
490 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
491 if (big_buffer[0] != '-') break;
492 big_buffer[Ustrlen(big_buffer)-1] = 0;
493
494 tainted = big_buffer[1] == '-';
495 var = big_buffer + (tainted ? 2 : 1);
496 p = var + 1;
497
498 switch(*var)
499 {
500 case 'a':
501
502 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
503 variable, because Exim allows any number of them, with arbitrary names.
504 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
505 the c or m. */
506
507 if (Ustrncmp(p, "clc ", 4) == 0 ||
508 Ustrncmp(p, "clm ", 4) == 0)
509 {
510 uschar *name, *endptr;
511 int count;
512 tree_node *node;
513 endptr = Ustrchr(var + 5, ' ');
514 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
515 name = string_sprintf("%c%.*s", var[3],
516 (int)(endptr - var - 5), var + 5);
517 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
518 node = acl_var_create(name);
519 node->data.ptr = store_get(count + 1, tainted);
520 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
521 ((uschar*)node->data.ptr)[count] = 0;
522 }
523
524 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
525 f.allow_unqualified_recipient = TRUE;
526 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
527 f.allow_unqualified_sender = TRUE;
528
529 else if (Ustrncmp(p, "uth_id", 6) == 0)
530 authenticated_id = string_copy_taint(var + 8, tainted);
531 else if (Ustrncmp(p, "uth_sender", 10) == 0)
532 authenticated_sender = string_copy_taint(var + 12, tainted);
533 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
534 smtp_active_hostname = string_copy_taint(var + 16, tainted);
535
536 /* For long-term backward compatibility, we recognize "-acl", which was
537 used before the number of ACL variables changed from 10 to 20. This was
538 before the subsequent change to an arbitrary number of named variables.
539 This code is retained so that upgrades from very old versions can still
540 handle old-format spool files. The value given after "-acl" is a number
541 that is 0-9 for connection variables, and 10-19 for message variables. */
542
543 else if (Ustrncmp(p, "cl ", 3) == 0)
544 {
545 unsigned index, count;
546 uschar name[20]; /* Need plenty of space for %u format */
547 tree_node * node;
548 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
549 || index >= 20
550 || count > 16384 /* arbitrary limit on variable size */
551 )
552 goto SPOOL_FORMAT_ERROR;
553 if (index < 10)
554 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
555 else
556 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
557 node = acl_var_create(name);
558 node->data.ptr = store_get(count + 1, tainted);
559 /* We sanity-checked the count, so disable the Coverity error */
560 /* coverity[tainted_data] */
561 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
562 (US node->data.ptr)[count] = '\0';
563 }
564 break;
565
566 case 'b':
567 if (Ustrncmp(p, "ody_linecount", 13) == 0)
568 body_linecount = Uatoi(var + 14);
569 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
570 body_zerocount = Uatoi(var + 14);
571 #ifdef EXPERIMENTAL_BRIGHTMAIL
572 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
573 bmi_verdicts = string_copy_taint(var + 13, tainted);
574 #endif
575 break;
576
577 case 'd':
578 if (Ustrcmp(p, "eliver_firsttime") == 0)
579 f.deliver_firsttime = TRUE;
580 /* Check if the dsn flags have been set in the header file */
581 else if (Ustrncmp(p, "sn_ret", 6) == 0)
582 dsn_ret= atoi(CS var + 7);
583 else if (Ustrncmp(p, "sn_envid", 8) == 0)
584 dsn_envid = string_copy_taint(var + 10, tainted);
585 break;
586
587 case 'f':
588 if (Ustrncmp(p, "rozen", 5) == 0)
589 {
590 f.deliver_freeze = TRUE;
591 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
592 goto SPOOL_READ_ERROR;
593 }
594 break;
595
596 case 'h':
597 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
598 host_lookup_deferred = TRUE;
599 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
600 host_lookup_failed = TRUE;
601 else if (Ustrncmp(p, "ost_auth_pubname", 16) == 0)
602 sender_host_auth_pubname = string_copy_taint(var + 18, tainted);
603 else if (Ustrncmp(p, "ost_auth", 8) == 0)
604 sender_host_authenticated = string_copy_taint(var + 10, tainted);
605 else if (Ustrncmp(p, "ost_name", 8) == 0)
606 sender_host_name = string_copy_taint(var + 10, tainted);
607 else if (Ustrncmp(p, "elo_name", 8) == 0)
608 sender_helo_name = string_copy_taint(var + 10, tainted);
609
610 /* We now record the port number after the address, separated by a
611 dot. For compatibility during upgrading, do nothing if there
612 isn't a value (it gets left at zero). */
613
614 else if (Ustrncmp(p, "ost_address", 11) == 0)
615 {
616 sender_host_port = host_address_extract_port(var + 13);
617 sender_host_address = string_copy_taint(var + 13, tainted);
618 }
619 break;
620
621 case 'i':
622 if (Ustrncmp(p, "nterface_address", 16) == 0)
623 {
624 interface_port = host_address_extract_port(var + 18);
625 interface_address = string_copy_taint(var + 18, tainted);
626 }
627 else if (Ustrncmp(p, "dent", 4) == 0)
628 sender_ident = string_copy_taint(var + 6, tainted);
629 break;
630
631 case 'l':
632 if (Ustrcmp(p, "ocal") == 0)
633 f.sender_local = TRUE;
634 else if (Ustrcmp(var, "localerror") == 0)
635 f.local_error_message = TRUE;
636 #ifdef HAVE_LOCAL_SCAN
637 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
638 local_scan_data = string_copy_taint(var + 11, tainted);
639 #endif
640 break;
641
642 case 'm':
643 if (Ustrcmp(p, "anual_thaw") == 0)
644 f.deliver_manual_thaw = TRUE;
645 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
646 max_received_linelength = Uatoi(var + 23);
647 break;
648
649 case 'N':
650 if (*p == 0) f.dont_deliver = TRUE; /* -N */
651 break;
652
653 case 'r':
654 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
655 received_protocol = string_copy_taint(var + 18, tainted);
656 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
657 {
658 unsigned usec;
659 if (sscanf(CS var + 20, "%u", &usec) == 1)
660 {
661 received_time.tv_usec = usec;
662 if (!received_time_complete.tv_sec) received_time_complete.tv_usec = usec;
663 }
664 }
665 else if (Ustrncmp(p, "eceived_time_complete", 21) == 0)
666 {
667 unsigned sec, usec;
668 if (sscanf(CS var + 23, "%u.%u", &sec, &usec) == 2)
669 {
670 received_time_complete.tv_sec = sec;
671 received_time_complete.tv_usec = usec;
672 }
673 }
674 break;
675
676 case 's':
677 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
678 f.sender_set_untrusted = TRUE;
679 #ifdef WITH_CONTENT_SCAN
680 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
681 spam_bar = string_copy_taint(var + 9, tainted);
682 else if (Ustrncmp(p, "pam_score ", 10) == 0)
683 spam_score = string_copy_taint(var + 11, tainted);
684 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
685 spam_score_int = string_copy_taint(var + 15, tainted);
686 #endif
687 #ifndef COMPILE_UTILITY
688 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
689 f.spool_file_wireformat = TRUE;
690 #endif
691 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
692 else if (Ustrncmp(p, "mtputf8", 7) == 0)
693 message_smtputf8 = TRUE;
694 #endif
695 break;
696
697 #ifndef DISABLE_TLS
698 case 't':
699 if (Ustrncmp(p, "ls_", 3) == 0)
700 {
701 const uschar * q = p + 3;
702 if (Ustrncmp(q, "certificate_verified", 20) == 0)
703 tls_in.certificate_verified = TRUE;
704 else if (Ustrncmp(q, "cipher", 6) == 0)
705 tls_in.cipher = string_copy_taint(q+7, tainted);
706 # ifndef COMPILE_UTILITY /* tls support fns not built in */
707 else if (Ustrncmp(q, "ourcert", 7) == 0)
708 (void) tls_import_cert(q+8, &tls_in.ourcert);
709 else if (Ustrncmp(q, "peercert", 8) == 0)
710 (void) tls_import_cert(q+9, &tls_in.peercert);
711 # endif
712 else if (Ustrncmp(q, "peerdn", 6) == 0)
713 tls_in.peerdn = string_unprinting(string_copy_taint(q+7, tainted));
714 else if (Ustrncmp(q, "sni", 3) == 0)
715 tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted));
716 else if (Ustrncmp(q, "ocsp", 4) == 0)
717 tls_in.ocsp = q[5] - '0';
718 # ifndef DISABLE_TLS_RESUME
719 else if (Ustrncmp(q, "resumption", 10) == 0)
720 tls_in.resumption = q[11] - 'A';
721 # endif
722 else if (Ustrncmp(q, "ver", 3) == 0)
723 tls_in.ver = string_copy_taint(q+4, tainted);
724 }
725 break;
726 #endif
727
728 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
729 case 'u':
730 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
731 message_utf8_downconvert = 1;
732 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
733 message_utf8_downconvert = -1;
734 break;
735 #endif
736
737 default: /* Present because some compilers complain if all */
738 break; /* possibilities are not covered. */
739 }
740 }
741
742 /* Build sender_fullhost if required */
743
744 #ifndef COMPILE_UTILITY
745 host_build_sender_fullhost();
746 #endif /* COMPILE_UTILITY */
747
748 #ifndef COMPILE_UTILITY
749 DEBUG(D_deliver)
750 debug_printf_indent("sender_local=%d ident=%s\n", f.sender_local,
751 sender_ident ? sender_ident : US"unset");
752 #endif /* COMPILE_UTILITY */
753
754 /* We now have the tree of addresses NOT to deliver to, or a line
755 containing "XX", indicating no tree. */
756
757 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
758 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
759 goto SPOOL_FORMAT_ERROR;
760
761 #ifndef COMPILE_UTILITY
762 DEBUG(D_deliver) debug_print_tree("Non-recipients", tree_nonrecipients);
763 #endif /* COMPILE_UTILITY */
764
765 /* After reading the tree, the next line has not yet been read into the
766 buffer. It contains the count of recipients which follow on separate lines.
767 Apply an arbitrary sanity check.*/
768
769 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
770 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
771 goto SPOOL_FORMAT_ERROR;
772
773 #ifndef COMPILE_UTILITY
774 DEBUG(D_deliver) debug_printf_indent("recipients_count=%d\n", rcount);
775 #endif /* COMPILE_UTILITY */
776
777 recipients_list_max = rcount;
778 recipients_list = store_get(rcount * sizeof(recipient_item), FALSE);
779
780 /* We sanitised the count and know we have enough memory, so disable
781 the Coverity error on recipients_count */
782 /* coverity[tainted_data] */
783
784 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
785 {
786 int nn;
787 int pno = -1;
788 int dsn_flags = 0;
789 uschar *orcpt = NULL;
790 uschar *errors_to = NULL;
791 uschar *p;
792
793 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
794 nn = Ustrlen(big_buffer);
795 if (nn < 2) goto SPOOL_FORMAT_ERROR;
796
797 /* Remove the newline; this terminates the address if there is no additional
798 data on the line. */
799
800 p = big_buffer + nn - 1;
801 *p-- = 0;
802
803 /* Look back from the end of the line for digits and special terminators.
804 Since an address must end with a domain, we can tell that extra data is
805 present by the presence of the terminator, which is always some character
806 that cannot exist in a domain. (If I'd thought of the need for additional
807 data early on, I'd have put it at the start, with the address at the end. As
808 it is, we have to operate backwards. Addresses are permitted to contain
809 spaces, you see.)
810
811 This code has to cope with various versions of this data that have evolved
812 over time. In all cases, the line might just contain an address, with no
813 additional data. Otherwise, the possibilities are as follows:
814
815 Exim 3 type: <address><space><digits>,<digits>,<digits>
816
817 The second set of digits is the parent number for one_time addresses. The
818 other values were remnants of earlier experiments that were abandoned.
819
820 Exim 4 first type: <address><space><digits>
821
822 The digits are the parent number for one_time addresses.
823
824 Exim 4 new type: <address><space><data>#<type bits>
825
826 The type bits indicate what the contents of the data are.
827
828 Bit 01 indicates that, reading from right to left, the data
829 ends with <errors_to address><space><len>,<pno> where pno is
830 the parent number for one_time addresses, and len is the length
831 of the errors_to address (zero meaning none).
832
833 Bit 02 indicates that, again reading from right to left, the data continues
834 with orcpt len(orcpt),dsn_flags
835 */
836
837 while (isdigit(*p)) p--;
838
839 /* Handle Exim 3 spool files */
840
841 if (*p == ',')
842 {
843 int dummy;
844 #if !defined (COMPILE_UTILITY)
845 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim 3 spool file\n");
846 #endif
847 while (isdigit(*(--p)) || *p == ',');
848 if (*p == ' ')
849 {
850 *p++ = 0;
851 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
852 }
853 }
854
855 /* Handle early Exim 4 spool files */
856
857 else if (*p == ' ')
858 {
859 #if !defined (COMPILE_UTILITY)
860 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - early Exim 4 spool file\n");
861 #endif
862 *p++ = 0;
863 (void)sscanf(CS p, "%d", &pno);
864 }
865
866 /* Handle current format Exim 4 spool files */
867
868 else if (*p == '#')
869 {
870 int flags;
871
872 #if !defined (COMPILE_UTILITY)
873 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim standard format spoolfile\n");
874 #endif
875
876 (void)sscanf(CS p+1, "%d", &flags);
877
878 if ((flags & 0x01) != 0) /* one_time data exists */
879 {
880 int len;
881 while (isdigit(*(--p)) || *p == ',' || *p == '-');
882 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
883 *p = 0;
884 if (len > 0)
885 {
886 p -= len;
887 errors_to = string_copy_taint(p, TRUE);
888 }
889 }
890
891 *(--p) = 0; /* Terminate address */
892 if ((flags & 0x02) != 0) /* one_time data exists */
893 {
894 int len;
895 while (isdigit(*(--p)) || *p == ',' || *p == '-');
896 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
897 *p = 0;
898 if (len > 0)
899 {
900 p -= len;
901 orcpt = string_copy_taint(p, TRUE);
902 }
903 }
904
905 *(--p) = 0; /* Terminate address */
906 }
907 #if !defined(COMPILE_UTILITY)
908 else
909 { DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - No additional fields\n"); }
910
911 if (orcpt || dsn_flags)
912 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
913 big_buffer, orcpt, dsn_flags);
914 if (errors_to)
915 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
916 big_buffer, errors_to);
917 #endif
918
919 recipients_list[recipients_count].address = string_copy_taint(big_buffer, TRUE);
920 recipients_list[recipients_count].pno = pno;
921 recipients_list[recipients_count].errors_to = errors_to;
922 recipients_list[recipients_count].orcpt = orcpt;
923 recipients_list[recipients_count].dsn_flags = dsn_flags;
924 }
925
926 /* The remainder of the spool header file contains the headers for the message,
927 separated off from the previous data by a blank line. Each header is preceded
928 by a count of its length and either a certain letter (for various identified
929 headers), space (for a miscellaneous live header) or an asterisk (for a header
930 that has been rewritten). Count the Received: headers. We read the headers
931 always, in order to check on the format of the file, but only create a header
932 list if requested to do so. */
933
934 inheader = TRUE;
935 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
936 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
937
938 while ((n = fgetc(fp)) != EOF)
939 {
940 header_line *h;
941 uschar flag[4];
942 int i;
943
944 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
945 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
946 goto SPOOL_READ_ERROR;
947 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
948
949 if (read_headers)
950 {
951 h = store_get(sizeof(header_line), FALSE);
952 h->next = NULL;
953 h->type = flag[0];
954 h->slen = n;
955 h->text = store_get(n+1, TRUE); /* tainted */
956
957 if (h->type == htype_received) received_count++;
958
959 if (header_list) header_last->next = h;
960 else header_list = h;
961 header_last = h;
962
963 for (i = 0; i < n; i++)
964 {
965 int c = fgetc(fp);
966 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
967 if (c == '\n' && h->type != htype_old) message_linecount++;
968 h->text[i] = c;
969 }
970 h->text[i] = 0;
971 }
972
973 /* Not requiring header data, just skip through the bytes */
974
975 else for (i = 0; i < n; i++)
976 {
977 int c = fgetc(fp);
978 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
979 }
980 }
981
982 /* We have successfully read the data in the header file. Update the message
983 line count by adding the body linecount to the header linecount. Close the file
984 and give a positive response. */
985
986 #ifndef COMPILE_UTILITY
987 DEBUG(D_deliver) debug_printf_indent("body_linecount=%d message_linecount=%d\n",
988 body_linecount, message_linecount);
989 #endif /* COMPILE_UTILITY */
990
991 message_linecount += body_linecount;
992
993 fclose(fp);
994 return spool_read_OK;
995
996
997 /* There was an error reading the spool or there was missing data,
998 or there was a format error. A "read error" with no errno means an
999 unexpected EOF, which we treat as a format error. */
1000
1001 SPOOL_READ_ERROR:
1002 if (errno != 0)
1003 {
1004 n = errno;
1005
1006 #ifndef COMPILE_UTILITY
1007 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
1008 #endif /* COMPILE_UTILITY */
1009
1010 fclose(fp);
1011 errno = n;
1012 return inheader ? spool_read_hdrerror : spool_read_enverror;
1013 }
1014
1015 SPOOL_FORMAT_ERROR:
1016
1017 #ifndef COMPILE_UTILITY
1018 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
1019 #endif /* COMPILE_UTILITY */
1020
1021 fclose(fp);
1022 errno = ERRNO_SPOOLFORMAT;
1023 return inheader? spool_read_hdrerror : spool_read_enverror;
1024 }
1025
1026
1027 #ifndef COMPILE_UTILITY
1028 /* Read out just the (envelope) sender string from the spool -H file.
1029 Remove the <> wrap and return it in allocated store. Return NULL on error.
1030
1031 We assume that message_subdir is already set.
1032 */
1033
1034 uschar *
spool_sender_from_msgid(const uschar * id)1035 spool_sender_from_msgid(const uschar * id)
1036 {
1037 uschar * name = string_sprintf("%s-H", id);
1038 FILE * fp;
1039 int n;
1040 uschar * yield = NULL;
1041
1042 if (!(fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
1043 return NULL;
1044
1045 DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
1046
1047 /* Skip the line with the copy of the filename, then the line with login/uid/gid.
1048 Read the next line, which should be the envelope sender.
1049 Do basic validation on that. */
1050
1051 if ( Ufgets(big_buffer, big_buffer_size, fp) != NULL
1052 && Ufgets(big_buffer, big_buffer_size, fp) != NULL
1053 && Ufgets(big_buffer, big_buffer_size, fp) != NULL
1054 && (n = Ustrlen(big_buffer)) >= 3
1055 && big_buffer[0] == '<' && big_buffer[n-2] == '>'
1056 )
1057 {
1058 yield = store_get(n-2, TRUE); /* tainted */
1059 Ustrncpy(yield, big_buffer+1, n-3);
1060 yield[n-3] = 0;
1061 }
1062 fclose(fp);
1063 return yield;
1064 }
1065 #endif /* COMPILE_UTILITY */
1066
1067 /* vi: aw ai sw=2
1068 */
1069 /* End of spool_in.c */
1070