From bc2767e61d9d31d2fb05078b0214d84d5e68d23d Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Tue, 1 Sep 2020 16:17:42 +0100
Subject: [PATCH 1/1] ARC: Add basic error-checking on permitted chars in admd & sel for signing. Bug 2639
---
 src/src/arc.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/src/arc.c b/src/src/arc.c
index 391af077d..061731280 100644
--- a/src/src/arc.c
+++ b/src/src/arc.c
@@ -1557,6 +1557,23 @@ return arc_try_header(&arc_sign_ctx, headers_rlist->h, TRUE);
+/* Per RFCs 6376, 7489 the only allowed chars in either an ADMD id
+or a selector are ALPHA/DIGGIT/'-'/'.'
+
+Check, to help catch misconfigurations such as a missing selector
+element in the arc_sign list.
+*/
+
+static BOOL
+arc_valid_id(const uschar * s)
+{
+for (uschar c; c = *s++; )
+ if (!isalnum(c) && c != '-' && c != '.') return FALSE;
+return TRUE;
+}
+
+
+
 /* ARC signing.  Called from the smtp transport, if the arc_sign option is set.
 The dkim_exim_sign() function has already been called, so will have hashed the
 message body for us so long as we requested a hash previously.
@@ -1595,10 +1612,13 @@ selector = string_nextinlist(&signspec, &sep, NULL, 0);
 if ( !*identity || !*selector
 || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
 {
-  log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
-    !*identity ? "identity" : !*selector ? "selector" : "private-key");
-  return sigheaders ? sigheaders : string_get(0);
+  s = !*identity ? US"identity" : !*selector ? US"selector" : US"private-key";
+  goto bad_arg_ret;
 }
+if (!arc_valid_id(identity))
+  { s = US"identity"; goto bad_arg_ret; }
+if (!arc_valid_id(selector))
+  { s = US"selector"; goto bad_arg_ret; }
 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
 return sigheaders ? sigheaders : string_get(0);
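Review bot: arc_valid_id() classifies bytes with isalnum(), which follows the process LC_CTYPE, so in a non-C locale bytes above 0x7F can be accepted and a non-ASCII ADMD id or selector would pass the new check; RFC 6376's ALPHA/DIGIT are ASCII-only, so an explicit test such as `if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' || c == '.')) return FALSE;` (or guarding with `c < 0x80 && isalnum(c)`) removes the dependency, unless Exim already pins LC_CTYPE to "C" at startup, which I cannot see from here. The check is also looser than the selector ABNF (sub-domain *("." sub-domain)), which rules out a leading or trailing '-' or '.' and empty labels such as "a..b"; if that stays out of scope for this "basic" check, the header comment should say so. The comment's "DIGGIT" should read "DIGIT". The assignment inside the for condition, `c = *s++`, draws a -Wparentheses warning on gcc/clang; `(c = *s++) != 0` makes the intent explicit.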
@@ -1718,6 +1738,11 @@ if (sigheaders) g = string_catn(g, sigheaders->s, sigheaders->ptr);
 (void) string_from_gstring(g);
 gstring_release_unused(g);
 return g;
+
+
+bad_arg_ret:
+ log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)", s);
+ return sigheaders ? sigheaders : string_get(0);
 }
-- 
2.30.2
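Review bot: The log_write at bad_arg_ret names only the rejected field, so an operator tripped by the new arc_valid_id() checks (a selector containing a stray ':' or space, say) still cannot see what the arc_sign expansion actually produced; carrying the offending string in a second pointer set at each goto site and logging it, `log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s \"%s\")", s, badval);`, would serve the bug's stated purpose of catching misconfigurations. If the arc_sign expansion can draw on message-derived data, run that value through string_printing() first so a crafted domain cannot plant control characters in the mainlog. Note also that this path is fail-open: the message is still delivered, only without a fresh ARC set, so the mainlog line is the sole signal of the problem and a comment on the label saying that is intended would help the next reader. arc_sign() starts outside this hunk.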