1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* This module contains code for extracting addresses from a forwarding list
10 (from an alias or forward file) or by running the filter interpreter. It may do
11 this in a sub-process if a uid/gid are supplied. */
16 enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
18 #define REPLY_EXISTS 0x01
19 #define REPLY_EXPAND 0x02
20 #define REPLY_RETURN 0x04
23 /*************************************************
24 * Check string for filter program *
25 *************************************************/
27 /* This function checks whether a string is actually a filter program. The rule
28 is that it must start with "# Exim filter ..." (any capitalization, spaces
29 optional). It is envisaged that in future, other kinds of filter may be
30 implemented. That's why it is implemented the way it is. The function is global
31 because it is also called from filter.c when checking filters.
35 Returns: FILTER_EXIM if it starts with "# Exim filter"
36 FILTER_SIEVE if it starts with "# Sieve filter"
37 FILTER_FORWARD otherwise
40 /* This is an auxiliary function for matching a tag. */
43 match_tag(const uschar *s, const uschar *tag)
45 for (; *tag; s++, tag++)
48 while (*s == ' ' || *s == '\t') s++;
52 if (tolower(*s) != tolower(*tag)) break;
57 /* This is the real function. It should be easy to add checking different
58 tags for other types of filter. */
61 rda_is_filter(const uschar *s)
63 Uskip_whitespace(&s); /* Skips initial blank lines */
64 if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
65 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
66 else return FILTER_FORWARD;
72 /*************************************************
73 * Check for existence of file *
74 *************************************************/
76 /* First of all, we stat the file. If this fails, we try to stat the enclosing
77 directory, because a file in an unmounted NFS directory will look the same as a
78 non-existent file. It seems that in Solaris 2.6, statting an entry in an
79 indirect map that is currently unmounted does not cause the mount to happen.
80 Instead, dummy data is returned, which defeats the whole point of this test.
81 However, if a stat() is done on some object inside the directory, such as the
82 "." back reference to itself, then the mount does occur. If an NFS host is
83 taken offline, it is possible for the stat() to get stuck until it comes back.
84 To guard against this, stick a timer round it. If we can't access the "."
85 inside the directory, try the plain directory, just in case that helps.
88 filename the file name
89 error for message on error
91 Returns: FILE_EXIST the file exists
92 FILE_NOT_EXIST the file does not exist
93 FILE_EXIST_UNCLEAR cannot determine existence
97 rda_exists(uschar *filename, uschar **error)
103 if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
106 s = string_copy(filename);
107 sigalrm_seen = FALSE;
109 if (saved_errno == ENOENT)
111 uschar * slash = Ustrrchr(s, '/');
112 Ustrcpy(slash+1, US".");
115 rc = Ustat(s, &statbuf);
116 if (rc != 0 && errno == EACCES && !sigalrm_seen)
119 rc = Ustat(s, &statbuf);
124 DEBUG(D_route) debug_printf("stat(%s)=%d\n", s, rc);
127 if (sigalrm_seen || rc != 0)
129 *error = string_sprintf("failed to stat %s (%s)", s,
130 sigalrm_seen? "timeout" : strerror(saved_errno));
131 return FILE_EXIST_UNCLEAR;
134 *error = string_sprintf("%s does not exist", filename);
135 DEBUG(D_route) debug_printf("%s\n", *error);
136 return FILE_NOT_EXIST;
141 /*************************************************
142 * Get forwarding list from a file *
143 *************************************************/
145 /* Open a file and read its entire contents into a block of memory. Certain
146 opening errors are optionally treated the same as "file does not exist".
148 ENOTDIR means that something along the line is not a directory: there are
149 installations that set home directories to be /dev/null for non-login accounts
150 but in normal circumstances this indicates some kind of configuration error.
152 EACCES means there's a permissions failure. Some users turn off read permission
153 on a .forward file to suspend forwarding, but this is probably an error in any
154 kind of mailing list processing.
156 The redirect block that contains the file name also contains constraints such
157 as who may own the file, and mode bits that must not be set. This function is
160 rdata rdirect block, containing file name and constraints
161 options for the RDO_ENOTDIR and RDO_EACCES options
162 error where to put an error message
163 yield what to return from rda_interpret on error
165 Returns: pointer to string in store; NULL on error
169 rda_get_file_contents(const redirect_block *rdata, int options, uschar **error,
174 uschar *filename = rdata->string;
175 BOOL uid_ok = !rdata->check_owner;
176 BOOL gid_ok = !rdata->check_group;
179 /* Reading a file is a form of expansion; we wish to deny attackers the
180 capability to specify the file name. */
182 if (is_tainted(filename))
184 *error = string_sprintf("Tainted name '%s' for file read not permitted\n",
190 /* Attempt to open the file. If it appears not to exist, check up on the
191 containing directory by statting it. If the directory does not exist, we treat
192 this situation as an error (which will cause delivery to defer); otherwise we
193 pass back FF_NONEXIST, which causes the redirect router to decline.
195 However, if the ignore_enotdir option is set (to ignore "something on the
196 path is not a directory" errors), the right behaviour seems to be not to do the
199 if (!(fwd = Ufopen(filename, "rb"))) switch(errno)
201 case ENOENT: /* File does not exist */
202 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
203 filename, options & RDO_ENOTDIR ? "ignore_enotdir set => skip " : "");
205 options & RDO_ENOTDIR || rda_exists(filename, error) == FILE_NOT_EXIST
206 ? FF_NONEXIST : FF_ERROR;
209 case ENOTDIR: /* Something on the path isn't a directory */
210 if (!(options & RDO_ENOTDIR)) goto DEFAULT_ERROR;
211 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
212 "exist\n", filename);
213 *yield = FF_NONEXIST;
216 case EACCES: /* Permission denied */
217 if (!(options & RDO_EACCES)) goto DEFAULT_ERROR;
218 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
219 "exist\n", filename);
220 *yield = FF_NONEXIST;
225 *error = string_open_failed("%s", filename);
230 /* Check that we have a regular file. */
232 if (fstat(fileno(fwd), &statbuf) != 0)
234 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
238 if ((statbuf.st_mode & S_IFMT) != S_IFREG)
240 *error = string_sprintf("%s is not a regular file", filename);
244 /* Check for unwanted mode bits */
246 if ((statbuf.st_mode & rdata->modemask) != 0)
248 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
249 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
253 /* Check the file owner and file group if required to do so. */
256 if (rdata->pw && statbuf.st_uid == rdata->pw->pw_uid)
258 else if (rdata->owners)
259 for (int i = 1; i <= (int)(rdata->owners[0]); i++)
260 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
263 if (rdata->pw && statbuf.st_gid == rdata->pw->pw_gid)
265 else if (rdata->owngroups)
266 for (int i = 1; i <= (int)(rdata->owngroups[0]); i++)
267 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
269 if (!uid_ok || !gid_ok)
271 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
275 /* Put an upper limit on the size of the file, just to stop silly people
276 feeding in ridiculously large files, which can easily be created by making
277 files that have holes in them. */
279 if (statbuf.st_size > MAX_FILTER_SIZE)
281 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
285 /* Read the file in one go in order to minimize the time we have it open. */
287 filebuf = store_get(statbuf.st_size + 1, filename);
289 if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
291 *error = string_sprintf("error while reading %s: %s",
292 filename, strerror(errno));
295 filebuf[statbuf.st_size] = 0;
297 DEBUG(D_route) debug_printf(OFF_T_FMT " %sbytes read from %s\n",
298 statbuf.st_size, is_tainted(filename) ? "(tainted) " : "", filename);
303 /* Return an error: the string is already set up. */
313 /*************************************************
314 * Extract info from list or filter *
315 *************************************************/
317 /* This function calls the appropriate function to extract addresses from a
318 forwarding list, or to run a filter file and get addresses from there.
321 rdata the redirection block
322 options the options bits
323 include_directory restrain to this directory
324 sieve_vacation_directory passed to sieve_interpret
325 sieve_enotify_mailto_owner passed to sieve_interpret
326 sieve_useraddress passed to sieve_interpret
327 sieve_subaddress passed to sieve_interpret
328 generated where to hang generated addresses
329 error for error messages
330 eblockp for details of skipped syntax errors
332 filtertype set to the filter type:
333 FILTER_FORWARD => a traditional .forward file
334 FILTER_EXIM => an Exim filter file
335 FILTER_SIEVE => a Sieve filter file
336 a system filter is always forced to be FILTER_EXIM
338 Returns: a suitable return for rda_interpret()
342 rda_extract(const redirect_block * rdata, int options,
343 const uschar * include_directory, const uschar * sieve_vacation_directory,
344 const uschar * sieve_enotify_mailto_owner, const uschar * sieve_useraddress,
345 const uschar * sieve_subaddress, address_item ** generated, uschar ** error,
346 error_block ** eblockp, int * filtertype)
353 if (!(data = rda_get_file_contents(rdata, options, error, &yield)))
356 else data = rdata->string;
358 *filtertype = f.system_filtering ? FILTER_EXIM : rda_is_filter(data);
360 /* Filter interpretation is done by a general function that is also called from
361 the filter testing option (-bf). There are two versions: one for Exim filtering
362 and one for Sieve filtering. Several features of string expansion may be locked
363 out at sites that don't trust users. This is done by setting flags in
364 expand_forbid that the expander inspects. */
366 if (*filtertype != FILTER_FORWARD)
369 int old_expand_forbid = expand_forbid;
371 DEBUG(D_route) debug_printf("data is %s filter program\n",
372 *filtertype == FILTER_EXIM ? "an Exim" : "a Sieve");
374 /* RDO_FILTER is an "allow" bit */
376 if (!(options & RDO_FILTER))
378 *error = US"filtering not enabled";
383 expand_forbid & ~RDO_FILTER_EXPANSIONS | options & RDO_FILTER_EXPANSIONS;
385 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
387 if (*filtertype == FILTER_EXIM)
389 if ((options & RDO_EXIM_FILTER) != 0)
391 *error = US"Exim filtering not enabled";
394 frc = filter_interpret(data, options, generated, error);
398 if (options & RDO_SIEVE_FILTER)
400 *error = US"Sieve filtering not enabled";
403 frc = sieve_interpret(data, options, sieve_vacation_directory,
404 sieve_enotify_mailto_owner, sieve_useraddress, sieve_subaddress,
408 expand_forbid = old_expand_forbid;
412 /* Not a filter script */
414 DEBUG(D_route) debug_printf("file is not a filter file\n");
416 return parse_forward_list(data,
417 options, /* specials that are allowed */
418 generated, /* where to hang them */
419 error, /* for errors */
420 deliver_domain, /* to qualify \name */
421 include_directory, /* restrain to directory */
422 eblockp); /* for skipped syntax errors */
428 /*************************************************
429 * Write string down pipe *
430 *************************************************/
432 /* This function is used for transferring a string down a pipe between
433 processes. If the pointer is NULL, a length of zero is written.
439 Returns: -1 on error, else 0
443 rda_write_string(int fd, const uschar *s)
445 int len = s ? Ustrlen(s) + 1 : 0;
446 return ( write(fd, &len, sizeof(int)) != sizeof(int)
447 || (s && write(fd, s, len) != len)
454 /*************************************************
455 * Read string from pipe *
456 *************************************************/
458 /* This function is used for receiving a string from a pipe.
462 sp where to put the string
464 Returns: FALSE if data missing
468 rda_read_string(int fd, uschar **sp)
472 if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
476 /* We know we have enough memory so disable the error on "len" */
477 /* coverity[tainted_data] */
478 /* We trust the data source, so untainted */
479 if (read(fd, *sp = store_get(len, GET_UNTAINTED), len) != len) return FALSE;
485 /*************************************************
486 * Interpret forward list or filter *
487 *************************************************/
489 /* This function is passed a forward list string (unexpanded) or the name of a
490 file (unexpanded) whose contents are the forwarding list. The list may in fact
491 be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
492 types of filter, with different initial tag strings, may be introduced in due
495 The job of the function is to process the forwarding list or filter. It is
496 pulled out into this separate function, because it is used for system filter
497 files as well as from the redirect router.
499 If the function is given a uid/gid, it runs a subprocess that passes the
500 results back via a pipe. This provides security for things like :include:s in
501 users' .forward files, and "logwrite" calls in users' filter files. A
502 sub-process is NOT used when:
504 . No uid/gid is provided
505 . The input is a string which is not a filter string, and does not contain
507 . The input is a file whose non-existence can be detected in the main
508 process (which is usually running as root).
511 rdata redirect data (file + constraints, or data string)
512 options options to pass to the extraction functions,
513 plus ENOTDIR and EACCES handling bits
514 include_directory restrain :include: to this directory
515 sieve_vacation_directory directory passed to sieve_interpret
516 sieve_enotify_mailto_owner passed to sieve_interpret
517 sieve_useraddress passed to sieve_interpret
518 sieve_subaddress passed to sieve_interpret
519 ugid uid/gid to run under - if NULL, no change
520 generated where to hang generated addresses, initially NULL
521 error pointer for error message
522 eblockp for skipped syntax errors; NULL if no skipping
523 filtertype set to the type of file:
524 FILTER_FORWARD => traditional .forward file
525 FILTER_EXIM => an Exim filter file
526 FILTER_SIEVE => a Sieve filter file
527 a system filter is always forced to be FILTER_EXIM
528 rname router name for error messages in the format
529 "xxx router" or "system filter"
531 Returns: values from extraction function, or FF_NONEXIST:
532 FF_DELIVERED success, a significant action was taken
533 FF_NOTDELIVERED success, no significant action
534 FF_BLACKHOLE :blackhole:
535 FF_DEFER defer requested
536 FF_FAIL fail requested
537 FF_INCLUDEFAIL some problem with :include:
538 FF_FREEZE freeze requested
539 FF_ERROR there was a problem
540 FF_NONEXIST the file does not exist
544 rda_interpret(redirect_block * rdata, int options,
545 const uschar * include_directory, const uschar * sieve_vacation_directory,
546 const uschar * sieve_enotify_mailto_owner, const uschar * sieve_useraddress,
547 const uschar * sieve_subaddress, const ugid_block * ugid, address_item ** generated,
548 uschar ** error, error_block ** eblockp, int * filtertype, const uschar * rname)
552 BOOL had_disaster = FALSE;
555 uschar *readerror = US"";
556 void (*oldsignal)(int);
558 DEBUG(D_route) debug_printf("rda_interpret (%s): '%s'\n",
559 rdata->isfile ? "file" : "string", string_printing(rdata->string));
561 /* Do the expansions of the file name or data first, while still privileged. */
563 if (!(data = expand_string(rdata->string)))
565 if (f.expand_string_forcedfail) return FF_NOTDELIVERED;
566 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
567 expand_string_message);
570 rdata->string = data;
573 debug_printf("expanded: '%s'%s\n", data, is_tainted(data) ? " (tainted)":"");
575 if (rdata->isfile && data[0] != '/')
577 *error = string_sprintf("\"%s\" is not an absolute path", data);
581 /* If no uid/gid are supplied, or if we have a data string which does not start
582 with #Exim filter or #Sieve filter, and does not contain :include:, do all the
583 work in this process. Note that for a system filter, we always have a file, so
584 the work is done in this process only if no user is supplied. */
586 if (!ugid->uid_set || /* Either there's no uid, or */
587 (!rdata->isfile && /* We've got the data, and */
588 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
589 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
590 return rda_extract(rdata, options, include_directory,
591 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
592 sieve_subaddress, generated, error, eblockp, filtertype);
594 /* We need to run the processing code in a sub-process. However, if we can
595 determine the non-existence of a file first, we can decline without having to
596 create the sub-process. */
598 if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
601 /* If the file does exist, or we can't tell (non-root mounted NFS directory)
602 we have to create the subprocess to do everything as the given user. The
603 results of processing are passed back via a pipe. */
606 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
607 ":include: failed for %s: %s", rname, strerror(errno));
609 /* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
610 process can be waited for. We sometimes get here with it set otherwise. Save
611 the old state for resetting on the wait. Ensure that all cached resources are
612 freed so that the subprocess starts with a clean slate and doesn't interfere
613 with the parent process. */
615 oldsignal = signal(SIGCHLD, SIG_DFL);
618 if ((pid = exim_fork(US"router-interpret")) == 0)
620 header_line *waslast = header_last; /* Save last header */
623 fd = pfd[pipe_write];
624 (void)close(pfd[pipe_read]);
626 if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
627 if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
629 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
631 /* Addresses can get rewritten in filters; if we are not root or the exim
632 user (and we probably are not), turn off rewrite logging, because we cannot
633 write to the log now. */
635 if (ugid->uid != root_uid && ugid->uid != exim_uid)
637 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
638 "root or exim in this process)\n");
639 BIT_CLEAR(log_selector, log_selector_size, Li_address_rewrite);
642 /* Now do the business */
644 yield = rda_extract(rdata, options, include_directory,
645 sieve_vacation_directory, sieve_enotify_mailto_owner, sieve_useraddress,
646 sieve_subaddress, generated, error, eblockp, filtertype);
648 /* Pass back whether it was a filter, and the return code and any overall
649 error text via the pipe. */
651 if ( write(fd, filtertype, sizeof(int)) != sizeof(int)
652 || write(fd, &yield, sizeof(int)) != sizeof(int)
653 || rda_write_string(fd, *error) != 0
657 /* Pass back the contents of any syntax error blocks if we have a pointer */
661 for (error_block * ep = *eblockp; ep; ep = ep->next)
662 if ( rda_write_string(fd, ep->text1) != 0
663 || rda_write_string(fd, ep->text2) != 0
666 if (rda_write_string(fd, NULL) != 0) /* Indicates end of eblocks */
670 /* If this is a system filter, we have to pass back the numbers of any
671 original header lines that were removed, and then any header lines that were
672 added but not subsequently removed. */
674 if (f.system_filtering)
677 for (header_line * h = header_list; h != waslast->next; i++, h = h->next)
678 if ( h->type == htype_old
679 && write(fd, &i, sizeof(i)) != sizeof(i)
684 if (write(fd, &i, sizeof(i)) != sizeof(i))
687 while (waslast != header_last)
689 waslast = waslast->next;
690 if (waslast->type != htype_old)
691 if ( rda_write_string(fd, waslast->text) != 0
692 || write(fd, &(waslast->type), sizeof(waslast->type))
693 != sizeof(waslast->type)
697 if (rda_write_string(fd, NULL) != 0) /* Indicates end of added headers */
701 /* Write the contents of the $n variables */
703 if (write(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n))
706 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
707 addresses, and their associated information, through the pipe. This is
708 just tedious, but it seems to be the only safe way. We do this also for
709 FAIL and FREEZE, because a filter is allowed to set up deliveries that
710 are honoured before freezing or failing. */
712 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
713 yield == FF_FAIL || yield == FF_FREEZE)
715 for (address_item * addr = *generated; addr; addr = addr->next)
717 int reply_options = 0;
718 int ig_err = addr->prop.ignore_error ? 1 : 0;
720 if ( rda_write_string(fd, addr->address) != 0
721 || write(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
722 || write(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
723 || rda_write_string(fd, addr->prop.errors_address) != 0
724 || write(fd, &ig_err, sizeof(ig_err)) != sizeof(ig_err)
728 if (addr->pipe_expandn)
729 for (uschar ** pp = addr->pipe_expandn; *pp; pp++)
730 if (rda_write_string(fd, *pp) != 0)
732 if (rda_write_string(fd, NULL) != 0)
737 if (write(fd, &reply_options, sizeof(int)) != sizeof(int)) /* 0 means no reply */
742 reply_options |= REPLY_EXISTS;
743 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
744 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
745 if ( write(fd, &reply_options, sizeof(int)) != sizeof(int)
746 || write(fd, &(addr->reply->expand_forbid), sizeof(int))
748 || write(fd, &(addr->reply->once_repeat), sizeof(time_t))
750 || rda_write_string(fd, addr->reply->to) != 0
751 || rda_write_string(fd, addr->reply->cc) != 0
752 || rda_write_string(fd, addr->reply->bcc) != 0
753 || rda_write_string(fd, addr->reply->from) != 0
754 || rda_write_string(fd, addr->reply->reply_to) != 0
755 || rda_write_string(fd, addr->reply->subject) != 0
756 || rda_write_string(fd, addr->reply->headers) != 0
757 || rda_write_string(fd, addr->reply->text) != 0
758 || rda_write_string(fd, addr->reply->file) != 0
759 || rda_write_string(fd, addr->reply->logfile) != 0
760 || rda_write_string(fd, addr->reply->oncelog) != 0
766 if (rda_write_string(fd, NULL) != 0) /* Marks end of addresses */
770 /* OK, this process is now done. Free any cached resources. Must use _exit()
776 exim_underbar_exit(EXIT_SUCCESS);
779 DEBUG(D_rewrite) debug_printf("rda_interpret: failed write to pipe\n");
783 /* Back in the main process: panic if the fork did not succeed. */
786 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
788 /* Read the pipe to get the data from the filter/forward. Our copy of the
789 writing end must be closed first, as otherwise read() won't return zero on an
790 empty pipe. Afterwards, close the reading end. */
792 (void)close(pfd[pipe_write]);
794 /* Read initial data, including yield and contents of *error */
797 if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
798 read(fd, &yield, sizeof(int)) != sizeof(int) ||
799 !rda_read_string(fd, error)) goto DISASTER;
801 /* Read the contents of any syntax error blocks if we have a pointer */
806 for (error_block ** p = eblockp; ; p = &e->next)
809 if (!rda_read_string(fd, &s)) goto DISASTER;
811 e = store_get(sizeof(error_block), GET_UNTAINTED);
814 if (!rda_read_string(fd, &s)) goto DISASTER;
820 /* If this is a system filter, read the identify of any original header lines
821 that were removed, and then read data for any new ones that were added. */
823 if (f.system_filtering)
826 header_line *h = header_list;
831 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
836 if (!(h = h->next)) goto DISASTER_NO_HEADER;
845 if (!rda_read_string(fd, &s)) goto DISASTER;
847 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
848 header_add(type, "%s", s);
852 /* Read the values of the $n variables */
854 if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
856 /* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
857 addresses and data to go with them. Keep them in the same order in the
860 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
861 yield == FF_FAIL || yield == FF_FREEZE)
863 address_item **nextp = generated;
867 int i, reply_options;
870 uschar *expandn[EXPAND_MAXN + 2];
872 /* First string is the address; NULL => end of addresses */
874 if (!rda_read_string(fd, &recipient)) goto DISASTER;
875 if (!recipient) break;
877 /* Hang on the end of the chain */
879 addr = deliver_make_addr(recipient, FALSE);
881 nextp = &(addr->next);
883 /* Next comes the mode and the flags fields */
885 if ( read(fd, &addr->mode, sizeof(addr->mode)) != sizeof(addr->mode)
886 || read(fd, &addr->flags, sizeof(addr->flags)) != sizeof(addr->flags)
887 || !rda_read_string(fd, &addr->prop.errors_address)
888 || read(fd, &i, sizeof(i)) != sizeof(i)
891 addr->prop.ignore_error = (i != 0);
893 /* Next comes a possible setting for $thisaddress and any numerical
894 variables for pipe expansion, terminated by a NULL string. The maximum
895 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
896 into the zeroth item in the vector - this is sorted out inside the pipe
899 for (i = 0; i < EXPAND_MAXN + 1; i++)
902 if (!rda_read_string(fd, &temp)) goto DISASTER;
903 if (i == 0) filter_thisaddress = temp; /* Just in case */
905 if (temp == NULL) break;
910 addr->pipe_expandn = store_get((i+1) * sizeof(uschar *), GET_UNTAINTED);
911 addr->pipe_expandn[i] = NULL;
912 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
915 /* Then an int containing reply options; zero => no reply data. */
917 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
918 if ((reply_options & REPLY_EXISTS) != 0)
920 addr->reply = store_get(sizeof(reply_item), GET_UNTAINTED);
922 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
923 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
925 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
927 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
929 !rda_read_string(fd, &addr->reply->to) ||
930 !rda_read_string(fd, &addr->reply->cc) ||
931 !rda_read_string(fd, &addr->reply->bcc) ||
932 !rda_read_string(fd, &addr->reply->from) ||
933 !rda_read_string(fd, &addr->reply->reply_to) ||
934 !rda_read_string(fd, &addr->reply->subject) ||
935 !rda_read_string(fd, &addr->reply->headers) ||
936 !rda_read_string(fd, &addr->reply->text) ||
937 !rda_read_string(fd, &addr->reply->file) ||
938 !rda_read_string(fd, &addr->reply->logfile) ||
939 !rda_read_string(fd, &addr->reply->oncelog))
945 /* All data has been transferred from the sub-process. Reap it, close the
946 reading end of the pipe, and we are done. */
949 while ((rc = wait(&status)) != pid)
950 if (rc < 0 && errno == ECHILD) /* Process has vanished */
952 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
957 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
961 *error = string_sprintf("internal problem in %s: failure to transfer "
962 "data from subprocess: status=%04x%s%s%s", rname,
964 *error ? US": error=" : US"",
965 *error ? *error : US"");
966 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
968 else if (status != 0)
969 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
970 "%04x from redirect subprocess (but data correctly received)", rname,
975 signal(SIGCHLD, oldsignal); /* restore */
979 /* Come here if the data indicates removal of a header that we can't find */
982 readerror = US" readerror=bad header identifier";
987 /* Come here is there's a shambles in transferring the data over the pipe. The
988 value of errno should still be set. */
991 readerror = string_sprintf(" readerror='%s'", strerror(errno));