I have been trying to understand why check_ccert_access does not work
with an inline:{} table and I believe I have uncovered a subtle bug.
My investigation has focused on
https://github.com/vdukhovni/postfix/blob/master/postfix/src/global/map_search.c
To cut to the chase, I believe line 161 should call mystrtokq() instead
of mystrtok().
Reasoning:
From http://www.postfix.org/postconf.5.html we have the example:
check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } }
From this, let's choose an "inline" table as per
http://www.postfix.org/DATABASE_README.html
check_ccert_access { inline:{ key=value, { key = text with whitespace or
comma }}, { search_order = cert_fingerprint, pubkey_fingerprint } }
Now let's see how the parser in map_search.c performs.
We can follow the code to the call:
map_search_create("{ inline:{ key=value, { key = text with whitespace or
comma }}, { search_order = cert_fingerprint, pubkey_fingerprint } }")
Line 156 detects this is a "Long form" because it starts with a "{"
Line 158 strips away the outermost pair of braces "{" "}" and then trims
whitespace, leaving:
"inline:{ key=value, { key = text with whitespace or comma }}, {
search_order = cert_fingerprint, pubkey_fingerprint }"
Line 161 then calls mystrtok() which splits the string at the next
whitespace separator - WITHOUT REGARD FOR BRACES.
So now we have:
map_type_name = "inline:{"
bp = "key=value, { key = text with whitespace or comma }}, {
search_order = cert_fingerprint, pubkey_fingerprint }"
THIS IS CLEARLY NOT WHAT WAS INTENDED
Line 183 expects bp to point to the attribute part, i.e. we want
bp = "{ search_order = cert_fingerprint, pubkey_fingerprint }"
What should have happened is the inline table should have been skimmed
over by counting opening and closing braces.
This is exactly what the function mystrtokq() does. "q" for "quote"
presumably.
Repeating the analysis, assuming line 161 calls mystrtokq(), we get
map_type_name = "inline:{ key=value, { key = text with whitespace or
comma }}"
bp = " { search_order = cert_fingerprint, pubkey_fingerprint }"
Line 183 now gives us:
attr_name_val = "{ search_order = cert_fingerprint, pubkey_fingerprint
}" and sanity follows.
This one character "q" in the source would have saved many hours of my
time.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org