Just released a new filter-rspamd with your diff, thanks
> On 14 Jun 2023, at 19:23, Omar Polo <o...@omarpolo.com> wrote:
>
> Hello,
>
> the `link-auth' event has the user first and the result of the
> operation after; this breaks when a username has a '|' character in
> it. Since this is triggered by the `auth login' command, anyone could
> send a user with a '|' and, depending on the filter used, make smtpd
> exit. (if the filter dies, smtpd does too)
>
> This was reported on the OpenSMTPD-portable github repository with
> Gilles' opensmtpd-filter-rspamd:
>
> https://github.com/OpenSMTPD/OpenSMTPD/issues/1213
>
> Diff below is straightforward and includes the documentation changes.
> I believe link-auth was forgotten in revision 1.61 of lka_filter.c
> when the mail-from/rcpt-to events got their fields swapped.
>
> For opensmtpd-filter-rspamd I have a corresponding diff that I'll send
> to Gilles as it is off-topic for tech@, but here it is too if you want
> to play with it:
>
> https://paste.omarpolo.com/9jtli2w
>
> To reproduce: (there may be quicker ways, this is just the first I
> found)
>
> # pkg_add rspamd opensmtpd-filter-rspamd
> # rcctl enable rspamd
> # rcctl start rspamd
>
> add the rspamd filter to /etc/mail/smtpd.conf
>
> filter "rspamd" proc-exec "filter-rspamd"
> listen on lo0 smtps pki localhost auth filter "rspamd"
>
> and try to do a login:
>
> $ nc -c -Tnoverify localhost 465
> helo localhost
> auth login
> b3xw
> MTMyNA==
>
>
> Thanks,
>
> Omar Polo
>
>
> diff /usr/src
> commit - 66c6b79616659a94b04092c9f103e3aa29809704
> path + /usr/src
> blob - 0c63657be21352fb1f060505250f7a9ef4fc8d8c
> file + usr.sbin/smtpd/lka_filter.c
> --- usr.sbin/smtpd/lka_filter.c
> +++ usr.sbin/smtpd/lka_filter.c
> @@ -24,7 +24,7 @@
> #include "smtpd.h"
> #include "log.h"
>
> -#define PROTOCOL_VERSION "0.6"
> +#define PROTOCOL_VERSION "0.7"
>
> struct filter;
> struct filter_session;
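Review bot: the bump of PROTOCOL_VERSION to "0.7" is the only signal a filter gets that the link-auth field order changed, and none of the smtpd-filters.7 hunks in this diff record which version made the switch. Suggest adding a sentence to the link-auth entry stating that the order is result, username from 0.7 on, so filter authors know to branch on the version they are handed.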
> @@ -1461,7 +1461,7 @@ lka_report_smtp_link_auth(const char *direction, struc
> fs->username = xstrdup(username);
> }
> report_smtp_broadcast(reqid, direction, tv, "link-auth", "%s|%s\n",
> - username, result);
> + result, username);
> }
>
> void
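Review bot: in the report_smtp_broadcast() call, username is still written verbatim into the "%s|%s\n" format, so the fix holds only for filters that stop splitting after result and take the rest of the line as the username; a filter that splits on every '|' still sees an extra field. A short comment above the call saying that username goes last because it may contain '|' would keep a later reordering from reintroducing the problem.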
> blob - 313404c111c77b099b3855f43252c26877874b17
> file + usr.sbin/smtpd/smtpd-filters.7
> --- usr.sbin/smtpd/smtpd-filters.7
> +++ usr.sbin/smtpd/smtpd-filters.7
> @@ -271,12 +271,9 @@ This event is generated upon disconnection of the clie
> the cipher suite used by the session and the cipher strength in bits.
> .It Ic link-disconnect
> This event is generated upon disconnection of the client.
> -.It Ic link-auth : Ar username result
> +.It Ic link-auth : Ar result username
> This event is generated upon an authentication attempt by the client.
> .Pp
> -.Ar username
> -contains the username used for the authentication attempt.
> -.Pp
> .Ar result
> contains the string
> .Dq pass ,
> @@ -284,6 +281,9 @@ depending on the result of the authentication attempt.
> or
> .Dq error
> depending on the result of the authentication attempt.
> +.Pp
> +.Ar username
> +contains the username used for the authentication attempt.
> .It Ic tx-reset : Op message-id
> This event is generated when a transaction is reset.
> .Pp
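Review bot: the re-added .Ar username paragraph says only that it "contains the username used for the authentication attempt" and gives no reason for moving it to the end. Suggest stating there that username is the last field and may contain '|', so filters must treat everything after result as the username.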
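As an added example (not code from this thread, from OpenSMTPD or from filter-rspamd), here is one way a Go filter could parse `link-auth` so that a '|' in the username is handled under both field orders and a malformed line yields an error instead of an exit. The report line layout and the "fail" result value are assumptions taken from smtpd-filters(7), the type and function names are hypothetical, and the sample line is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthEvent and parseLinkAuth are hypothetical names for this example.
type AuthEvent struct{ Result, Username string }

var errMalformed = errors.New("malformed link-auth report")

// Assumed layout: report|version|timestamp|subsystem|event|session|params.
// Errors are returned, never fatal: if the filter dies, smtpd does too.
func parseLinkAuth(line string) (AuthEvent, error) {
	f := strings.SplitN(strings.TrimRight(line, "\n"), "|", 7)
	if len(f) != 7 || f[0] != "report" || f[4] != "link-auth" {
		return AuthEvent{}, errMalformed
	}
	var major, minor int
	if _, err := fmt.Sscanf(f[1], "%d.%d", &major, &minor); err != nil {
		return AuthEvent{}, errMalformed
	}
	p := f[6]
	first, last := strings.Index(p, "|"), strings.LastIndex(p, "|")
	if first < 0 {
		return AuthEvent{}, errMalformed
	}
	// 0.7 and later send result|username: the username is the rest of the line.
	ev := AuthEvent{Result: p[:first], Username: p[first+1:]}
	if major == 0 && minor < 7 {
		// Older versions send username|result: the result follows the last '|'.
		ev = AuthEvent{Result: p[last+1:], Username: p[:last]}
	}
	switch ev.Result {
	case "pass", "fail", "error":
		return ev, nil
	}
	return AuthEvent{}, errMalformed
}

func main() {
	// Constructed sample line; "o|p" is the username from the reproduction above.
	ev, err := parseLinkAuth("report|0.7|1686763380.000000|smtp-in|link-auth|0123456789abcdef|fail|o|p\n")
	fmt.Println(ev, err)
}
```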