From: Mira Limbeck
To: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api] ruledb: match field: improve handling of invalid regular expressions
Date: Fri, 14 Apr 2023 12:12:55 +0200
Message-ID: <4eadce09-564c-b565-8ace-87b516f69f36@proxmox.com>
In-Reply-To: <20230414091458.1517612-1-d.csapak@proxmox.com>
References: <20230414091458.1517612-1-d.csapak@proxmox.com>
List-Id: Proxmox Mail Gateway development discussion

On 4/14/23 11:14, Dominik Csapak wrote:
> by not saving them in the first place if they die during execution.
> We test this by using them once on an empty string.
>
> Since users may have saved already invalid ones, only warn if we encounter
> such a regex in 'parse_entity' during execution instead of die'ing. Otherwise
> pmg-smtp-filter will exit and restart, possibly leading to wrongly denying
> mails (and possibly sending out NDRs) before spam checking was done.
>
> Signed-off-by: Dominik Csapak
> ---
> src/PMG/RuleDB/MatchField.pm | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/src/PMG/RuleDB/MatchField.pm b/src/PMG/RuleDB/MatchField.pm > index 2b56058..177a283 100644 > --- a/src/PMG/RuleDB/MatchField.pm > +++ b/src/PMG/RuleDB/MatchField.pm > @@ -69,7 +69,13 @@ sub save { > > defined($self->{ogroup}) || die "undefined ogroup: ERROR"; > > - my $new_value = "$self->{field}:$self->{field_value}"; > + my $regex = $self->{field_value}; > + > + # test regex for validity > + eval { "" =~ /$regex/i; }; > + die "invalid regex: $@\n" if $@; > + > + my $new_value = "$self->{field}:$regex"; > $new_value =~ s/\\/\\\\/g; > $new_value = encode('UTF-8', $new_value);
> > @@ -111,9 +117,12 @@ sub parse_entity { > my $decvalue = PMG::Utils::decode_rfc1522($value); > $decvalue = PMG::Utils::try_decode_utf8($decvalue); > > - if ($decvalue =~ m|$self->{field_value}|i) { > - push @$res, $id; > - } > + eval { > + if ($decvalue =~ m|$self->{field_value}|i) { > + push @$res, $id; > + } > + }; > + warn "invalid regex: $@\n" if $@; > } > } >

Tested adding:
* Match Field - fixed
* Content Type Filter - fixed
* Match Filename - not affected since it is anchored
* Archive Filter - fixed
* Match Archive Filename - not affected since it is anchored

pmg-smtp-filter no longer exits with errors and mail is passed through the rule system correctly with this patch.

previous log entries:
Apr 14 10:58:10 pmg pmg-smtp-filter[945]: Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE asdfas/ at /usr/share/perl5/PMG/RuleDB/MatchField.pm line 114.
Apr 14 10:58:10 pmg pmg-smtp-filter[945]: fast exit because of errors (free 300843008 bytes)
Apr 14 10:58:10 pmg postfix/lmtp[1029]: 513D338013E: to=, relay=127.0.0.1[127.0.0.1]:10023, delay=0.11, delays=0.05/0/0.05/0.01, dsn=4.4.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.4.0 detected undelive>

new log entries:
Apr 14 12:04:58 pmg pmg-smtp-filter[6204]: WARNING: invalid regex: Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE asdfas/ at /usr/share/perl5/PMG/RuleDB/MatchField.pm line 121.
Apr 14 12:04:58 pmg pmg-smtp-filter[6204]: 38029D6439254AEA3F9: moved mail for to spam quarantine - 3804B76439254AEDA25 (rule: block all)
Apr 14 12:04:58 pmg pmg-smtp-filter[6204]: 38029D6439254AEA3F9: processing time: 0.021 seconds (0, 0.01, 0)

Tested-by: Mira Limbeck
Reviewed-by: Mira Limbeck
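
Review bot: In 'save' (hunk @@ -69,7 +69,13 @@), the check reads $@ in a separate statement after the eval, which only works as long as nothing resets $@ in between; testing the eval's own result is the more robust idiom, and qr// states the compile-only intent more directly than matching against an empty string, e.g. eval { qr/$regex/i } or die "invalid regex: $@\n"; Also note that $@ already carries Perl's "at ... MatchField.pm line N." suffix (visible in the log lines of the test report), so the error handed back to the caller includes the module path and line; consider trimming that before reporting it.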
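
Review bot: In 'parse_entity' (hunk @@ -111,9 +117,12 @@), the eval and the warn sit inside the innermost block, after $decvalue is computed, so a stored invalid regex is recompiled, fails and logs a warning once per decoded value rather than once per object. Compiling $self->{field_value} once before the loops inside an eval, warning once and skipping the matching if that fails would keep the log quiet and leave the match itself without an eval. The warning would also be easier to act on if it named the affected field, for example by including $self->{field} in the message, so the admin can locate the object that needs fixing.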