1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
From 6f3145006b41a4ec464eed4093553a335d35e8ac Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Thu, 26 Feb 2026 11:52:53 +0400
Subject: [PATCH] Mail: host validation.
Now host name resolved from client address is validated to only contain
the characters specified in RFC 1034, Section 3.5. The validation allows
to avoid injections when using the resolved host name in auth_http and
smtp proxy.
Reported by Asim Viladi Oglu Manizada, Colin Warren,
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
Bird Liu (Lanzhou University).
---
src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
index 1e26c2c8d7..97bbd70631 100644
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@@ -13,6 +13,7 @@
static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
+static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
return;
}
+ if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "%V resolved to invalid host name \"%V\"",
+ &c->addr_text, &ctx->name);
+
+ s->host = smtp_tempunavail;
+
+ ngx_resolve_addr_done(ctx);
+
+ ngx_mail_smtp_greeting(s, s->connection);
+
+ return;
+ }
+
c->log->action = "in resolving client hostname";
s->host.data = ngx_pstrdup(c->pool, &ctx->name);
@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
}
+static ngx_int_t
+ngx_mail_smtp_validate_host(ngx_str_t *name)
+{
+ u_char ch;
+ ngx_uint_t i;
+
+ if (name->len == 0) {
+ return NGX_DECLINED;
+ }
+
+ for (i = 0; i < name->len; i++) {
+ ch = name->data[i];
+
+ /* allow only characters from RFC 1034, Section 3.5 */
+
+ if ((ch >= 'a' && ch <= 'z')
+ || (ch >= 'A' && ch <= 'Z')
+ || (ch >= '0' && ch <= '9')
+ || ch == '-' || ch == '.')
+ {
+ continue;
+ }
+
+ return NGX_DECLINED;
+ }
+
+ return NGX_OK;
+}
+
+
static void
ngx_mail_smtp_resolve_name(ngx_event_t *rev)
{
|
