Skip to content
Snippets Groups Projects
Commit 63fe1864 authored by Stephan Bosch's avatar Stephan Bosch
Browse files

plugins: imap-sieve: Implement cumulative resource limits on script execution.

parent f9ebcd45
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/plugins/imapsieve/imap-sieve.c
+ 32
1
View file @ 63fe1864
...@@ -282,6 +282,8 @@ struct imap_sieve_run_script { ...@@ -282,6 +282,8 @@ struct imap_sieve_run_script {
/* Binary corrupt after recompile; don't recompile again */ /* Binary corrupt after recompile; don't recompile again */
bool binary_corrupt:1; bool binary_corrupt:1;
/* Resource usage exceeded */
bool rusage_exceeded:1;
}; };
struct imap_sieve_run { struct imap_sieve_run {
...@@ -563,6 +565,13 @@ imap_sieve_run_open_script(struct imap_sieve_run *isrun, ...@@ -563,6 +565,13 @@ imap_sieve_run_open_script(struct imap_sieve_run *isrun,
"Failed to %s script `%s'", "Failed to %s script `%s'",
compile_name, sieve_script_location(script)); compile_name, sieve_script_location(script));
break; break;
/* Cumulative resource limit exceeded */
case SIEVE_ERROR_RESOURCE_LIMIT:
e_error(sieve_get_event(svinst),
"Failed to open script `%s' for %s "
"(cumulative resource limit exceeded)",
sieve_script_location(script), compile_name);
break;
/* Something else */ /* Something else */
default: default:
e_error(sieve_get_event(svinst), e_error(sieve_get_event(svinst),
...@@ -668,10 +677,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun, ...@@ -668,10 +677,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun,
struct sieve_instance *svinst = isieve->svinst; struct sieve_instance *svinst = isieve->svinst;
struct imap_sieve_run_script *scripts = isrun->scripts; struct imap_sieve_run_script *scripts = isrun->scripts;
unsigned int count = isrun->scripts_count; unsigned int count = isrun->scripts_count;
struct sieve_resource_usage *rusage =
&scriptenv->exec_status->resource_usage;
struct sieve_multiscript *mscript; struct sieve_multiscript *mscript;
struct sieve_error_handler *ehandler; struct sieve_error_handler *ehandler;
struct sieve_script *last_script = NULL; struct sieve_script *last_script = NULL;
bool user_script = FALSE, more = TRUE; bool user_script = FALSE, more = TRUE, rusage_exceeded = FALSE;
enum sieve_compile_flags cpflags; enum sieve_compile_flags cpflags;
enum sieve_execute_flags exflags; enum sieve_execute_flags exflags;
enum sieve_error compile_error = SIEVE_ERROR_NONE; enum sieve_error compile_error = SIEVE_ERROR_NONE;
...@@ -696,6 +707,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun, ...@@ -696,6 +707,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun,
user_script = (script == isrun->user_script); user_script = (script == isrun->user_script);
last_script = script; last_script = script;
if (scripts[i].rusage_exceeded) {
rusage_exceeded = TRUE;
break;
}
sieve_resource_usage_init(rusage);
if (user_script) { if (user_script) {
cpflags |= SIEVE_COMPILE_FLAG_NOGLOBAL; cpflags |= SIEVE_COMPILE_FLAG_NOGLOBAL;
exflags |= SIEVE_EXECUTE_FLAG_NOGLOBAL; exflags |= SIEVE_EXECUTE_FLAG_NOGLOBAL;
...@@ -762,6 +779,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun, ...@@ -762,6 +779,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun,
else if (more) else if (more)
(void)sieve_save(sbin, FALSE, NULL); (void)sieve_save(sbin, FALSE, NULL);
} }
if (user_script && !sieve_record_resource_usage(sbin, rusage)) {
rusage_exceeded = ((i + 1) < count && more);
scripts[i].rusage_exceeded = TRUE;
break;
}
} }
/* Finish execution */ /* Finish execution */
...@@ -771,6 +794,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun, ...@@ -771,6 +794,12 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun,
isrun->user_ehandler : isieve->master_ehandler); isrun->user_ehandler : isieve->master_ehandler);
if (compile_error == SIEVE_ERROR_TEMP_FAILURE) { if (compile_error == SIEVE_ERROR_TEMP_FAILURE) {
ret = sieve_multiscript_tempfail(&mscript, ehandler, exflags); ret = sieve_multiscript_tempfail(&mscript, ehandler, exflags);
} else if (rusage_exceeded) {
i_assert(last_script != NULL);
(void)sieve_multiscript_tempfail(&mscript, ehandler, exflags);
sieve_error(ehandler, sieve_script_name(last_script),
"cumulative resource usage limit exceeded");
ret = SIEVE_EXEC_RESOURCE_LIMIT;
} else { } else {
ret = sieve_multiscript_finish(&mscript, ehandler, exflags, ret = sieve_multiscript_finish(&mscript, ehandler, exflags,
NULL); NULL);
...@@ -784,6 +813,8 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun, ...@@ -784,6 +813,8 @@ imap_sieve_run_scripts(struct imap_sieve_run *isrun,
return 1; return 1;
} }
if (last_script == NULL && ret == SIEVE_EXEC_OK)
return 0;
return imap_sieve_handle_exec_status(isrun, last_script, ret, return imap_sieve_handle_exec_status(isrun, last_script, ret,
scriptenv->exec_status, fatal_r); scriptenv->exec_status, fatal_r);
} }
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Consent

On this website, we use the web analytics service Matomo to analyze and review the use of our website. Through the collected statistics, we can improve our offerings and make them more appealing for you. Here, you can decide whether to allow us to process your data and set corresponding cookies for these purposes, in addition to technically necessary cookies. Further information on data protection—especially regarding "cookies" and "Matomo"—can be found in our privacy policy. You can withdraw your consent at any time.