  1. James Server
  2. JAMES-3646

Review of file based components


Details

    Description

      Running a quick audit, I realise none of James' file-based components validates the underlying file names. One could inject a relative path to write / read files at any location.

      The affected components are:

      • The file mail queue
      • Maildir mailbox implementation
      • Sieve file storage
      • and FileMail repository

      Regarding the fix:

      • Enforce Sieve files to belong to the Sieve root
      • Validate that created FileRepositories belong to the James root
      • Drop the long deprecated FileMailQueue rather than fixing it...
      • I also propose to drop the maildir implementation - unless someone else devotes himself to fixing it!

      Regards,

      Benoit
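
The containment check behind the first two fix items ("belong to the Sieve root", "belong to the James root"), as an added Java example that is not part of the issue or of James' own code. The class name, the root path and the sample names are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper (not a James class): confines a caller-supplied
// file name to a fixed root directory before any file I/O happens.
public class RootConfinedResolver {
    private final Path root;

    public RootConfinedResolver(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    public Path resolve(String untrustedName) throws IOException {
        if (untrustedName.indexOf('\0') >= 0) {
            throw new IOException("NUL character in file name");
        }
        // resolve() returns the argument itself when it is absolute;
        // normalize() then collapses "." and ".." segments lexically.
        Path candidate = root.resolve(untrustedName).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // /var/james/sieve-old does not pass as being under /var/james/sieve.
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IOException("'" + untrustedName + "' resolves outside " + root);
        }
        // Lexical check only: if symlinks can exist under the root, also
        // compare toRealPath() of the existing parent directory with the root.
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed root and sample names, for illustration only.
        RootConfinedResolver sieve = new RootConfinedResolver(Paths.get("/var/james/sieve"));
        String[] names = {
            "user@example.org/vacation.sieve",  // stays under the root
            "a/../user/ok.sieve",               // ".." that stays under the root
            "../../etc/passwd",                 // relative escape
            "../sieve-old/vacation.sieve",      // sibling sharing a string prefix
            "/etc/passwd"                       // absolute path replaces the root
        };
        for (String name : names) {
            try {
                System.out.println("accepted: " + name + " -> " + sieve.resolve(name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```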


            People

              Unassigned Unassigned
              btellier Benoit Tellier


                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 1.5h