[JAMES-3646] Review of file based components - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: master, 3.6.0
Fix Version/s: 3.7.0
Component/s: mailbox, MailStore & MailRepository, Queue, sieve
Labels:
None

Description

Running a quick audit, I realise none of James file based components validates the underlying file names. One could inject relative path to write files / read files on any location.

The affected components are:

The file mail queue
Maildir mailbox implementation
Sieve file storage
and FileMail repository

Regarding the fix:

Enforce Sieve files to belong to the Sieve root
Validate that created FileRepositories belong to the James root
Drop the long deprecated FileMailQueue rather than fixing it...
I also proposes to drop the maildir implementation - unless someone else devote himself to fix it!

Regards,

Benoit

Attachments

Issue Links

breaks

JAMES-3682 Validation/jail break detection of file url is breaking FileMailRepository initialization

Closed

links to

GitHub Pull Request #636

GitHub Pull Request #637

GitHub Pull Request #646

GitHub Pull Request #659

GitHub Pull Request #661

(1 links to)

Activity

People

Assignee:: Unassigned

Reporter:: Benoit Tellier

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Sep/21 00:53

Updated:: 09/Dec/21 10:21

Resolved:: 03/Dec/21 07:53

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1.5h