Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- master, 3.6.0
- None
Description
Running a quick audit, I realise none of James' file-based components validates the underlying file names. One could inject a relative path to write files / read files at any location.
The affected components are:
- The file mail queue
- Maildir mailbox implementation
- Sieve file storage
- and FileMail repository
Regarding the fix:
- Enforce Sieve files to belong to the Sieve root
- Validate that created FileRepositories belong to the James root
- Drop the long deprecated FileMailQueue rather than fixing it...
- I also propose to drop the maildir implementation - unless someone else devotes himself to fixing it!
Regards,
Benoit
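
The "belongs to the root" check named in the fix list, as an added example that is not code from Apache James or from this ticket. The class name `RootJail` and the sample file names are hypothetical; only standard `java.nio.file` calls are used.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class RootJail {
    private final Path root;

    public RootJail(Path root) throws IOException {
        // Canonicalise the root once (resolves symlinks and ".." segments).
        this.root = root.toRealPath();
    }

    /** Resolves an untrusted name under the root, or throws if it escapes it. */
    public Path resolve(String untrustedName) throws IOException {
        // An absolute untrustedName replaces the root entirely; normalize() folds "..".
        Path candidate = root.resolve(untrustedName).normalize();
        // Path.startsWith compares whole path elements, so a sibling directory
        // such as "<root>-evil" does not pass, unlike String.startsWith.
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("Path escapes root: " + untrustedName);
        }
        // If the target already exists, also check where symlinks really lead.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new IllegalArgumentException("Symlink escapes root: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("sieve-root"); // constructed sample root
        RootJail jail = new RootJail(root);
        // Constructed sample names: the first is legitimate, the rest must be rejected.
        String[] names = {
            "bob/vacation.sieve",
            "../outside.sieve",
            "bob/../../outside.sieve",
            root.toString() + "-evil/script.sieve", // absolute sibling sharing a prefix
        };
        for (String name : names) {
            try {
                System.out.println("OK       " + jail.resolve(name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + name);
            }
        }
    }
}
```

The symlink check only covers targets that already exist; a file created later under a symlinked parent directory needs the same check applied to its parent before writing.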
Issue Links
- breaks: JAMES-3682 Validation/jail break detection of file url is breaking FileMailRepository initialization (Closed)