A NOTE has been added to this issue.
======================================================================
http://www.dbmail.org/mantis/view.php?id=252
======================================================================
Reported By:                kaname
Assigned To:
======================================================================
Project:                    DBMail
Issue ID:                   252
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
======================================================================
Date Submitted:             18-Aug-05 05:58 CEST
Last Modified:              08-Feb-06 19:29 CET
======================================================================
Summary:                    If a single quotation is included in the mailbox name at create mailbox, it is a problem.
Description:
It is a problem that gets mailbox ID before the check on the mailbox name.
It is dangerous in the mailbox name that the user input including a single quotation. It is necessary to check the mailbox name before it inquires of DB.
======================================================================

----------------------------------------------------------------------
 aaron - 08-Feb-06 19:29
----------------------------------------------------------------------
Unless quotes are illegal in mailbox names, I'd prefer to add better escaping at the query level. I've added some more escaping into db.c; the ones I didn't do are the regex queries because I am not sure if the escaping would kill the regex.

Issue History
Date Modified   Username       Field                    Change
======================================================================
18-Aug-05 05:58 kaname         New Issue
18-Aug-05 05:58 kaname         File Added: dbmail-escape5.patch
08-Feb-06 19:29 aaron          Note Added: 0000997
======================================================================
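
The two escaping layers discussed in this issue, as an added example that is not part of the original report, the attached patch, or DBMail's db.c: a mailbox name is escaped for a SQL string literal, and for a pattern query the regex metacharacters are escaped first and the SQL layer is applied last. The table and column names, the function names, and the PostgreSQL-style `~` operator are assumptions made for illustration, and the SQL layer assumes a server where only `'` is special inside a string literal.

```c
#include <stdio.h>
#include <string.h>

/* Prefix each byte of src found in `special` with `esc`.
 * Returns 0 on success, -1 if dst (dstlen bytes) is too small. */
static int escape(const char *src, char *dst, size_t dstlen,
                  const char *special, char esc)
{
    size_t o = 0;
    for (; *src; src++) {
        size_t need = strchr(special, *src) ? 2 : 1;
        if (o + need >= dstlen) return -1;
        if (need == 2)
            dst[o++] = esc;
        dst[o++] = *src;
    }
    if (o >= dstlen) return -1;
    dst[o] = '\0';
    return 0;
}

/* Exact-match lookup (hypothetical table/column names). Assumption: only '
 * is special in a string literal (standard SQL); where that does not hold,
 * use the driver's own escape call or bound parameters instead. */
int mailbox_exact_query(const char *name, char *out, size_t outlen)
{
    char lit[512];
    if (escape(name, lit, sizeof lit, "'", '\''))
        return -1;
    int n = snprintf(out, outlen, "SELECT id FROM mailboxes WHERE name = '%s'", lit);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Pattern lookup: regex metacharacters first, SQL-literal layer last, so the
 * quote doubling never touches the backslashes the regex layer added. */
int mailbox_regex_query(const char *name, char *out, size_t outlen)
{
    char re[256], lit[512];
    if (escape(name, re, sizeof re, ".^$*+?()[]{}|\\", '\\') ||
        escape(re, lit, sizeof lit, "'", '\''))
        return -1;
    int n = snprintf(out, outlen, "SELECT id FROM mailboxes WHERE name ~ '^%s$'", lit);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char q[600];
    if (mailbox_regex_query("bob's.box", q, sizeof q) == 0) /* constructed name */
        puts(q);
    return 0;
}
```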
