Tom -

You aren't missing anything. restrictBox is implemented in a very paranoid fashion, and almost certainly can be relaxed safely.

In designing the distribution rules for restrictBox, I didn't go by "what is unsafe"; I went by "what might under some set of circumstances (that I don't necessarily even know about) be unsafe." The whole idea being that I don't have to deal with some security alert because restrictBox failed to check for something. Arguably, I should go further and prohibit "%" under restrictBox as well... ;-)

We don't use restrictBox here.

On Thu, 8 May 2008, Tom Leach wrote:
I need to ease the folder name restrictions imposed by restrictBox in mailboxfile() but I have a couple of questions. First off, I have restrictBox set to -1 so all flags are set. Does the restriction of "//" have any meaning if we're not using Samba on a Linux system? I'm trying to see where that would be a path security problem but I just don't see an issue unless it could be a cifs one. Second, we're moving from mbox to mix and an older (non-restrictBox set) uw_imapd, and I have some people with .. in their folder names. The restriction of ".." is preventing me from converting those boxes (and the use of them by the owners) so i was thinking of changing strstr (name,"..") to strstr (name,"/..") || strstr (name,"../") but I wanted opinions on what cases I was missing. I've tried tossing in %2f to see if that would be parsed as a / but so far, it's always be literal (foo%2f..%2fbar instead of foo/../bar).
So, opinions on what I'm missing???
Thanks,
Tom Leach
[EMAIL PROTECTED]
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw


-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw

Reply via email to