Tom -
You aren't missing anything. restrictBox is implemented in a very
paranoid fashion, and almost certainly can be relaxed safely.
In designing the distribution rules for restrictBox, I didn't go by "what
is unsafe"; I went by "what might under some set of circumstances (that I
don't necessarily even know about) be unsafe." The whole idea being that
I don't have to deal with some security alert because restrictBox failed
to check for something. Arguably, I should go further and prohibit "%"
under restrictBox as well... ;-)
We don't use restrictBox here.
On Thu, 8 May 2008, Tom Leach wrote:
I need to ease the folder name restrictions imposed by restrictBox in
mailboxfile() but I have a couple of questions. First off, I have
restrictBox set to -1 so all flags are set.
Does the restriction of "//" have any meaning if we're not using Samba on a
Linux system? I'm trying to see where that would be a path security problem
but I just don't see an issue unless it could be a cifs one.
Second, we're moving from mbox to mix and an older (non-restrictBox set)
uw_imapd, and I have some people with .. in their folder names. The
restriction of ".." is preventing me from converting those boxes (and the use
of them by the owners) so i was thinking of changing
strstr (name,"..") to strstr (name,"/..") || strstr (name,"../") but I wanted
opinions on what cases I was missing. I've tried tossing in %2f to see if
that would be parsed as a / but so far, it's always be literal
(foo%2f..%2fbar instead of foo/../bar).
So, opinions on what I'm missing???
Thanks,
Tom Leach
[EMAIL PROTECTED]
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
