On Wed, Feb 11, 2009 at 12:55:31AM -0500, post...@corwyn.net wrote:
> At 11:04 PM 2/10/2009, post...@corwyn.net wrote:
>> At 05:24 PM 2/10/2009, mouss wrote:
>> While I can readily create a user b...@example.com, who has a default
>> maildir location for that sql of 'example.com/bob/' I can't quite figure
>> out how to change the SQL to get the folder for bob+t...@example.com to
>> return:
>>
>> 'example.com/bob/Maildir/.test' without breaking everything else?
>
> To answer my own question (more correctly)
> SELECT
> CONCAT(maildir,'Maildir/',if(INSTR(username,'+'),'.',''),if(INSTR(username,'+'),MID(username,INSTR(username,'+')+1,INSTR(username,'@')-INSTR(username,'+')-1),''))
>
> FROM mailbox
This is a bad idea. You are allowing external parties to construct
mailbox filenames on your system. Potential for various directory pathname
injection attacks:
user+./../../not/where/you/exp...@example.com
You must specifically designate which folders are addressible in this way,
or at least limit the character-set of acceptable extensions.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
