the Service method in ValidRcptHandler[1] contains

          if (tableName == null || tableName.equals("")) {
              table = (VirtualUserTable) arg0.lookup(VirtualUserTable.ROLE);
          } else {
              table = ((VirtualUserTableStore) arg0.lookup(VirtualUserTableStore.ROLE)).getTable(tableName);
          }

this raises questions about injection

 AFAICT VirtualUserTable.ROLE is only used for ValidRcptHandler

IMHO it would have been more natural for the table name check to be
performed in VirtualUserTableStore[2], with the default returned when
null or empty string is passed to getTable. this would allow
VirtualUserTableStore to be injected and used in any case.

opinions?

- robert

[1] http://james.apache.org/server/head/xref/org/apache/james/smtpserver/core/filter/fastfail/ValidRcptHandler.html
[2] http://james.apache.org/server/head/xref/org/apache/james/api/vut/VirtualUserTableStore.html
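
Added example, not code from the original message or from the James code base: a sketch of the arrangement proposed above, where getTable itself returns the default table for a null or empty name, so the handler needs only the store injected. The two interfaces are simplified stand-ins for the James ones, and DefaultingStore, Handler, name(), add(), setStore() and setTableName() are hypothetical names.

```java
import java.util.HashMap;
import java.util.Map;

public class DefaultTableSketch {
    // Simplified stand-in for the James interface; name() is hypothetical.
    interface VirtualUserTable { String name(); }

    // Stand-in for the store; only getTable(String) appears in the message.
    interface VirtualUserTableStore { VirtualUserTable getTable(String tableName); }

    // The store owns the "null or empty means default" rule.
    static class DefaultingStore implements VirtualUserTableStore {
        private final VirtualUserTable defaultTable;
        private final Map<String, VirtualUserTable> named = new HashMap<>();

        DefaultingStore(VirtualUserTable defaultTable) { this.defaultTable = defaultTable; }

        void add(VirtualUserTable table) { named.put(table.name(), table); }

        @Override
        public VirtualUserTable getTable(String tableName) {
            if (tableName == null || tableName.equals("")) {
                return defaultTable;
            }
            return named.get(tableName); // null when no such table is configured
        }
    }

    // The handler has a single injected dependency and no branch on tableName.
    static class Handler {
        private VirtualUserTableStore store;
        private String tableName; // stays null when not configured

        void setStore(VirtualUserTableStore store) { this.store = store; }
        void setTableName(String tableName) { this.tableName = tableName; }
        VirtualUserTable table() { return store.getTable(tableName); }
    }

    public static void main(String[] args) {
        DefaultingStore store = new DefaultingStore(() -> "default");
        store.add(() -> "LocalTable"); // constructed sample table name

        Handler handler = new Handler();
        handler.setStore(store);
        System.out.println(handler.table().name()); // no name configured
        handler.setTableName("");
        System.out.println(handler.table().name()); // empty name
        handler.setTableName("LocalTable");
        System.out.println(handler.table().name()); // named table
    }
}
```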
