On Sun, Sep 6, 2009 at 11:50 AM, Robert Burrell Donkin<[email protected]> wrote:
> the Service method in ValidRcptHandler[1] contains
>
> if (tableName == null || tableName.equals("")) {
>     table = (VirtualUserTable) arg0.lookup(VirtualUserTable.ROLE);
> } else {
>     table = ((VirtualUserTableStore)
>         arg0.lookup(VirtualUserTableStore.ROLE)).getTable(tableName);
> }
>
> this raises questions about injection
>
> AFAICT VirtualUserTable.ROLE is only used for ValidRcptHandler
>
> IMHO it would have been more natural for the table name check to be
> performed in VirtualUserTableStore[2], with the default returned when
> null or empty string is passed to getTable. this would allow
> VirtualUserTableStore to be injected and used in any case.
>
> opinions?

objections?

- robert

> - robert
>
> [1] http://james.apache.org/server/head/xref/org/apache/james/smtpserver/core/filter/fastfail/ValidRcptHandler.html
> [2] http://james.apache.org/server/head/xref/org/apache/james/api/vut/VirtualUserTableStore.html
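
The change proposed in the message above, sketched as an added example (not code from the James project or from the message's author). The two interfaces are simplified stand-ins that reuse the names VirtualUserTable and VirtualUserTableStore; name(), register(), DefaultingVirtualUserTableStore, RcptHandlerSketch and Demo are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified stand-ins for the James types named in the message (assumption).
interface VirtualUserTable {
    String name(); // hypothetical accessor, only to show which table was picked
}

interface VirtualUserTableStore {
    // Proposed contract: null or "" yields the default table.
    VirtualUserTable getTable(String tableName);
}

class DefaultingVirtualUserTableStore implements VirtualUserTableStore {
    private final Map<String, VirtualUserTable> tables = new HashMap<>();
    private final VirtualUserTable defaultTable;

    DefaultingVirtualUserTableStore(VirtualUserTable defaultTable) {
        this.defaultTable = defaultTable;
    }

    void register(String tableName, VirtualUserTable table) {
        tables.put(tableName, table);
    }

    public VirtualUserTable getTable(String tableName) {
        if (tableName == null || tableName.isEmpty()) {
            return defaultTable; // the check moved out of ValidRcptHandler
        }
        return tables.get(tableName); // null for an unknown name: caller decides
    }
}

// Hypothetical handler: one injected dependency, no container lookup, no branch.
class RcptHandlerSketch {
    final VirtualUserTable table;

    RcptHandlerSketch(VirtualUserTableStore store, String tableName) {
        this.table = store.getTable(tableName);
    }
}

public class Demo {
    public static void main(String[] args) {
        DefaultingVirtualUserTableStore store =
                new DefaultingVirtualUserTableStore(() -> "default");
        store.register("staff", () -> "staff"); // constructed sample table
        for (String n : new String[] {null, "", "staff"}) {
            System.out.println("[" + n + "] -> " + new RcptHandlerSketch(store, n).table.name());
        }
    }
}
```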
