Benoit Tellier created JAMES-3646:
-------------------------------------
Summary: Review of file based components
Key: JAMES-3646
URL: https://issues.apache.org/jira/browse/JAMES-3646
Project: James Server
Issue Type: Improvement
Components: sieve, mailbox, MailStore & MailRepository, Queue
Affects Versions: 3.6.0, master
Reporter: Benoit Tellier
Fix For: 3.7.0
Running a quick audit, I realise none of James' file-based components validates
the underlying file names. One could inject a relative path to write files / read
files at any location.
The affected components are:
- The file mail queue
- Maildir mailbox implementation
- Sieve file storage
- and FileMail repository
Regarding the fix:
- Enforce Sieve files to belong to the Sieve root
- Validate that created FileRepositories belong to the James root
- Drop the long deprecated FileMailQueue rather than fixing it...
- I also propose to drop the maildir implementation - unless someone else
devotes himself to fixing it!
Regards,
Benoit
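
The root-containment check proposed in the fix list above, as an added example (not code from Apache James or from this ticket). The class name `RootConfinement`, the method `resolveInside` and the sample names are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper for illustration; not a class from Apache James.
public class RootConfinement {

    // Resolves an untrusted name under root, rejecting anything that escapes it.
    static Path resolveInside(Path root, String untrustedName) throws IOException {
        Path realRoot = root.toRealPath(); // canonical root, symlinks resolved
        // resolve() returns the argument itself when it is absolute;
        // normalize() collapses "." and ".." segments.
        Path candidate = realRoot.resolve(untrustedName).normalize();
        // Path.startsWith compares whole name elements, so /data/sieve-evil
        // does not pass as a child of /data/sieve (String.startsWith would).
        if (!candidate.startsWith(realRoot) || candidate.equals(realRoot)) {
            throw new IOException("path escapes root: " + untrustedName);
        }
        // If the target already exists, re-check after resolving symlinks so a
        // link planted inside the root cannot redirect the access outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(realRoot)) {
            throw new IOException("symlink escapes root: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("sieve-root"); // constructed sample root
        // Constructed sample names: one legitimate, the rest traversal attempts.
        String[] names = {"alice/script.sieve", "../outside.sieve",
                          "alice/../../outside.sieve", "/etc/passwd"};
        for (String name : names) {
            try {
                resolveInside(root, name);
                System.out.println("accepted: " + name);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check only helps if every file access in the component goes through it and uses the returned `Path` rather than the original string.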