[ https://issues.apache.org/jira/browse/JAMES-3646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3646.
---------------------------------
Resolution: Fixed
> Review of file based components
> -------------------------------
>
> Key: JAMES-3646
> URL: https://issues.apache.org/jira/browse/JAMES-3646
> Project: James Server
> Issue Type: Improvement
> Components: mailbox, MailStore & MailRepository, Queue, sieve
> Affects Versions: master, 3.6.0
> Reporter: Benoit Tellier
> Priority: Major
> Fix For: 3.7.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Running a quick audit, I realise none of James' file-based components
> validates the underlying file names. One could inject a relative path to write
> files / read files at any location.
> The affected components are:
> - The file mail queue
> - Maildir mailbox implementation
> - Sieve file storage
> - and FileMail repository
> Regarding the fix:
> - Enforce Sieve files to belong to the Sieve root
> - Validate that created FileRepositories belong to the James root
> - Drop the long deprecated FileMailQueue rather than fixing it...
> - I also propose to drop the maildir implementation - unless someone else
> devotes himself to fixing it!
> Regards,
> Benoit
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
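
The fix items in the issue (Sieve files must belong to the Sieve root, created FileRepositories to the James root) come down to a containment check on the normalised path. The Java below is an added example, not code from James or from the issue; the class `RootConfinement`, its `resolve` method and the sample file names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper, not James code: confines user-derived file names to a storage root.
public class RootConfinement {
    private final Path root;

    public RootConfinement(Path root) throws IOException {
        // Resolve symlinks in the root once so later comparisons use the real location.
        this.root = root.toRealPath();
    }

    public Path resolve(String untrustedName) throws IOException {
        // resolve() returns the argument unchanged when it is absolute, so a name
        // such as "/etc/passwd" has to be caught by the containment check below.
        Path candidate = root.resolve(untrustedName).normalize();
        // Path.startsWith compares whole name elements, so "/data/sieve-evil" does
        // not pass as a child of "/data/sieve" the way String.startsWith would allow.
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IOException("Path escapes storage root: " + untrustedName);
        }
        // If the target already exists, follow symlinks and re-check the real location.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new IOException("Symlink escapes storage root: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("sieve-root"); // constructed sample root
        RootConfinement sieveRoot = new RootConfinement(root);
        // Constructed sample names: one legitimate, three that must be rejected.
        String[] names = {
            "alice/script.sieve",
            "../outside.sieve",
            "alice/../../outside.sieve",
            "/etc/passwd"
        };
        for (String name : names) {
            try {
                System.out.println("accepted: " + sieveRoot.resolve(name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```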