The following issue has been RESOLVED. 
====================================================================== 
http://www.dbmail.org/mantis/view.php?id=252 
====================================================================== 
Reported By:                kaname
Assigned To:                
====================================================================== 
Project:                    DBMail
Issue ID:                   252
Category:                   IMAP daemon
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     resolved
Resolution:                 fixed
Fixed in Version:           SVN Trunk
====================================================================== 
Date Submitted:             18-Aug-05 05:58 CEST
Last Modified:              21-Mar-06 15:12 CET
====================================================================== 
Summary:                    If a single quotation is included in the mailbox
name at create mailbox, it is a problem.
Description: 
It is a problem that the mailbox ID is fetched before the check on the mailbox name.

It is dangerous that the user-input mailbox name can include a single quotation mark.

It is necessary to check the mailbox name before querying the DB.

====================================================================== 

---------------------------------------------------------------------- 
 aaron - 08-Feb-06 19:29  
---------------------------------------------------------------------- 
Unless quotes are illegal in mailbox names, I'd prefer to add better
escaping at the query level. I've added some more escapes into db.c; the
ones I didn't do are the regex queries because I am not sure if the
escaping would kill the regex. 
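
Added illustration (not DBMail's own code): the two approaches discussed in this thread side by side, in Python with an in-memory SQLite table standing in for the DBMail mailbox table. The table layout, the column names and the mailbox-name policy in mailbox_name_is_valid are assumptions chosen for the example; the point is the ordering (cheap string check before any DB round trip, as the reporter asks) and the query style (a bound parameter instead of a name spliced into SQL text, as aaron proposes), which together make a name containing a single quotation mark harmless data rather than a statement that fails to parse.

```python
import re
import sqlite3

# Constructed in-memory table standing in for DBMail's mailbox table.
# Assumption: the column names and sample rows are illustrative only.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mailboxes (mailbox_idnr INTEGER PRIMARY KEY, "
        "owner_idnr INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO mailboxes (owner_idnr, name) VALUES (?, ?)",
        [(1, "INBOX"), (1, "Sent"), (2, "INBOX")],
    )
    conn.commit()
    return conn

# Cheap syntactic check that runs before any database access.
# Assumption: an illustrative policy, not DBMail's actual rules. Quotes are
# deliberately allowed (they are legal in mailbox names); only control
# characters, the IMAP list wildcards and over-long names are rejected.
MAX_MAILBOX_NAME = 255
_BAD_CHARS = re.compile(r"[\x00-\x1f\x7f%*]")

def mailbox_name_is_valid(name: str) -> bool:
    return 0 < len(name) <= MAX_MAILBOX_NAME and _BAD_CHARS.search(name) is None

def find_mailbox_unsafe(conn, owner_idnr, name):
    # The pattern the report is about: the name is spliced into the SQL text,
    # so a name containing a single quotation mark breaks the statement.
    sql = ("SELECT mailbox_idnr FROM mailboxes WHERE owner_idnr = %d "
           "AND name = '%s'" % (owner_idnr, name))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def find_mailbox(conn, owner_idnr, name):
    # Hardened form: validate first, then bind the name as a parameter so the
    # driver handles quoting; the value is compared as data, never parsed as SQL.
    if not mailbox_name_is_valid(name):
        return None
    row = conn.execute(
        "SELECT mailbox_idnr FROM mailboxes WHERE owner_idnr = ? AND name = ?",
        (owner_idnr, name),
    ).fetchone()
    return row[0] if row else None

def create_mailbox(conn, owner_idnr, name):
    # Same ordering on the write path: reject bad names before touching the DB.
    if not mailbox_name_is_valid(name):
        raise ValueError("invalid mailbox name")
    if find_mailbox(conn, owner_idnr, name) is not None:
        raise ValueError("mailbox already exists")
    cur = conn.execute(
        "INSERT INTO mailboxes (owner_idnr, name) VALUES (?, ?)", (owner_idnr, name)
    )
    conn.commit()
    return cur.lastrowid

def demo():
    conn = build_db()
    results = {}
    results["inbox"] = find_mailbox(conn, 1, "INBOX")
    # A name with an apostrophe is legitimate data; the bound parameter handles it.
    quoted = "Bob's mail"
    results["created"] = create_mailbox(conn, 1, quoted)
    results["lookup_quoted"] = find_mailbox(conn, 1, quoted)
    # The string-spliced query cannot even be parsed for the same name.
    try:
        find_mailbox_unsafe(conn, 1, quoted)
        results["unsafe_error"] = None
    except sqlite3.OperationalError as exc:
        results["unsafe_error"] = type(exc).__name__
    # A name failing the cheap check never causes a database round trip.
    results["wildcard_rejected"] = find_mailbox(conn, 1, "IN*")
    return results

if __name__ == "__main__":
    print(demo())
```

Note that the validity check and the parameter binding address different things: the check keeps invalid names from costing a query at all, while the binding is what makes any name that passes the check safe to compare, so dropping either one leaves a gap.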

---------------------------------------------------------------------- 
 kaname - 10-Mar-06 09:53  
---------------------------------------------------------------------- 
I am Japanese. Please forgive my poor English.

The content of the Summary was not appropriate.

What I wanted to say is that you should check the mailbox name before
accessing the DB to acquire the mailbox ID.
The cost of connecting to the DB is high compared to checking the
character string.
It is wiser to check the mailbox name first. 

---------------------------------------------------------------------- 
 paul - 21-Mar-06 15:12  
---------------------------------------------------------------------- 
patch applied 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
18-Aug-05 05:58 kaname         New Issue                                    
18-Aug-05 05:58 kaname         File Added: dbmail-escape5.patch                 
08-Feb-06 19:29 aaron          Note Added: 0000997                          
10-Mar-06 09:53 kaname         Note Added: 0001033                          
21-Mar-06 15:12 paul           Note Added: 0001046                          
21-Mar-06 15:12 paul           Status                   new => resolved     
21-Mar-06 15:12 paul           Resolution               open => fixed       
21-Mar-06 15:12 paul           Fixed in Version          => SVN Trunk       
======================================================================