On Wed, 2006-06-14 at 16:49 -0700, kbaker wrote:
> So I've been discussing the merits of DBMail on this thread for the past few
> days. They have a couple of users interested in building an IMAP server with an
> SQL back-end, so I thought I'd turn them onto DBMail.

Timo's a good guy, and I think he's thought of doing an SQL backend for
Dovecot, but has (wisely) chosen to focus on Maildir. He's written
probably the fastest Maildir implementation, and has personality points
over Mr. Sam of Courier.

> Anyway, after much discussion, the below message was posted. Was wondering if
> you guys had any thoughts on it. Thoughts about insecurity of SQL injection in
> current versions of DBMail....

Timo did make some of the original notes about SQL injection, and I've
been good at making sure that we're escaping our variables before
passing them into the queries. Ideally I think we should write our own
printf-style function that automagically escapes everything correctly.

> Is this something I should be concerned about... at this point I think the
> SQL back-end benefits outweigh any possible negatives, but was curious.

Every system has its potential security holes; the goal of the
programmer is to use idioms that make it easy to get things right.
We have several very convenient escaping functions now that we did not
have 2-3 years ago and that's helped a lot with getting things right the
first time.

> > ------------ Forwarded Message ------------
> > Date: Tuesday, June 13, 2006 9:43 AM +0300
> > From: Timo Sirainen <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Dovecot] DBMail versus Dovecot (was: Using MySQL to store email?)
[snip]
> > Or I guess I can give you one difference: Dovecot tries very hard to be
> > secure. DBMail then seems to keep adding SQL injection security holes. I
> > said about this to them a few years ago and they fixed them, but now
> > that I looked at the code a few months ago they had added more of those.

I think it's fair to ask Timo where the errors were. He's very proactive
about security, has pointed out issues to DBMail before, and has also
sent me patches for libSieve in the past. Dovecot's really picking up
steam now, so it's probably taking up most of his time, but still I'm
sure if he saw anything glaring he wouldn't mind sharing!

Aaron
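The three patterns discussed in the message above, side by side, as an added example that is not DBMail's, Dovecot's or Aaron's code: a login name pasted straight into the query text, the same query built through a printf-style helper that quotes every argument itself, and a parameterized query. It uses sqlite3 so it runs offline; DBMail targets MySQL and PostgreSQL, whose quoting rules differ, and the table, rows, payload and the helper names `sqlf` and `sql_quote` are constructed for this illustration.

```python
"""Looking up a user's mailboxes by login name three ways: vulnerable
concatenation, printf-style auto-quoting, and parameterized statements.

Added example, not DBMail or Dovecot code.  Uses sqlite3 so it runs
offline; the schema is a stand-in, not DBMail's real one.
"""
import sqlite3

# Constructed sample data: mailbox owner and mailbox name.
SAMPLE_ROWS = [
    ("alice", "INBOX"),
    ("alice", "Sent"),
    ("bob", "INBOX"),
    ("carol", "INBOX"),
]

# Constructed payload, as a client could send it as the user name in an
# IMAP LOGIN command.
INJECTION = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailboxes (owner TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO mailboxes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def mailboxes_unsafe(conn, login):
    """Vulnerable: the login name becomes part of the SQL text, so the
    payload turns the WHERE clause into  owner = '' OR '1'='1  and every
    user's mailboxes come back."""
    sql = "SELECT owner, name FROM mailboxes WHERE owner = '" + login + "'"
    return conn.execute(sql).fetchall()


def sql_quote(value):
    """Quote one string literal for SQLite/PostgreSQL-style SQL: wrap it in
    single quotes and double any embedded single quote.  MySQL (unless
    NO_BASCKSLASH_ESCAPES is set) also treats backslash as an escape
    character, so a MySQL build must use the server library's escaping
    routine instead.  The rule is dialect- and charset-specific, which is
    what makes hand escaping fragile."""
    if not isinstance(value, str):
        raise TypeError("only str values are quoted here")
    return "'" + value.replace("'", "''") + "'"


def sqlf(fmt, *args):
    """printf-style query builder that quotes every %s argument itself, so a
    caller cannot forget to escape: the idiom the message above asks for.
    Hypothetical helper written for this example."""
    parts = fmt.split("%s")
    if len(parts) - 1 != len(args):
        raise ValueError("argument count does not match %s placeholders")
    out = [parts[0]]
    for arg, tail in zip(args, parts[1:]):
        out.append(sql_quote(arg))
        out.append(tail)
    return "".join(out)


def mailboxes_escaped(conn, login):
    """Escaped: sqlf() quotes the literal, so the payload stays data."""
    sql = sqlf("SELECT owner, name FROM mailboxes WHERE owner = %s", login)
    return conn.execute(sql).fetchall()


def mailboxes_param(conn, login):
    """Parameterized: the driver passes the value separately from the SQL
    text, so no quoting rule has to be right.  Preferable to escaping."""
    sql = "SELECT owner, name FROM mailboxes WHERE owner = ?"
    return conn.execute(sql, (login,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe  :", mailboxes_unsafe(db, INJECTION))   # all four rows
    print("escaped :", mailboxes_escaped(db, INJECTION))  # []
    print("param   :", mailboxes_param(db, INJECTION))    # []
    print("param   :", mailboxes_param(db, "alice"))      # alice's two rows
```

The auto-quoting `sqlf` is the cheap fix for a code base that already builds query strings: it makes the safe call the easy one. It still depends on `sql_quote` matching the server's dialect and connection charset, so where the driver offers bound parameters, as in `mailboxes_param`, that is the version to standardize on.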
