A NOTE has been added to this issue. ====================================================================== http://www.dbmail.org/mantis/view.php?id=693 ====================================================================== Reported By: gordan Assigned To: ====================================================================== Project: DBMail Issue ID: 693 Category: Database layer Reproducibility: always Severity: minor Priority: normal Status: new target: ====================================================================== Date Submitted: 02-May-08 11:46 CEST Last Modified: 02-May-08 16:06 CEST ====================================================================== Summary: Single quotes in folder names render the folder inaccessible and undeletable Description: A folder with single quotes in the name can be created, but cannot be accessed/used/deleted via the IMAP interface.
This seems like a SQL quoting issue, which may indicate some potential SQL injectionattack vectors being available. ====================================================================== ---------------------------------------------------------------------- paul - 02-May-08 16:06 ---------------------------------------------------------------------- I just tested this against 2.2.10: > nc imap.nfg.nl imap * OK dbmail imap (protocol version 4r1) server 2.2.10 ready to run x login testuser1 test x OK LOGIN completed x list "" * * LIST (\hasnochildren) "/" "INBOX" * LIST (\hasnochildren) "/" "Sent" * LIST (\hasnochildren) "/" "Trash" x OK LIST completed x create ta'Pal x OK CREATE completed x list "" * * LIST (\hasnochildren) "/" "INBOX" * LIST (\hasnochildren) "/" "Sent" * LIST (\hasnochildren) "/" "Trash" * LIST (\hasnochildren) "/" "ta'Pal" x OK LIST completed x delete ta'Pal x OK DELETE completed x list "" * * LIST (\hasnochildren) "/" "INBOX" * LIST (\hasnochildren) "/" "Sent" * LIST (\hasnochildren) "/" "Trash" x OK LIST completed I don't see the problem, or at least, I'm unable to reproduce this. Could be a client issue. Issue History Date Modified Username Field Change ====================================================================== 02-May-08 11:46 gordan New Issue 02-May-08 16:06 paul Note Added: 0002541 ====================================================================== _______________________________________________ Dbmail-dev mailing list [email protected] http://twister.fastxs.net/mailman/listinfo/dbmail-dev
