The following issue has been CLOSED
======================================================================
http://www.dbmail.org/mantis/view.php?id=693
======================================================================
Reported By:                gordan
Assigned To:
======================================================================
Project:                    DBMail
Issue ID:                   693
Category:                   Database layer
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
target:
Resolution:                 unable to reproduce
Fixed in Version:
======================================================================
Date Submitted:             02-May-08 11:46 CEST
Last Modified:              12-May-08 17:11 CEST
======================================================================
Summary:                    Single quotes in folder names render the folder inaccessible and undeletable
Description:
A folder with single quotes in the name can be created, but cannot be
accessed/used/deleted via the IMAP interface.
This seems like a SQL quoting issue, which may indicate some potential SQL
injection attack vectors being available.
======================================================================

----------------------------------------------------------------------
 paul - 02-May-08 16:06
----------------------------------------------------------------------
I just tested this against 2.2.10:

> nc imap.nfg.nl imap
* OK dbmail imap (protocol version 4r1) server 2.2.10 ready to run
x login testuser1 test
x OK LOGIN completed
x list "" *
* LIST (\hasnochildren) "/" "INBOX"
* LIST (\hasnochildren) "/" "Sent"
* LIST (\hasnochildren) "/" "Trash"
x OK LIST completed
x create ta'Pal
x OK CREATE completed
x list "" *
* LIST (\hasnochildren) "/" "INBOX"
* LIST (\hasnochildren) "/" "Sent"
* LIST (\hasnochildren) "/" "Trash"
* LIST (\hasnochildren) "/" "ta'Pal"
x OK LIST completed
x delete ta'Pal
x OK DELETE completed
x list "" *
* LIST (\hasnochildren) "/" "INBOX"
* LIST (\hasnochildren) "/" "Sent"
* LIST (\hasnochildren) "/" "Trash"
x OK LIST completed

I don't see the problem, or at least, I'm unable to reproduce this. Could
be a client issue.

----------------------------------------------------------------------
 paul - 12-May-08 17:11
----------------------------------------------------------------------
I'm closing this report due to lack of feedback.

Issue History
Date Modified    Username  Field                Change
======================================================================
02-May-08 11:46  gordan    New Issue
02-May-08 16:06  paul      Note Added: 0002541
12-May-08 17:11  paul      Note Added: 0002549
12-May-08 17:11  paul      Status               new => closed
12-May-08 17:11  paul      Resolution           open => unable to reproduce
======================================================================
