The following issue has been RESOLVED. ====================================================================== http://www.dbmail.org/mantis/view.php?id=693 ====================================================================== Reported By: gordan Assigned To: paul ====================================================================== Project: DBMail Issue ID: 693 Category: Database layer Reproducibility: always Severity: minor Priority: normal Status: resolved target: Resolution: fixed Fixed in Version: ====================================================================== Date Submitted: 02-May-08 11:46 CEST Last Modified: 30-May-09 15:51 CEST ====================================================================== Summary: Single quotes in folder names render the folder inaccessible and undeletable Description: A folder with single quotes in the name can be created, but cannot be accessed/used/deleted via the IMAP interface.
This seems like a SQL quoting issue, which may indicate some potential SQL injectionattack vectors being available. ====================================================================== ---------------------------------------------------------------------- (0002541) paul (administrator) - 02-May-08 16:06 http://www.dbmail.org/mantis/view.php?id=693#c2541 ---------------------------------------------------------------------- I just tested this against 2.2.10: > nc imap.nfg.nl imap * OK dbmail imap (protocol version 4r1) server 2.2.10 ready to run x login testuser1 test x OK LOGIN completed x list "" * * LIST (\hasnochildren) "/" "INBOX" * LIST (\hasnochildren) "/" "Sent" * LIST (\hasnochildren) "/" "Trash" x OK LIST completed x create ta'Pal x OK CREATE completed x list "" * * LIST (\hasnochildren) "/" "INBOX" * LIST (\hasnochildren) "/" "Sent" * LIST (\hasnochildren) "/" "Trash" * LIST (\hasnochildren) "/" "ta'Pal" x OK LIST completed x delete ta'Pal x OK DELETE completed x list "" * * LIST (\hasnochildren) "/" "INBOX" * LIST (\hasnochildren) "/" "Sent" * LIST (\hasnochildren) "/" "Trash" x OK LIST completed I don't see the problem, or at least, I'm unable to reproduce this. Could be a client issue. ---------------------------------------------------------------------- (0002549) paul (administrator) - 12-May-08 17:11 http://www.dbmail.org/mantis/view.php?id=693#c2549 ---------------------------------------------------------------------- I'm closing this report due to lack of feedback. ---------------------------------------------------------------------- (0002551) gordan (reporter) - 13-May-08 23:47 http://www.dbmail.org/mantis/view.php?id=693#c2551 ---------------------------------------------------------------------- In Thunderbird, create a folder called Mail. Inside that, create a folder called "Foo Bar". Inside that, create a folder called "Foos' A&B". This will produce a whole bunch of errors and after that the server will keep saying "specified mailbox does not exist". Doing the same thing with Courier IMAP as the back end works fine, so the problem appears to be DBMail specific. Deleting the folder also fails. Checking the dbmail_mailboxes table, the directory is there, but seems to be called "Mail/Foo Bar/Foos' A&-B" (note the - after ampersand). ---------------------------------------------------------------------- (0002552) paul (administrator) - 14-May-08 10:18 http://www.dbmail.org/mantis/view.php?id=693#c2552 ---------------------------------------------------------------------- Ok, I reproduced it now. ---------------------------------------------------------------------- (0002820) paul (administrator) - 30-May-09 15:51 http://www.dbmail.org/mantis/view.php?id=693#c2820 ---------------------------------------------------------------------- no longer an issue in the current git head Issue History Date Modified Username Field Change ====================================================================== 02-May-08 11:46 gordan New Issue 02-May-08 16:06 paul Note Added: 0002541 12-May-08 17:11 paul Note Added: 0002549 12-May-08 17:11 paul Status new => closed 12-May-08 17:11 paul Resolution open => unable to reproduce 13-May-08 23:47 gordan Status closed => feedback 13-May-08 23:47 gordan Resolution unable to reproduce => reopened 13-May-08 23:47 gordan Note Added: 0002551 14-May-08 10:18 paul Note Added: 0002552 14-May-08 10:18 paul Status feedback => confirmed 30-May-09 15:51 paul Note Added: 0002820 30-May-09 15:51 paul Assigned To => paul 30-May-09 15:51 paul Status confirmed => resolved 30-May-09 15:51 paul Resolution reopened => fixed ====================================================================== _______________________________________________ Dbmail-dev mailing list Dbmail-dev@dbmail.org http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
