Thanks for pointing this out. This isn't really a security risk, so  
I'm not going to patch it immediately. The worst they can do is put  
their file in the spool directory. They can't overwrite other  
users' files, or replace the notes_to_myself file, or write anything  
outside the spool directory, or even write anything without an @ in  
the filename.

Putting them in directories based on the first two characters of the  
md5 hash of the JID would solve this.

I considered and rejected this initially because it makes the storage  
a little less transparent.

What do you all think?

---

James

On 13/07/2006, at 6:02 PM, Lucas Nussbaum wrote:

> Hi,
>
> Currently, Pymsnt used a hashing based on the first two chars of the
> JID. This causes two problems :
>
> 1) [EMAIL PROTECTED] is a valid JID. You can make pymsnt store foo's xml
> file outside the msn.bar.com dir, getting something such as :
>
> spool/
> spool/..foo%bar.com.xml
> spool/msn.bar.com/
> spool/msn.bar.com/notes_to_myself
> spool/msn.bar.com/*b/
>
> I would recommend replacing the non-[a-z0-9] chars with something such
> as "_". This would also solve the problem of filenames with chars you
> don't usually want (files starting with '-', containing '*', '?', ...)
>
> 2) The current hashing method is quite inefficient. On my server,  
> using:
> for i in *; do [ -d "$i" ] && cd "$i" && echo "$i $(ls | wc -l)" && cd ..;
> done | sort -k 2 -n
>
> I get :
> [...]
> vi 81
> an 82
> le 83
> be 84
> ju 86
> la 86
> ro 89
> th 94
> ca 96
> ni 97
> pa 100
> je 103
> fr 104
> da 107
> al 114
> mi 127
> ch 129
> ma 300
>
> Maybe we should hash based on the 3 first chars ? However, it wouldn't
> really solve the problem :
> # ls | cut -c 1-3 | uniq -c | sort -n
>       1 maa
>       1 mab
>       1 maf
>       1 mao
>       2 mae
>       2 mah
>       2 mau
>       2 mav
>       2 maz
>       3 mak
>       3 mam
>       4 may
>       8 mai
>       9 mal
>      10 mas
>      11 mad
>      14 mag
>      20 max
>      34 man
>      39 mac
>      45 mat
>      86 mar
>
> Lucas
> _______________________________________________
> py-transports mailing list
> [email protected]
> http://www.modevia.com/cgi-bin/mailman/listinfo/py-transports
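The two proposals in this thread (Lucas: replace every non-[a-z0-9] character with "_"; James: bucket by the first two hex digits of the JID's md5 instead of by the JID's own first two characters) can be checked side by side. The following Python is an added example written for this page, not pymsnt's code. It assumes the spool layout the listing above implies, spool/<transport host>/<two-character bucket>/<name>.xml, reconstructs that scheme in `unsafe_spool_path` to show how a JID beginning with ".." produces a ".." path component, and then builds the hardened path from both proposals plus a containment check that the file stays under spool/<host>/. Lower-casing before sanitising is an addition beyond Lucas's one-liner (XMPP node parts are case-insensitive), so that upper-case letters are not all collapsed to "_".

```python
import hashlib
import os
import re

# Assumed layout, following the listing in the thread:
#   spool/<transport host>/<bucket>/<name>.xml
SPOOL_ROOT = "spool"


def unsafe_spool_path(host, jid):
    """Reconstruction of the scheme the thread describes (not pymsnt's real code):
    the bucket directory is the first two characters of the JID, used verbatim.
    A JID such as '..foo%bar.com' therefore yields a '..' path component and the
    file lands one level up, directly in spool/ (the '..foo%bar.com.xml' entry)."""
    return os.path.join(SPOOL_ROOT, host, jid[:2], jid + ".xml")


def sanitize_name(jid):
    """Lucas's proposal: replace every character outside [a-z0-9] with '_'.
    This removes '/', '.', a leading '-', and shell globs such as '*' or '?'.
    Lower-casing first is an assumption added here (node parts are case-folded)."""
    name = re.sub(r"[^a-z0-9]", "_", jid.lower())
    if not name:
        raise ValueError("empty JID")
    return name


def bucket_for(jid):
    """James's proposal: bucket by the first two hex digits of md5(jid) rather
    than by the JID's own first two characters.  md5 only spreads files evenly
    across directories here; it is not relied on for any security property."""
    return hashlib.md5(jid.encode("utf-8")).hexdigest()[:2]


def escapes_host_dir(host, path):
    """True if normalising `path` resolves it outside spool/<host>/."""
    host_dir = os.path.normpath(os.path.join(SPOOL_ROOT, host))
    return not os.path.normpath(path).startswith(host_dir + os.sep)


def safe_spool_path(host, jid):
    """Combine both proposals, then verify the result is still inside spool/<host>/.
    The bucket is computed from the original JID, the file name from the
    sanitised one, so the bucket can never be '..' and the name never
    contains a separator."""
    path = os.path.join(SPOOL_ROOT, host, bucket_for(jid), sanitize_name(jid) + ".xml")
    if escapes_host_dir(host, path):  # belt and braces; cannot trigger after sanitising
        raise ValueError("spool path escapes the host directory: %r" % path)
    return path


if __name__ == "__main__":
    # Constructed input: the JID shape from Lucas's report.
    jid = "..foo%bar.com"
    print("unsafe:", unsafe_spool_path("msn.bar.com", jid),
          "escapes host dir:", escapes_host_dir("msn.bar.com", unsafe_spool_path("msn.bar.com", jid)))
    print("safe:  ", safe_spool_path("msn.bar.com", jid))
```

One caveat worth noting: sanitising is many-to-one ("a@b" and "a.b" both become "a_b"), so two distinct JIDs can map to the same file name. Taking the bucket from the md5 of the original JID keeps such pairs in different directories unless their two-digit prefixes happen to coincide, which is why the combination is preferable to either proposal on its own.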
