Bernd Bartke created JAMES-3682:
-----------------------------------
Summary: Validation/jail break detection of file url is breaking
FileMailRepository initialization
Key: JAMES-3682
URL: https://issues.apache.org/jira/browse/JAMES-3682
Project: James Server
Issue Type: Bug
Components: MailStore & MailRepository
Affects Versions: 3.6.1
Reporter: Bernd Bartke
The validation/jail break detection of a file url within
DefaultJamesResourceLoader is breaking FileMailRepository initialization.
Within
{{org.apache.james.container.spring.context.JamesServerApplicationContext:40}}
the resource loader is being initialized with root directory {{../}}.
When attempting to initialize file mail repository with url
{{file://var/mail/error}}, the validation of the file url will throw an
IOException in
{{org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51)}}:
{{C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of
../}}
As within {{JamesServerResourceLoader}} the root directory {{../}} is not
resolved to a real path, the string startsWith checks within
{{DefaultJamesResourceLoader.validate}} are failing and will throw an
IOException.
{noformat}
2021-12-09T11:00:23.495 DEBUG [main]
org.apache.james.container.spring.bean.factory.mailrepositorystore.MailRepositoryStoreBeanFactory
- obtained repository: org.apache.james.mailrepository.file.FileMailRepository
to handle: file
2021-12-09T11:00:23.502 DEBUG [main]
org.apache.james.mailrepository.file.FileMailRepository -
FileMailRepository.destinationURL: file://var/mail/error
2021-12-09T11:00:23.503 INFO [main]
org.apache.james.repository.file.AbstractFileRepository - Init
org.apache.james.repository.file.FilePersistentObjectRepository Store
2021-12-09T11:00:23.504 ERROR [main]
org.apache.james.mailrepository.file.FileMailRepository - Failed to retrieve
Store component
org.apache.commons.configuration2.ex.ConfigurationException: Unable to acces
destination file://var/mail/error
at
org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:151)
~[james-server-data-library-3.6.1.jar:3.6.1]
at
org.apache.james.repository.file.AbstractFileRepository.init(AbstractFileRepository.java:84)
~[james-server-data-library-3.6.1.jar:3.6.1]
at
org.apache.james.mailrepository.file.FileMailRepository.init(FileMailRepository.java:140)
[james-server-data-file-3.6.1.jar:3.6.1]
...
Caused by: java.io.IOException:
C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of ../
at
org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51)
~[james-server-spring-3.6.1.jar:3.6.1]
at
org.apache.james.container.spring.context.JamesServerApplicationContext.validate(JamesServerApplicationContext.java:48)
~[james-server-spring-3.6.1.jar:3.6.1]
at
org.apache.james.container.spring.filesystem.ResourceLoaderFileSystem.getFileWithinBaseDir(ResourceLoaderFileSystem.java:63)
~[james-server-spring-3.6.1.jar:3.6.1]
at
org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:149)
~[james-server-data-library-3.6.1.jar:3.6.1]
{noformat}
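
The failure mode described in this report, as an added Java example (not James source code and not part of the original message): a canonicalized candidate path can never start with the raw string {{../}}, so the check rejects a legitimate repository path. The class and method names are hypothetical, the sample paths are constructed, and the example goes one step beyond the report by also showing why the comparison should be component-wise rather than a string prefix.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Hypothetical demo class; names are illustrative and not taken from James.
public class JailCheckDemo {

    // Assumed shape of the failing check: the candidate is canonicalized,
    // but the root is still the raw relative string it was configured with.
    static boolean naiveInsideJail(String root, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(root);
    }

    // Canonicalize both sides, then compare path components, not characters.
    static boolean insideJail(String root, File candidate) throws IOException {
        Path jail = new File(root).getCanonicalFile().toPath();
        Path target = candidate.getCanonicalFile().toPath();
        return target.startsWith(jail);
    }

    public static void main(String[] args) throws IOException {
        // Assumes the working directory is at least two levels below the
        // filesystem root, so that "../" is not the filesystem root itself.
        String root = "../";
        String canonicalRoot = new File(root).getCanonicalPath();

        // Constructed sample paths.
        File legit = new File(root, "var/mail/error");
        File escape = new File(root, "../outside/secret");
        File sibling = new File(canonicalRoot + "-sibling", "secret");

        for (File f : new File[] {legit, escape, sibling}) {
            System.out.printf("%s%n  naive=%b  canonical-string-prefix=%b  component-wise=%b%n",
                    f.getCanonicalPath(),
                    naiveInsideJail(root, f),
                    f.getCanonicalPath().startsWith(canonicalRoot),
                    insideJail(root, f));
        }
    }
}
```

The naive check rejects all three paths, including the legitimate one; a string prefix on the canonical root accepts the sibling directory, which only the component-wise comparison rejects.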