[jira] [Commented] (JAMES-3682) Validation/jail break detection of file url is breaking FileMailRepository initialization

[Bernd Bartke (Jira)]

    [ 
https://issues.apache.org/jira/browse/JAMES-3682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456896#comment-17456896
 ] 

Bernd Bartke commented on JAMES-3682:
-------------------------------------

{quote}
Just a question: did you succeeded to run similar set up with 3.6.0?
{quote}
Yes. Same setup was working properly with 3.6.0 (on Windows and Linux).
When reverting back {{AbstractFileRepository:149}} (of 3.6.1)
from
{{-baseDirectory = fileSystem.getFileWithinBaseDir(destination);-}}
to
{{baseDirectory = fileSystem.getFile(destination);}}
setup is also working properly on Windows and Linux.

The mentioned values:
{noformat}
canonicalPath                                   : 
'C:\SomeFolder\james-server-app-3.6.1\var\mail\error'
jamesDirectoriesProvider.getAbsoluteDirectory() : '/'
jamesDirectoriesProvider.getRootDirectory()     : '../'
jamesDirectoriesProvider.getVarDirectory()      : '..//var/'
{noformat}
Please notice the value of var directory containing double slash.

> Validation/jail break detection of file url is breaking FileMailRepository 
> initialization
> -----------------------------------------------------------------------------------------
>
>                 Key: JAMES-3682
>                 URL: https://issues.apache.org/jira/browse/JAMES-3682
>             Project: James Server
>          Issue Type: Bug
>          Components: MailStore & MailRepository
>    Affects Versions: 3.6.1
>            Reporter: Bernd Bartke
>            Priority: Major
>
> The validation/jail break detection of a file url within 
> DefaultJamesResourceLoader is breaking FileMailRepository initialization.
> Within 
> {{org.apache.james.container.spring.context.JamesServerApplicationContext:40}}
>  the resource loader is being initialized with root directory {{../}}.
> When attempting to intialize file mail repository with url 
> {{file://var/mail/error}}, the validation of the file url will throw an 
> IOException in 
> {{org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51)}}:
> {{C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of 
> ../}}
> As within {{JamesServerResourceLoader}} the root directory {{../}} is not 
> resolved to a real path, the string startsWith checks within 
> {{DefaultJamesResourceLoader.validate}} are failing and will throw an 
> IOException.
> {noformat}
> 2021-12-09T11:00:23.495 DEBUG [main] 
> org.apache.james.container.spring.bean.factory.mailrepositorystore.MailRepositoryStoreBeanFactory
>  - obtained repository: 
> org.apache.james.mailrepository.file.FileMailRepository to handle: file
> 2021-12-09T11:00:23.502 DEBUG [main] 
> org.apache.james.mailrepository.file.FileMailRepository - 
> FileMailRepository.destinationURL: file://var/mail/error
> 2021-12-09T11:00:23.503 INFO [main] 
> org.apache.james.repository.file.AbstractFileRepository - Init 
> org.apache.james.repository.file.FilePersistentObjectRepository Store
> 2021-12-09T11:00:23.504 ERROR [main] 
> org.apache.james.mailrepository.file.FileMailRepository - Failed to retrieve 
> Store component
> org.apache.commons.configuration2.ex.ConfigurationException: Unable to acces 
> destination file://var/mail/error
>       at 
> org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:151)
>  ~[james-server-data-library-3.6.1.jar:3.6.1]
>       at 
> org.apache.james.repository.file.AbstractFileRepository.init(AbstractFileRepository.java:84)
>  ~[james-server-data-library-3.6.1.jar:3.6.1]
>       at 
> org.apache.james.mailrepository.file.FileMailRepository.init(FileMailRepository.java:140)
>  [james-server-data-file-3.6.1.jar:3.6.1]
> ...
> Caused by: java.io.IOException: 
> C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of ../
>       at 
> org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51)
>  ~[james-server-spring-3.6.1.jar:3.6.1]
>       at 
> org.apache.james.container.spring.context.JamesServerApplicationContext.validate(JamesServerApplicationContext.java:48)
>  ~[james-server-spring-3.6.1.jar:3.6.1]
>       at 
> org.apache.james.container.spring.filesystem.ResourceLoaderFileSystem.getFileWithinBaseDir(ResourceLoaderFileSystem.java:63)
>  ~[james-server-spring-3.6.1.jar:3.6.1]
>       at 
> org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:149)
>  ~[james-server-data-library-3.6.1.jar:3.6.1]
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org