[
https://issues.apache.org/jira/browse/JAMES-3682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benoit Tellier closed JAMES-3682.
---------------------------------
Resolution: Fixed
> Validation/jail break detection of file url is breaking FileMailRepository
> initialization
> -----------------------------------------------------------------------------------------
>
> Key: JAMES-3682
> URL: https://issues.apache.org/jira/browse/JAMES-3682
> Project: James Server
> Issue Type: Bug
> Components: MailStore & MailRepository
> Affects Versions: 3.6.1
> Reporter: Bernd Bartke
> Priority: Major
> Attachments: Validate_normalized_paths.patch
>
>
> The validation/jail break detection of a file url within
> DefaultJamesResourceLoader is breaking FileMailRepository initialization.
> Within
> {{org.apache.james.container.spring.context.JamesServerApplicationContext:40}}
> the resource loader is being initialized with root directory {{../}}.
> When attempting to initialize file mail repository with url
> {{file://var/mail/error}}, the validation of the file url will throw an
> IOException in
> {{org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51)}}:
> {{C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of
> ../}}
> As within {{JamesServerResourceLoader}} the root directory {{../}} is not
> resolved to a real path, the string startsWith checks within
> {{DefaultJamesResourceLoader.validate}} are failing and will throw an
> IOException.
> {noformat}
> 2021-12-09T11:00:23.495 DEBUG [main]
> org.apache.james.container.spring.bean.factory.mailrepositorystore.MailRepositoryStoreBeanFactory
> - obtained repository:
> org.apache.james.mailrepository.file.FileMailRepository to handle: file
> 2021-12-09T11:00:23.502 DEBUG [main]
> org.apache.james.mailrepository.file.FileMailRepository -
> FileMailRepository.destinationURL: file://var/mail/error
> 2021-12-09T11:00:23.503 INFO [main]
> org.apache.james.repository.file.AbstractFileRepository - Init
> org.apache.james.repository.file.FilePersistentObjectRepository Store
> 2021-12-09T11:00:23.504 ERROR [main]
> org.apache.james.mailrepository.file.FileMailRepository - Failed to retrieve
> Store component
> org.apache.commons.configuration2.ex.ConfigurationException: Unable to acces
> destination file://var/mail/error
> at
> org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:151)
> ~[james-server-data-library-3.6.1.jar:3.6.1]
> at
> org.apache.james.repository.file.AbstractFileRepository.init(AbstractFileRepository.java:84)
> ~[james-server-data-library-3.6.1.jar:3.6.1]
> at
> org.apache.james.mailrepository.file.FileMailRepository.init(FileMailRepository.java:140)
> [james-server-data-file-3.6.1.jar:3.6.1]
> ...
> Caused by: java.io.IOException:
> C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of ../
> at
> org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51)
> ~[james-server-spring-3.6.1.jar:3.6.1]
> at
> org.apache.james.container.spring.context.JamesServerApplicationContext.validate(JamesServerApplicationContext.java:48)
> ~[james-server-spring-3.6.1.jar:3.6.1]
> at
> org.apache.james.container.spring.filesystem.ResourceLoaderFileSystem.getFileWithinBaseDir(ResourceLoaderFileSystem.java:63)
> ~[james-server-spring-3.6.1.jar:3.6.1]
> at
> org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:149)
> ~[james-server-data-library-3.6.1.jar:3.6.1]
> {noformat}
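The failure mode reported above, as an added Java example (not the James source and not the contents of the attached patch): a string startsWith check against the unresolved root {{../}} rejects every absolute path, while normalizing both sides before comparing accepts the repository path and still rejects a traversal. The class and method names are hypothetical, and the sample paths are constructed relative to the current working directory, which is assumed to be at least two levels below the filesystem root.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical demo class; simplified from the behaviour described in the report.
public class JailCheckDemo {
    // Check as the report describes it: the file is resolved to an absolute
    // path, but the root is still the literal string "../".
    static void naiveValidate(String root, Path file) throws IOException {
        String resolved = file.toAbsolutePath().normalize().toString();
        if (!resolved.startsWith(root)) {
            throw new IOException(resolved + " jail break outside of " + root);
        }
    }

    // Both sides are made absolute and normalized first. Path.startsWith
    // compares whole name elements, so /opt/james-x is not "inside" /opt/james.
    static void normalizedValidate(String root, Path file) throws IOException {
        Path base = Paths.get(root).toAbsolutePath().normalize();
        Path resolved = file.toAbsolutePath().normalize();
        if (!resolved.startsWith(base)) {
            throw new IOException(resolved + " jail break outside of " + base);
        }
    }

    static String run(boolean naive, String root, Path file) {
        try {
            if (naive) naiveValidate(root, file); else normalizedValidate(root, file);
            return "accepted";
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String root = "../"; // root directory value quoted in the report
        Path base = Paths.get(root).toAbsolutePath().normalize();
        Path inside = base.resolve("var/mail/error");
        // Constructed traversal sample: climbs one level above the base.
        Path traversal = base.resolve("var/../../outside/secret");
        System.out.println("naive, inside:    " + run(true, root, inside));
        System.out.println("naive, traversal: " + run(true, root, traversal));
        System.out.println("fixed, inside:    " + run(false, root, inside));
        System.out.println("fixed, traversal: " + run(false, root, traversal));
    }
}
```

Path.normalize() is purely lexical and does not follow symbolic links; where links inside the base directory are a concern, resolve existing paths with Path.toRealPath() before comparing.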