/offlineimap/head: changeset 210
Preventive security: folder names may not contain ./ or start with /.
parent
f086c3ff0a
commit
b56304090a
@ -13,6 +13,7 @@ offlineimap (3.2.2) unstable; urgency=low
|
|||||||
* Added support for /-separated Maildirs -- that is, hierarchical
|
* Added support for /-separated Maildirs -- that is, hierarchical
|
||||||
Maildir trees. Fixes [complete.org #28] and, for Debian,
|
Maildir trees. Fixes [complete.org #28] and, for Debian,
|
||||||
Closes: #155460.
|
Closes: #155460.
|
||||||
|
* Preventitive security: Folder names may not contain ./ or start with /.
|
||||||
|
|
||||||
-- John Goerzen <jgoerzen@complete.org> Thu, 25 Jul 2002 08:22:25 -0500
|
-- John Goerzen <jgoerzen@complete.org> Thu, 25 Jul 2002 08:22:25 -0500
|
||||||
|
|
||||||
|
@ -47,11 +47,13 @@ class MaildirRepository(BaseRepository):
|
|||||||
for component in foldername.split('/'):
|
for component in foldername.split('/'):
|
||||||
assert component != invalid, "When using nested folders (/ as a separator in the account config), your folder names may not contain 'new', 'cur', 'tmp', or 'offlineimap.uidvalidity'."
|
assert component != invalid, "When using nested folders (/ as a separator in the account config), your folder names may not contain 'new', 'cur', 'tmp', or 'offlineimap.uidvalidity'."
|
||||||
|
|
||||||
|
assert oldername.find('./') == -1, "Folder names may not contain ../"
|
||||||
|
assert not foldername.startswith('/'), "Folder names may not begin with /"
|
||||||
oldcwd = os.getcwd()
|
oldcwd = os.getcwd()
|
||||||
os.chdir(self.root)
|
os.chdir(self.root)
|
||||||
os.makedirs(folderdir, 0700)
|
os.makedirs(foldername, 0700)
|
||||||
for subdir in ['cur', 'new', 'tmp']:
|
for subdir in ['cur', 'new', 'tmp']:
|
||||||
os.mkdir(os.path.join(folderdir, subdir), 0700)
|
os.mkdir(os.path.join(foldername, subdir), 0700)
|
||||||
# Invalidate the cache
|
# Invalidate the cache
|
||||||
self.folders = None
|
self.folders = None
|
||||||
os.chdir(oldcwd)
|
os.chdir(oldcwd)
|
||||||
|
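Review bot: The first added assert calls `oldername.find('./')`, and `oldername` is not defined in any visible line, so this looks like a typo for `foldername` that would raise NameError on every call instead of performing the check; its message also says `../` while the test is for `./`. Even with the name fixed, a substring test lets through a folder name whose last component is `..`, and both new checks are `assert` statements, which Python removes under `-O`. I would test each component in the loop just above and raise explicitly, `if component in ('.', '..'): raise ValueError("Folder names may not contain . or .. components")`, with a matching explicit raise for the leading `/`. The method's signature and the start of that loop are outside the hunk, so how `invalid` is bound there is not visible.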