/offlineimap/head: changeset 210

Preventive security: folder names may not contain ./ or start with /.
jgoerzen 2002-08-08 03:44:37 +01:00
parent f086c3ff0a
commit b56304090a
2 changed files with 6 additions and 3 deletions


@ -13,6 +13,7 @@ offlineimap (3.2.2) unstable; urgency=low
* Added support for /-separated Maildirs -- that is, hierarchical * Added support for /-separated Maildirs -- that is, hierarchical
Maildir trees. Fixes [complete.org #28] and, for Debian, Maildir trees. Fixes [complete.org #28] and, for Debian,
Closes: #155460. Closes: #155460.
* Preventitive security: Folder names may not contain ./ or start with /.
-- John Goerzen <jgoerzen@complete.org> Thu, 25 Jul 2002 08:22:25 -0500 -- John Goerzen <jgoerzen@complete.org> Thu, 25 Jul 2002 08:22:25 -0500


@ -46,12 +46,14 @@ class MaildirRepository(BaseRepository):
for invalid in ['new', 'cur', 'tmp', 'offlineimap.uidvalidity']: for invalid in ['new', 'cur', 'tmp', 'offlineimap.uidvalidity']:
for component in foldername.split('/'): for component in foldername.split('/'):
assert component != invalid, "When using nested folders (/ as a separator in the account config), your folder names may not contain 'new', 'cur', 'tmp', or 'offlineimap.uidvalidity'." assert component != invalid, "When using nested folders (/ as a separator in the account config), your folder names may not contain 'new', 'cur', 'tmp', or 'offlineimap.uidvalidity'."
assert oldername.find('./') == -1, "Folder names may not contain ../"
assert not foldername.startswith('/'), "Folder names may not begin with /"
oldcwd = os.getcwd() oldcwd = os.getcwd()
os.chdir(self.root) os.chdir(self.root)
os.makedirs(folderdir, 0700) os.makedirs(foldername, 0700)
for subdir in ['cur', 'new', 'tmp']: for subdir in ['cur', 'new', 'tmp']:
os.mkdir(os.path.join(folderdir, subdir), 0700) os.mkdir(os.path.join(foldername, subdir), 0700)
# Invalidate the cache # Invalidate the cache
self.folders = None self.folders = None
os.chdir(oldcwd) os.chdir(oldcwd)
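Review bot: The two added folder-name checks are `assert` statements, which Python strips when run with `-O`, so the path restriction this commit introduces would silently vanish in optimized mode; an explicit `if '..' in foldername.split('/') or foldername.startswith('/'): raise ValueError("Folder names may not contain .. or begin with /")` keeps it unconditional. As rendered on this page the first check reads `oldername.find('./')`, which would raise NameError rather than validate anything, and should be `foldername`. The substring test for `./` also rejects harmless names such as `a./b` while accepting a name that is exactly `..` or ends in `/..`, and its message says `../`; comparing each `/`-separated component against `..` matches the stated intent more precisely. The enclosing method starts above the hunk, so whether any caller relies on catching AssertionError is not visible here.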