Re: Easing restrictBox restrictions
Tom -
You aren't missing anything. restrictBox is implemented in a very
paranoid fashion, and almost certainly can be relaxed safely.
In designing the distribution rules for restrictBox, I didn't go by "what
is unsafe"; I went by "what might under some set of circumstances (that I
don't necessarily even know about) be unsafe." The whole idea being that
I don't have to deal with some security alert because restrictBox failed
to check for something. Arguably, I should go further and prohibit "%"
under restrictBox as well... 
We don't use restrictBox here.
On Thu, 8 May 2008, Tom Leach wrote:
> I need to ease the folder name restrictions imposed by restrictBox in
> mailboxfile() but I have a couple of questions. First off, I have
> restrictBox set to -1 so all flags are set.
> Does the restriction of "//" have any meaning if we're not using Samba on a
> Linux system? I'm trying to see where that would be a path security problem
> but I just don't see an issue unless it could be a cifs one.
> Second, we're moving from mbox to mix and an older (non-restrictBox set)
> uw_imapd, and I have some people with .. in their folder names. The
> restriction of ".." is preventing me from converting those boxes (and the use
> of them by the owners) so i was thinking of changing
> strstr (name,"..") to strstr (name,"/..") || strstr (name,"../") but I wanted
> opinions on what cases I was missing. I've tried tossing in %2f to see if
> that would be parsed as a / but so far, it's always be literal
> (foo%2f..%2fbar instead of foo/../bar).
> So, opinions on what I'm missing???
> Thanks,
> Tom Leach
> leach <at> coas.oregonstate.edu
> _______________________________________________
> Imap-uw mailing list
> Imap-uw <at> u.washington.edu
> https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
>
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
_______________________________________________
Imap-uw mailing list
Imap-uw <at> u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
RSS Feed