On 30.3.2012, at 14.37, Christoph Bußenius wrote:

> in our dovecot 2.0 setup with shared folders, users can make dovecot create
> directories outside their mail directory. Which is a bit scary imho.
>
> The following command:
>
> . create inbox.shared.abc123
>
> or even
>
> . create "inbox.shared.strange &ANY- characters"
>
> -- even though it will fail with a "permission denied" error -- will create a
> directory like "/mail/users/strange &ANY- characters". That directory will
> only contain a subdirectory "Maildir" and therein dovecot-acl-list.

Fixed: http://hg.dovecot.org/dovecot-2.0/rev/b15889b82258
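
A cleanup check for servers that ran the affected version, added here as an example and not part of the original thread or of Dovecot: it lists directories directly under a mail root whose only content is Maildir/dovecot-acl-list, the footprint described in the report. The function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile


def find_stray_dirs(mail_root):
    """Return sorted names of directories directly under mail_root whose whole
    content is Maildir/dovecot-acl-list, the footprint described in the report."""
    stray = []
    for entry in os.scandir(mail_root):
        # Symlinks are skipped so the scan never leaves mail_root.
        if not entry.is_dir(follow_symlinks=False):
            continue
        if os.listdir(entry.path) != ["Maildir"]:
            continue
        maildir = os.path.join(entry.path, "Maildir")
        if os.path.islink(maildir) or not os.path.isdir(maildir):
            continue
        if os.listdir(maildir) == ["dovecot-acl-list"]:
            stray.append(entry.name)
    return sorted(stray)


def build_sample_tree(root):
    """Constructed sample data: one real-looking mailbox, two stray directories."""
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(root, "alice", "Maildir", sub))
    open(os.path.join(root, "alice", "Maildir", "dovecot-acl-list"), "w").close()
    for name in ("abc123", "strange &ANY- characters"):
        os.makedirs(os.path.join(root, name, "Maildir"))
        open(os.path.join(root, name, "Maildir", "dovecot-acl-list"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for name in find_stray_dirs(root):
            print(repr(name))
```

A match is a candidate, not proof: compare the names against the account list before removing anything.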