At 01:05 AM 2/11/2009, Victor Duchovni wrote:
> On Wed, Feb 11, 2009 at 12:55:31AM -0500, post...@corwyn.net wrote:
>
> This is a bad idea. You are allowing external parties to construct
> mailbox filenames on your system. Potential for various directory pathname
> injection attacks:
>
>     user+./../../not/where/you/exp...@example.com
>
> You must specifically designate which folders are addressable in this way,
> or at least limit the character-set of acceptable extensions.

Grr, a very valid point. I'll try to put something together that only
uses the maildir that's in the database. Better anyway because then
it will work from when the account is created instead of having to
manually tweak the maildir (which is what I did this time). More to come ...
Rick
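
The restriction suggested in the thread (a limited character set for extensions, optionally a list of designated folders, with the maildir itself taken from trusted data), as an added Python example that is not part of the original messages. The function names, the 32-character limit and the `.folder` subdirectory layout are assumptions made for illustration.

```python
import os
import re

# Assumption: a conservative character set and length limit for extensions.
SAFE_EXTENSION = re.compile(r"[A-Za-z0-9_-]{1,32}")


def split_extension(localpart, delimiter="+"):
    """Split 'user+ext' into ('user', 'ext'); ext is None when absent."""
    user, sep, ext = localpart.partition(delimiter)
    return user, (ext if sep else None)


def resolve_folder(maildir, localpart, allowed_folders=None):
    """Return the delivery directory for localpart under maildir.

    maildir is the trusted per-account path (for example, from the database).
    The sender-controlled extension selects a subfolder only when it passes
    the character-set check and, if an allow-list is given, is on that list.
    Anything else is delivered to the main maildir.
    """
    base = os.path.realpath(maildir)
    _, ext = split_extension(localpart)
    if ext is None or not SAFE_EXTENSION.fullmatch(ext):
        return base
    if allowed_folders is not None and ext not in allowed_folders:
        return base
    # Assumed layout: subfolders are stored as ".<folder>" inside the maildir.
    candidate = os.path.realpath(os.path.join(base, "." + ext))
    # Defence in depth: a symlinked subfolder must not lead outside the maildir.
    if os.path.commonpath([base, candidate]) != base:
        return base
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs; the maildir path is a placeholder.
    for lp in ("user", "user+lists", "user+../../elsewhere", "user+a/b"):
        print(lp, "->", resolve_folder("/tmp/example-maildir", lp, {"lists"}))
```
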