At 01:31 AM 2/11/2009, post...@corwyn.net wrote:
At 01:05 AM 2/11/2009, Victor Duchovni wrote:
On Wed, Feb 11, 2009 at 12:55:31AM -0500, post...@corwyn.net wrote:
This is a bad idea. You are allowing external parties to construct
mailbox filenames on your system. Potential for various directory pathname
injection attacks:
user+./../../not/where/you/exp...@example.com
You must specifically designate which folders are addressable in this way,
or at least limit the character-set of acceptable extensions.
Now it uses the data already in the table. Better?
select
  if(INSTR(maildir,'+'),
     concat(left(maildir,instr(maildir,'+')-1),
            '/Maildir/.',
            right(substring_index(maildir,'/',2),
                  length(substring_index(maildir,'/',2))-instr(substring_index(maildir,'/',2),'+')),
            '/'),
     CONCAT(maildir,'Maildir/'))
from mailbox
where username='%s' and active='1'
Rick
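
An added example, not part of the original thread: the restriction suggested in the quoted reply (designate the addressable folders, or at least limit the extension character set), written as a Python function that produces the same path layout as the query above. The function name, the allowed character set, the length limit and the sample values are assumptions made for illustration.

```python
import re

# Assumption: folder extensions are limited to this character set and length.
# '.' and '/' are excluded, so an extension can never be "." or ".." and can
# never add a path component (an extension of "." would otherwise produce
# ".../Maildir/../").
SAFE_EXTENSION = re.compile(r"[A-Za-z0-9_-]{1,64}")


def maildir_path(maildir, designated=None):
    """Map 'domain/user+ext/' to 'domain/user/Maildir/.ext/'.

    Values without '+' in the user component get 'Maildir/' appended, as in
    the query. An extension that fails the allow-list, or that is missing
    from `designated` when that set is given, goes to the user's inbox.
    """
    parts = maildir.split("/")
    # Only the second path component (the user part) may carry an extension.
    if len(parts) < 2 or "+" not in parts[1]:
        return maildir + "Maildir/"
    user, _, ext = parts[1].partition("+")
    inbox = f"{parts[0]}/{user}/Maildir/"
    if not SAFE_EXTENSION.fullmatch(ext):
        return inbox
    if designated is not None and ext not in designated:
        return inbox
    return f"{inbox}.{ext}/"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real mailbox table.
    samples = (
        "example.com/rick/",
        "example.com/rick+lists/",
        "example.com/user+./../../etc/",
        "example.com/rick+/",
    )
    for value in samples:
        print(f"{value!r:40} -> {maildir_path(value)!r}")
    # With an explicit folder list, anything undesignated lands in the inbox.
    print(maildir_path("example.com/rick+spam/", designated={"lists"}))
```
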