[Dovecot] Dovecot allows creation of folders outside of a user's directory
Timo Sirainen
tss at iki.fi
Wed Apr 4 04:35:13 EEST 2012
On 30.3.2012, at 14.37, Christoph Bußenius wrote:
> In our dovecot 2.0 setup with shared folders, users can make dovecot create directories outside their mail directory. Which is a bit scary imho.
>
> The following command:
>
> . create inbox.shared.abc123
>
> or even
>
> . create "inbox.shared.strange &ANY- characters"
>
> -- even though it will fail with a "permission denied" error -- will create a directory like "/mail/users/strange &ANY- characters". That directory will only contain a subdirectory "Maildir" and therein dovecot-acl-list.
Fixed: http://hg.dovecot.org/dovecot-2.0/rev/b15889b82258
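
A defender-side sweep for leftovers of the behaviour reported above, as an added example that is not part of the original post or of Dovecot: it lists directories under the user base path whose only content is `Maildir/dovecot-acl-list`. The `<base>/<user>/Maildir` layout follows the report; the function names, the `known_users` parameter and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

ACL_LIST = "dovecot-acl-list"  # file name taken from the report


def is_stray_userdir(path):
    """True if path holds only Maildir/ and Maildir/ holds only dovecot-acl-list."""
    try:
        if os.listdir(path) != ["Maildir"]:
            return False
        maildir = os.path.join(path, "Maildir")
        if os.path.islink(maildir) or not os.path.isdir(maildir):
            return False
        return os.listdir(maildir) == [ACL_LIST]
    except OSError:  # unreadable or vanished entry: not a confirmed match
        return False


def find_stray_userdirs(base, known_users=()):
    """Return sorted names under base that match the leftover pattern.

    known_users (hypothetical parameter) lists real accounts to skip, so a
    freshly provisioned mailbox is not reported as a leftover.
    """
    known = set(known_users)
    hits = []
    for entry in sorted(os.listdir(base)):
        full = os.path.join(base, entry)
        if entry in known or os.path.islink(full) or not os.path.isdir(full):
            continue
        if is_stray_userdir(full):
            hits.append(entry)
    return hits


def build_sample_tree(base):
    """Constructed sample layout: one real user, two leftovers, one empty dir."""
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(base, "alice", "Maildir", sub))
    open(os.path.join(base, "alice", "Maildir", ACL_LIST), "w").close()
    for name in ("abc123", "strange &ANY- characters"):
        os.makedirs(os.path.join(base, name, "Maildir"))
        open(os.path.join(base, name, "Maildir", ACL_LIST), "w").close()
    os.makedirs(os.path.join(base, "bob"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for name in find_stray_userdirs(base, known_users=["alice"]):
            print("candidate leftover:", repr(name))
```

A match is a candidate only: compare the names against the account database before removing anything.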