Bug#304712: JavaMail allows directory traversal in attachments (CAN-2005-1105)
Florian Weimer
fw at deneb.enyo.de
Tue Apr 24 17:17:16 UTC 2007
* Javier Serrano Polo:
> The JavaMail spec is clear enough about what the implementation should
> (must) do. As Chris already said, it returns the actual message
> content. Security isn't handled in this step. Any implementation
> altering this value doesn't follow the spec. Any application relying on
> extra security checks would be based on an implementation (defeating the
> portability goal), not on the API.
I guess the documentation should be clarified:
| Get the filename associated with this part, if possible. Useful if
| this part represents an "attachment" that was loaded from a file. The
| filename will usually be a simple name, not including directory
| components.
Something like "... but such components may be present. Applications
must take care to remove them before creating files with the indicated
name.", perhaps.
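
One way an application could remove directory components before creating a file, shown as an added example that is not part of the original message or of any JavaMail implementation. The class and method names are hypothetical, and the untrusted name is assumed to be the string returned by Part.getFileName().

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

public class AttachmentSaver {

    /** Reduce an untrusted attachment name to a single safe path component. */
    static String sanitize(String untrusted) {
        if (untrusted == null) {
            return "attachment";
        }
        // Treat both '/' and '\' as separators, whatever the local platform is,
        // and keep only what follows the last one.
        String name = untrusted.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        // Replace everything outside a small allowlist (this also removes NUL
        // and other control characters).
        name = name.replaceAll("[^A-Za-z0-9._-]", "_");
        // Names made only of dots ("", ".", "..") are not usable as file names.
        if (name.isEmpty() || name.matches("\\.+")) {
            return "attachment";
        }
        return name;
    }

    /** Write the attachment below baseDir, refusing to overwrite or escape it. */
    static Path save(Path baseDir, String untrustedName, InputStream data) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(sanitize(untrustedName)).normalize();
        // Defence in depth: the resolved path must still be a direct child of baseDir.
        if (!base.equals(target.getParent())) {
            throw new IOException("attachment name escapes target directory");
        }
        // Files.copy without REPLACE_EXISTING fails if the file already exists.
        Files.copy(data, target);
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names, as a hostile message might supply them.
        String[] samples = { "report.pdf", "../../etc/passwd", "..\\..\\boot.ini", "..", "/tmp/x" };
        for (String s : samples) {
            System.out.println(s + " -> " + sanitize(s));
        }
    }
}
```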