Bug#304712: JavaMail allows directory traversal in attachments (CAN-2005-1105)

Florian Weimer fw at deneb.enyo.de
Tue Apr 24 17:17:16 UTC 2007


* Javier Serrano Polo:

> The JavaMail spec is clear enough about what the implementation should
> (must) do. As Chris already said, it returns the actual message
> content. Security isn't handled in this step. Any implementation
> altering this value doesn't follow the spec. Any application relying on
> extra security checks would be based on an implementation (defeating the
> portability goal), not on the API.

I guess the documentation should be clarified:

| Get the filename associated with this part, if possible. Useful if
| this part represents an "attachment" that was loaded from a file. The
| filename will usually be a simple name, not including directory
| components.

Something like "... but such components may be present.  Applications
must take care to remove them before creating files with the indicated
name.", perhaps.
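One way for an application to follow that advice when saving attachments, as an added example that is not code from JavaMail or from the Debian package: the helper below reduces whatever Part.getFileName() returned to a bare name and checks the resulting path before any file is created. The class name, the "attachments" directory and the sample values are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeAttachmentName {

    /** Reduce a name reported by Part.getFileName() to a bare file name,
     *  dropping directory components whichever separator the sender used. */
    public static String toBareName(String reported) {
        if (reported == null) {
            return null;
        }
        // The header value is sender-controlled, so treat both '/' and '\'
        // as separators regardless of the local platform.
        int cut = Math.max(reported.lastIndexOf('/'), reported.lastIndexOf('\\'));
        String name = (cut >= 0) ? reported.substring(cut + 1) : reported;
        // Control characters are removed (a NUL can truncate the name lower down).
        name = name.replaceAll("\\p{Cntrl}", "").trim();
        // "." and ".." are directory components too, and an empty name
        // would resolve to the attachment directory itself.
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            return null;
        }
        return name;
    }

    /** Place the bare name inside attachmentDir and confirm it stayed there. */
    public static Path resolveInside(Path attachmentDir, String reported) throws IOException {
        String bare = toBareName(reported);
        if (bare == null) {
            throw new IOException("unusable attachment name: " + reported);
        }
        Path dir = attachmentDir.toAbsolutePath().normalize();
        Path target = dir.resolve(bare).normalize();
        if (!dir.equals(target.getParent())) {
            throw new IOException("attachment name escapes " + dir + ": " + reported);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values standing in for Part.getFileName() results.
        String[] samples = {"report.pdf", "../../etc/passwd", "..\\..\\win.ini", "/tmp/x", "..", ""};
        Path dir = Paths.get("attachments");
        for (String s : samples) {
            String bare = toBareName(s);
            System.out.println("\"" + s + "\" -> " + (bare == null ? "rejected" : resolveInside(dir, s)));
        }
    }
}
```

With these samples, "../../etc/passwd" is saved as "passwd" inside the attachment directory and ".." and the empty name are rejected, so the directory named in the header never influences where the file lands.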




More information about the pkg-java-maintainers mailing list