[Bug 4448] Directory traversal vulnerability in MimeBodyPart.getFileName(): CVE-2005-1105

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: <bugzilla-daemon_at_kenai.com>
Date: Fri, 12 Aug 2011 06:59:44 +0000 (GMT)

http://kenai.com/bugzilla/show_bug.cgi?id=4448

Bill Shannon <shannon_at_kenai.com> changed:

           What |Removed |Added
----------------------------------------------------------------------------
             Status|NEW |RESOLVED
         Resolution| |INVALID

--- Comment #1 from Bill Shannon <shannon_at_kenai.com> 2011-08-12 06:59:43 ---
I don't know why you think this is a JavaMail bug. JavaMail isn't
writing to the file. JavaMail isn't traversing any directories.

JavaMail just returns the filename information that the sender of the
message provided. For security purposes, you should consider it junk.
Before using it, you should validate it, just like any user input.

It's no more or less valid than the From address in the message.

-- 
Configure bugmail: http://kenai.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.