james-server-dev mailing list archives

From Robert Burrell Donkin <robertburrelldon...@gmail.com>
Subject [smtp] VirtualUserTable.ROLE
Date Sun, 06 Sep 2009 10:50:45 GMT
the Service method in ValidRcptHandler[1] contains

          if (tableName == null || tableName.equals("")) {
              table = (VirtualUserTable) arg0.lookup(VirtualUserTable.ROLE);
          } else {
              table = ((VirtualUserTableStore) arg0.lookup(VirtualUserTableStore.ROLE)).getTable(tableName);
          }

this raises questions about injection

AFAICT VirtualUserTable.ROLE is only used for ValidRcptHandler

IMHO it would have been more natural for the table name check to be
performed in VirtualUserTableStore[2], with the default returned when
null or empty string is passed to getTable. this would allow
VirtualUserTableStore to be injected and used in any case.

opinions?

- robert

[1] http://james.apache.org/server/head/xref/org/apache/james/smtpserver/core/filter/fastfail/ValidRcptHandler.html
[2] http://james.apache.org/server/head/xref/org/apache/james/api/vut/VirtualUserTableStore.html

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
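
The arrangement proposed in the message above, as an added sketch that is not code from the post or from James: the types are simplified stand-ins that reuse the names VirtualUserTable, VirtualUserTableStore and getTable, while name(), register(), the store implementation and the handler class are hypothetical. It assumes an unknown table name should be rejected when the handler is wired.

```java
import java.util.HashMap;
import java.util.Map;

public class VutStoreSketch {
    // Simplified stand-in, not the James interface; name() is hypothetical.
    interface VirtualUserTable { String name(); }

    // Proposed contract: null or "" selects the default table.
    interface VirtualUserTableStore { VirtualUserTable getTable(String tableName); }

    // Hypothetical store implementation that owns the defaulting rule.
    static class DefaultingStore implements VirtualUserTableStore {
        private final Map<String, VirtualUserTable> tables = new HashMap<>();
        private final VirtualUserTable defaultTable;

        DefaultingStore(VirtualUserTable defaultTable) { this.defaultTable = defaultTable; }

        void register(VirtualUserTable table) { tables.put(table.name(), table); }

        @Override
        public VirtualUserTable getTable(String tableName) {
            if (tableName == null || tableName.isEmpty()) {
                return defaultTable;
            }
            return tables.get(tableName); // null when no such table exists
        }
    }

    // Hypothetical handler: one injected dependency, no null/empty branch.
    static class RcptHandlerSketch {
        private final VirtualUserTable table;

        RcptHandlerSketch(VirtualUserTableStore store, String tableName) {
            table = store.getTable(tableName);
            if (table == null) { // fail at wiring time, not on the first RCPT
                throw new IllegalArgumentException("unknown table: " + tableName);
            }
        }

        String tableInUse() { return table.name(); }
    }

    public static void main(String[] args) {
        DefaultingStore store = new DefaultingStore(() -> "default");
        store.register(() -> "custom");
        for (String configured : new String[] {null, "", "custom"}) {
            System.out.println(new RcptHandlerSketch(store, configured).tableInUse());
        }
    }
}
```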

