james-server-dev mailing list archives

From "Tellier Benoit (JIRA)" <server-...@james.apache.org>
Subject [jira] [Commented] (JAMES-2190) Any sieve script provided should be checked for its size to prevent DoS
Date Wed, 18 Oct 2017 09:14:02 GMT

    [ https://issues.apache.org/jira/browse/JAMES-2190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209033#comment-16209033 ]

Tellier Benoit commented on JAMES-2190:

I think that this kind of vulnerability might be more spread than the simple use of Sieve scripts.

 - Do we limit size of Append emails via IMAP, JMAP? Custom flags? Annotation? etc.

We might need a real validation about user input and resource exhaustion in general, IMO.
Maybe we need to have this in a separate ticket.

> Any sieve script provided should be checked for its size to prevent DoS
> -----------------------------------------------------------------------
>                 Key: JAMES-2190
>                 URL: https://issues.apache.org/jira/browse/JAMES-2190
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: Matthieu Baechler
> Sieve scripts are basically files that will be handled by the server.
> It requires to fit in memory for being executed so it would make sense to ensure it's not too big before accepting or loading it so that it's not a DoS vector.
