You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/11/10 13:50:00 UTC
[jira] [Commented] (JAMES-2190) Any sieve script provided should be
checked for its size to prevent DoS
[ https://issues.apache.org/jira/browse/JAMES-2190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17441748#comment-17441748 ]
Benoit Tellier commented on JAMES-2190:
---------------------------------------
As I was fixing some issues on our ManageSieve implementation (and got it working with TB !!! - there is a video proof of that) I ended up re-reading this issue.
Nowadays an admin can define a quota that acts as an upper bound to the total amount of Sieve data stored and thus the maximum size of a script as well.
As such there is an easy mean to prevent abuses you describe: set a low limit corresponding to the maximum size of a script an admin would be willing to execute - for instance 16KB is plenty enough for expressivity yet sould low enough to not be too impactful on the server...
Sure it is not enabled by default yet it can be easily discovered: webAdmin, CLI...
But [~matthieu] I am pretty sure we can still add an option in sievereposiotry.xml file, contribution welcomed!
> Any sieve script provided should be checked for its size to prevent DoS
> -----------------------------------------------------------------------
>
> Key: JAMES-2190
> URL: https://issues.apache.org/jira/browse/JAMES-2190
> Project: James Server
> Issue Type: Improvement
> Reporter: Matthieu Baechler
> Priority: Major
>
> Sieve scripts are basically files that will be handled by the server.
> It requires to fit in memory for being executed so it would make sense to ensure it's not too big before accepting or loading it so that it's not a DoS vector.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org