From: Timo Sirainen <tss@iki.fi>
Date: Mon, 7 Sep 2015 10:40:41 +0000 (+0300)
Subject: imap: Don't allow IMAP METADATA to access Dovecot's private server attributes.
X-Git-Tag: 2.2.19.rc1~98
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c07fb2247951f6bc9421d816bb7599efcd84da2e;p=thirdparty%2Fdovecot%2Fcore.git

imap: Don't allow IMAP METADATA to access Dovecot's private server attributes.
---

diff --git a/src/lib-imap-storage/imap-metadata.c b/src/lib-imap-storage/imap-metadata.c
index 5d08bc3919..e1386e8fbc 100644
--- a/src/lib-imap-storage/imap-metadata.c
+++ b/src/lib-imap-storage/imap-metadata.c
@@ -100,14 +100,17 @@ imap_metadata_entry2key(struct imap_metadata_transaction *imtrans,
 		i_assert((*key_r)[0] == '/');
 		*key_r += 1;
 	}
+	if (strncmp(*key_r, MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT,
+		    strlen(MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT)) == 0) {
+		/* Dovecot's internal attribute (mailbox or server).
+		   don't allow accessing this. */
+		return FALSE;
+	}
+	/* Add the server-prefix (after checking for the above internal
+	   attribute). */
 	if (key_prefix != NULL)
 		*key_r = t_strconcat(key_prefix, *key_r, NULL);
-
-	/* skip over dovecot's internal attributes. (server metadata is handled
-	   inside the private metadata.) */
-	return (imtrans->server ||
-		strncmp(*key_r, MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT,
-		    strlen(MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT)) != 0);
+	return TRUE;
 }
 
 static int