check imap attachment symlink on the resolved destination path#69194

Open
Samin061 wants to merge 1 commit into
apache:mainfrom
Samin061:imap-symlink-destination
Conversation

@Samin061 Samin061 commented Jul 1, 2026

Contributor

ImapHook writes each downloaded attachment under local_output_directory, but _is_symlink passed the bare attachment name to os.path.islink, so it inspected a path relative to the process working directory rather than the file that gets opened. A symlink planted at the real destination slipped past the check and the following open(..., "wb") wrote through it, so an attacker-controlled attachment name and payload could overwrite the link target. Resolve the destination with _correct_path before the symlink check so the file actually being written is the one inspected.


Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)
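To make the defect concrete, here is an added example (not the provider's code; `_correct_path`, the two `_is_symlink_*` variants and `save_attachment` are assumed stand-ins modelled on the description above) that plants a symlink at the destination in a temporary directory and contrasts the bare-name check with the resolved-path check:

```python
import os
import tempfile

# Assumed stand-ins for the hook's helpers; ImapHook's real code may differ.

def _correct_path(name: str, local_output_directory: str) -> str:
    """Resolve the attachment name to its destination under the output directory."""
    return os.path.join(local_output_directory, name)

def _is_symlink_before(name: str, local_output_directory: str) -> bool:
    """Pre-fix check: the bare name is tested relative to the CWD, not the destination."""
    return os.path.islink(name)

def _is_symlink_after(name: str, local_output_directory: str) -> bool:
    """Post-fix check: the resolved destination, the file actually opened, is tested."""
    return os.path.islink(_correct_path(name, local_output_directory))

def save_attachment(name, payload, local_output_directory, symlink_check) -> bool:
    """Write payload to the destination unless the given check flags a symlink.
    Returns True when the file was written, False when the write was refused."""
    if symlink_check(name, local_output_directory):
        return False
    with open(_correct_path(name, local_output_directory), "wb") as fh:
        fh.write(payload)
    return True

def demo() -> dict:
    """Constructed scenario: a symlink at the destination points at a file outside
    the output directory. Returns {label: (written?, target contents afterwards)}."""
    results = {}
    for label, check in (("before", _is_symlink_before), ("after", _is_symlink_after)):
        with tempfile.TemporaryDirectory() as tmp:
            out_dir = os.path.join(tmp, "attachments")
            os.makedirs(out_dir)
            target = os.path.join(tmp, "outside.txt")
            with open(target, "w") as fh:
                fh.write("original\n")
            name = "constructed-report.pdf"  # constructed attachment name
            os.symlink(target, os.path.join(out_dir, name))
            written = save_attachment(name, b"payload\n", out_dir, check)
            with open(target) as fh:
                results[label] = (written, fh.read())
    return results
```

With the pre-fix check the write goes through the link and replaces the outside file; with the resolved-path check the write is refused and the target is untouched.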

@SameerMesiah97 SameerMesiah97 left a comment

Contributor

Looks good.

@potiuk potiuk added the ready for maintainer review Set after triaging when all criteria pass. label Jul 2, 2026
Labels

area:providers provider:imap ready for maintainer review Set after triaging when all criteria pass.
