From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id B7FF46DE02B1 for ; Mon, 8 Jun 2015 11:41:42 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.729 X-Spam-Level: X-Spam-Status: No, score=-0.729 tagged_above=-999 required=5 tests=[AWL=0.090, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7qZtRctZlEjo for ; Mon, 8 Jun 2015 11:41:40 -0700 (PDT) Received: from mail-yk0-f177.google.com (mail-yk0-f177.google.com [209.85.160.177]) by arlo.cworth.org (Postfix) with ESMTPS id 5B1236DE02D2 for ; Mon, 8 Jun 2015 11:41:40 -0700 (PDT) Received: by ykfl8 with SMTP id l8so56277649ykf.1 for ; Mon, 08 Jun 2015 11:41:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=hLsFt/ZtgTpTp2w8HaK0QiawoCwdSLoFDHjTc8BHBEk=; b=wb9BRcHF0D69Gy3nVTfTWuqDnwldGVmcgBVwBCICUwUP9eJi8K3GUlZHhABgvOeKJC ehH95WomIq6qS72QedC/9oyA+PNIlU5rRJvVVzGSKOvgCql304pnVpLLlWsTmE/pWZc3 hJK+5XWR9xyg24us/VjD2OerVxxn7gSmTeKcUb5KFY7L9xiCA5tFbZW5Di5m8QLQKGxP qbtoM4IdDFqZyptcJTE5XxYZxWPvqMZdZ1H9mWovmgxFELdTmBJUwntmH4ufN4DkCMwH 78G23doK5jWempK3Nup1LvGFbljDLAXKanhSnPvBcoPCJCnCYbKL0Z9XfmRuGHAoZSe6 xcBg== MIME-Version: 1.0 X-Received: by 10.13.218.71 with SMTP id c68mr17715709ywe.126.1433788897355; Mon, 08 Jun 2015 11:41:37 -0700 (PDT) Received: by 10.129.123.197 with HTTP; Mon, 8 Jun 2015 11:41:37 -0700 (PDT) In-Reply-To: <871thmivpt.fsf@maritornes.cs.unb.ca> References: <871thmivpt.fsf@maritornes.cs.unb.ca> Date: Mon, 8 Jun 2015 20:41:37 +0200 Message-ID: Subject: Re: BUG: maildir flags sync with database relative path results in corrupted filename From: Morgan Veyret To: David Bremner , notmuch@notmuchmail.org Content-Type: multipart/alternative; boundary=94eb2c081926e8ee74051805fde2 X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jun 2015 18:41:42 -0000 --94eb2c081926e8ee74051805fde2 Content-Type: text/plain; charset=UTF-8 It does the job, now opening the database with a relative path raise a NotmuchError. On Mon, Jun 8, 2015 at 8:02 AM, David Bremner wrote: > Morgan Veyret writes: > > > > > As I understand it's expected that the database path should be absolute > but > > corrupting the database when the path is relative sounds dangerous. > > Thanks for the report. I can see how this could happen, since the > internal functions _notmuch_message_add_file_name and > _notmuch_database_relative_path classify message filenames into absolute > paths starting with the database path and paths relative to the database > root. > > The obvious solution is to reject non-absolute paths in > notmuch_database_open_verbose. A slightly friendlier approach would be > to canonicalize the path, but this might have unforseen consequences for > clients relying on the database path being exactly what they pass in. > > Can you see if the attached patch "fixes" it for you? You'll have to > rebuild notmuch from source. The patch should apply to 0.20 or later. > > > diff --git a/lib/database.cc b/lib/database.cc > index 78a24f7..2a5b82a 100644 > --- a/lib/database.cc > +++ b/lib/database.cc > @@ -847,6 +847,12 @@ notmuch_database_open_verbose (const char *path, > goto DONE; > } > > + if (path[0] != '/') { > + message = strdup ("Error: Database path must be absolute.\n"); > + status = NOTMUCH_STATUS_FILE_ERROR; > + goto DONE; > + } > + > if (! (notmuch_path = talloc_asprintf (local, "%s/%s", path, > ".notmuch"))) { > message = strdup ("Out of memory\n"); > status = NOTMUCH_STATUS_OUT_OF_MEMORY; > > --94eb2c081926e8ee74051805fde2 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
It does the job, now opening the database with a rela= tive path raise
a NotmuchError.



On Mon, Jun 8, 2015 at 8:02 AM, Da= vid Bremner <david@tethera.net> wrote:
Morgan Veyret <morgan.veyret@gmail.com> writes:

>
> As I understand it's expected that the database path should be abs= olute but
> corrupting the database when the path is relative sounds dangerous.
Thanks for the report.=C2=A0 I can see how this could happen, since = the
internal functions _notmuch_message_add_file_name and
_notmuch_database_relative_path classify message filenames into absolute paths starting with the database path and paths relative to the database root.

The obvious solution is to reject non-absolute paths in
notmuch_database_open_verbose. A slightly friendlier approach would be
to canonicalize the path, but this might have unforseen consequences for clients relying on the database path being exactly what they pass in.

Can you see if the attached patch "fixes" it for you? You'll = have to
rebuild notmuch from source. The patch should apply to 0.20 or later.


diff --git a/lib/database.cc b/lib/database.cc
index 78a24f7..2a5b82a 100644
--- a/lib/database.cc
+++ b/lib/database.cc
@@ -847,6 +847,12 @@ notmuch_database_open_verbose (const char *path,
=C2=A0 =C2=A0 =C2=A0 =C2=A0 goto DONE;
=C2=A0 =C2=A0 =C2=A0}

+=C2=A0 =C2=A0 if (path[0] !=3D '/') {
+=C2=A0 =C2=A0 =C2=A0 =C2=A0message =3D strdup ("Error: Database path = must be absolute.\n");
+=C2=A0 =C2=A0 =C2=A0 =C2=A0status =3D NOTMUCH_STATUS_FILE_ERROR;
+=C2=A0 =C2=A0 =C2=A0 =C2=A0goto DONE;
+=C2=A0 =C2=A0 }
+
=C2=A0 =C2=A0 =C2=A0if (! (notmuch_path =3D talloc_asprintf (local, "%= s/%s", path, ".notmuch"))) {
=C2=A0 =C2=A0 =C2=A0 =C2=A0 message =3D strdup ("Out of memory\n"= );
=C2=A0 =C2=A0 =C2=A0 =C2=A0 status =3D NOTMUCH_STATUS_OUT_OF_MEMORY;


--94eb2c081926e8ee74051805fde2--