Maybe I'm overlooking something, but the code makes me assuming that path traversals could work based on the recipient e-mail address (e.g. ../../alice@example.net). Note that I did not follow up this further to check if it allows e.g. injections based on this.
Maybe I'm overlooking something, but the code makes me assuming that path traversals could work based on the recipient e-mail address (e.g.
../../alice@example.net). Note that I did not follow up this further to check if it allows e.g. injections based on this.