[Mimedefang] Bad, bad_filename filtering ?

Jeffrey Goldberg jeffrey at goldmark.org
Thu Oct 9 12:15:01 EDT 2003


On Thu, 9 Oct 2003, James B. Huber wrote:

>   I don't understand what "bad" thing you believe some buggy MUA's
> might do in the above example. But...I do not see it is relevant to
> my question:

It is very relevant.  After all, if MUAs worked properly, we wouldn't need
to check file names at all.  The reason that we do is that some popular
MUAs will treat

  Content-type: text/plain; filename=foo.exe

as an executable instead of as text/plain.

> Shouldn't we actually be parsing out the filename stripping
> any "path" component so we actually only get the filename
> portion ? This would not affect either of the 2 examples
> David points out....

If you are confident that the MUAs will do the same, and not be fooled
into executing something because of tricks in the path component, then
that would be fine.  I haven't tested, but I do not have that confidence.

> Am I missing something ?

I think that you might be assuming that MUAs behave in reasonable ways.

-j


-- 
Jeffrey Goldberg                            http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
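Added example, written for this archive page and not code from the thread or from MIMEDefang itself (Python rather than MIMEDefang's Perl): a filename check that follows the reasoning above, taking filename= from Content-Type as well as Content-Disposition and examining every path segment rather than only a stripped basename. BAD_EXTENSIONS and SAMPLE_MESSAGE are constructed for the example.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Extensions the filter refuses; a constructed list, not MIMEDefang's own.
BAD_EXTENSIONS = {"exe", "scr", "pif", "bat", "com", "vbs"}

def suspicious(filename):
    """Return the forbidden extension found in any path segment, else None."""
    # Check every segment, not just the basename: an MUA fooled by the path
    # component acts on the whole value, so the filter must look at all of it.
    for seg in re.split(r"[\\/]", filename.lower()):
        seg = seg.rstrip(". ")  # Windows drops trailing dots and spaces
        if "." in seg and seg.rsplit(".", 1)[1] in BAD_EXTENSIONS:
            return seg.rsplit(".", 1)[1]
    return None

def bad_filenames(raw_message):
    """Return [(name, ext)] for every part name the filter should reject."""
    hits = []
    for part in email.message_from_string(raw_message).walk():
        names = set()
        # Read filename/name from both Content-Disposition and Content-Type,
        # since the thread's example carries filename= on Content-Type alone.
        for header in ("content-disposition", "content-type"):
            for param in ("filename", "name"):
                value = part.get_param(param, header=header)
                if value:  # may be an RFC 2231 tuple; collapse handles both
                    names.add(collapse_rfc2231_value(value))
        for name in sorted(names):
            ext = suspicious(name)
            if ext:
                hits.append((name, ext))
    return hits

SAMPLE_MESSAGE = """\
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; filename="foo.exe"

--bnd
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="foo.exe/README.txt"

--bnd
Content-Disposition: attachment; filename="report.TXT.scr"

--bnd--
"""
```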


