[Mimedefang] RE: JPEG exploit checking in mimedefang-filter
Kelson
kelson at speed.net
Tue Sep 28 16:59:45 EDT 2004
Ian Mitchell wrote:
> Snippet from http://www.easynews.com/virus.html:
<snip>
> @debug = `djpeg -debug $file 2>&1 > /dev/null`;

I've put together a combination of these two functions (which I'll post
after I've refined it a bit), but I'm always worried about constructing
a command line from untrusted input.

Does anyone know if the following code (from Tomasz' function) results
in a shell-safe filename? The last thing we want is to give people an
avenue to name files something like "gotcha; run-local-root-exploit /; .jpg".

> my $bh = $entity->bodyhandle();
> if (defined($bh)) {
> my $path = $bh->path();
> if (defined($path)) {

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
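
An added example, not part of the original post or of MIMEDefang: one way to get the same stderr capture as the quoted backtick line without handing the filename to a shell, so its metacharacters are never interpreted. The helper name `capture_stderr` and the child-perl stand-in for `djpeg` are assumptions made so the block runs anywhere.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper: run a command with NO shell and return its exit
# status plus everything it wrote to stderr. The redirections that
# `cmd 2>&1 > /dev/null` asks the shell for are done by hand in the child.
sub capture_stderr {
    my @argv = @_;
    my $pid = open(my $out, '-|');        # fork; the child's STDOUT is the pipe
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT)   or POSIX::_exit(126);  # stderr -> pipe
        open(STDOUT, '>', '/dev/null') or POSIX::_exit(126);  # stdout discarded
        # Indirect-object exec: each element is one argv entry, verbatim.
        exec { $argv[0] } @argv
            or print STDERR "exec $argv[0] failed: $!\n";
        POSIX::_exit(127);
    }
    my @lines = <$out>;
    close($out);                          # reaps the child and sets $?
    return ($? >> 8, @lines);
}

# Constructed hostile name, the one given in the post.
my $name = 'gotcha; run-local-root-exploit /; .jpg';

# No shell does not stop option parsing: a relative name starting with "-"
# would be read as a switch, so anchor relative names with "./".
my $arg = ($name =~ m{^/}) ? $name : "./$name";

# Stand-in for djpeg: a child perl that reports how many arguments it
# received on stderr and writes noise to stdout.
my ($status, @debug) = capture_stderr(
    $^X, '-e',
    'print STDERR scalar(@ARGV), " arg: $ARGV[0]\n"; print "ignored\n"',
    $arg,
);
print "exit=$status\n", @debug;

# With the real tool the call would be:
#   my ($st, @dbg) = capture_stderr('djpeg', '-debug', $arg);
```

The child receives the whole name, semicolons and spaces included, as a single argument, which is the property the backtick form cannot guarantee.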