[Mimedefang] RE: JPEG exploit checking in mimedefang-filter

Kelson kelson at speed.net
Tue Sep 28 16:59:45 EDT 2004


Ian Mitchell wrote:
> Snippet from http://www.easynews.com/virus.html:
<snip>
>         @debug = `djpeg -debug $file 2>&1 > /dev/null`;

I've put together a combination of these two functions (which I'll post 
after I've refined it a bit), but I'm always worried about constructing 
a command line from untrusted input.

Does anyone know if the following code (from Tomasz' function) results 
in a shell-safe filename?  The last thing we want is to give people an 
avenue to name files something like "gotcha; run-local-root-exploit /; .jpg"

 >        my $bh = $entity->bodyhandle();
 >        if (defined($bh)) {
 >            my $path = $bh->path();
 >            if (defined($path)) {

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
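
The concern raised above, as an added example that is not part of the original post or of MIMEDefang: the backtick call is only risky because a shell parses the interpolated `$file`, and running djpeg through a list-form `exec` removes the shell entirely, whatever `path()` returns. The helper name `djpeg_debug_lines` is hypothetical, and the sketch assumes a Unix host with `djpeg` on the PATH.

```perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper (not from the post): run "djpeg -debug" on $file
# without a shell and return what it wrote to stderr, one line per element.
sub djpeg_debug_lines {
    my ($file) = @_;

    # No shell is involved below, but djpeg itself would still read a
    # name starting with "-" as a switch, so anchor such names with "./".
    $file = "./$file" if $file =~ /^-/;

    pipe(my $reader, my $writer) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: stderr goes to the pipe and stdout is discarded, the same
        # plumbing as "2>&1 > /dev/null" in the quoted backtick command.
        close $reader;
        open(STDERR, '>&', $writer)     or POSIX::_exit(127);
        open(STDOUT, '>',  '/dev/null') or POSIX::_exit(127);

        # List-form exec hands each element to execvp() as one argument.
        # ";", spaces, quotes and backticks in $file are never interpreted.
        exec 'djpeg', '-debug', $file or POSIX::_exit(127);
    }

    # Parent: read everything the child wrote to stderr, then reap it.
    close $writer;
    my @lines = <$reader>;
    close $reader;
    waitpid($pid, 0);
    return @lines;
}

# Constructed sample: the hostile name from the post. djpeg receives it as
# a single (nonexistent) filename and nothing else is executed.
my @debug = djpeg_debug_lines('gotcha; run-local-root-exploit /; .jpg');
print @debug;
```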


