[Mimedefang] Exporting an eml file from MIMEDefang
Kevin A. McGrail
KMcGrail at PCCC.com
Fri Oct 15 05:26:39 EDT 2010
Nigel,
His point, I believe, is more to add something to sanitize the subject line. It doesn't matter if they are in another dir.
Otherwise, a subject such as ../../../../.... could have exploit/dos potential.
Something like $subject =~ s/[^-a-z0-9 _]//gi; would be a good start.
Regards,
KAM
><snip>
>> Dumping files into /tmp and giving an attacker substantial control over
>> the filename is a recipe for trouble.
>
>Thanks for the input David. The folder this stuff is going into is
>actually an SMB mounted folder on another machine. In practice (or
>rather production) I might well make this a subfolder of /mnt for
>safety's sake
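
The subject-line sanitizing suggested in this message, as an added Perl example that is not code from the thread or from MIMEDefang. The helper names `subject_to_filename` and `save_eml`, the 100-character cap, the `no-subject` fallback and the sample subjects are assumptions made for illustration; it writes only into a temporary directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: reduce an untrusted Subject header to a safe file name.
sub subject_to_filename {
    my ($subject) = @_;
    $subject = '' unless defined $subject;
    # Allow-list: drop every character that is not a letter, digit, space,
    # underscore or hyphen. /g removes all of them, not only the first match.
    $subject =~ s/[^-a-z0-9 _]//gi;
    # Trim the ends and strip leading hyphens so the name cannot be
    # mistaken for a command-line option by later tooling.
    $subject =~ s/^[\s-]+|\s+$//g;
    $subject = substr($subject, 0, 100);        # assumed cap, well under NAME_MAX
    $subject = 'no-subject' if $subject eq '';  # e.g. a subject of only dots
    return "$subject.eml";
}

# Hypothetical helper: write the message under $dir without following an
# existing file or symlink of the same name (O_EXCL fails if the path exists).
sub save_eml {
    my ($dir, $subject, $data) = @_;
    my $path = File::Spec->catfile($dir, subject_to_filename($subject));
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to write $path: $!\n";
    print {$fh} $data;
    close($fh) or die "close $path: $!\n";
    return $path;
}

# Constructed sample subjects, written into a throwaway directory.
my $dir = tempdir(CLEANUP => 1);
for my $s ('../../../../etc/passwd', 'Invoice #42 (final)', '....') {
    my $path = save_eml($dir, $s, "Subject: test\n\nbody\n");
    printf "%-24s -> %s\n", $s, $path;
}
```

Because of `O_EXCL`, two messages with the same sanitized subject will not overwrite each other; the second write fails, so a production filter would append a unique per-message suffix to the name.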