[Mimedefang] Exporting an eml file from MIMEDefang

Kris Deugau kdeugau at vianet.ca
Mon Oct 18 13:06:58 EDT 2010


kd6lvw at yahoo.com wrote:
> --- On Fri, 10/15/10, Kevin A. McGrail <KMcGrail at PCCC.com> wrote:
>> ...
>> Something like $subject =~ s/[^-a-z0-9 _]//i; would be a good start.
> 
> A start it is.  One should allow for punctuation at the end, as such is proper writing style.  Also, certain punctuation marks (e.g. comma, slash, or colon - the latter especially in "Re:") also occur in the middle of subjects.
> 
> What one should disallow is exactly two periods in a row.  One, three, or more than three won't have the effect of climbing a filesystem's directory tree.
> 
> Watch out for tricky mime-encoded subjects too.

Well, the idea is to block malicious Subject: lines from causing 
problems by writing somewhere on the filesystem you didn't expect... 
only allowing a small subset of the available characters and replacing 
everything else with an underscore is quite reasonable IMO.

Put another way..  Why would you *allow* a process to create a file that 
has a name like:

/path/to/#$%&**%@@#@%%^$&%.foo...blarch-bha.eml

?

Other processes may well choke on that in their own uniquely nasty ways.

-kgd
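
The whitelist-and-underscore approach discussed in this thread, sketched as an added Perl example (not code from any of the posters or from MIMEDefang itself). The helpers `subject_to_filename` and `open_export` are hypothetical names, and the sample subjects are constructed. It decodes MIME encoded-words before filtering and creates the file exclusively.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

# Hypothetical helper: turn an untrusted Subject: header into a file name
# that can only land inside the export directory.
sub subject_to_filename {
    my ($raw) = @_;
    $raw = '' unless defined $raw;

    # Decode RFC 2047 encoded-words first, so "=?utf-8?B?Li4v?=" is
    # filtered as the "../" it really is.
    my $s = eval { decode('MIME-Header', $raw) };
    $s = $raw unless defined $s;

    # Whitelist: everything outside the set becomes an underscore.
    # /g matters; without it only the first bad character is replaced.
    $s =~ s/[^-A-Za-z0-9_]/_/g;
    $s =~ s/_{2,}/_/g;          # collapse runs of underscores
    $s =~ s/^[-_]+|_+$//g;      # no leading "-" (looks like an option)
    $s = substr($s, 0, 100);    # stay well under NAME_MAX
    $s = 'no_subject' if $s eq '';
    return "$s.eml";
}

# Hypothetical helper: create the file exclusively so an existing file or a
# planted symlink with the same name is never written through.
sub open_export {
    my ($dir, $subject) = @_;
    my $path = File::Spec->catfile($dir, subject_to_filename($subject));
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to write $path: $!";
    return ($fh, $path);
}

# Constructed sample subjects
for my $subj ('Re: invoice, Q3/2010', '../../etc/cron.d/x',
              '=?utf-8?B?Li4vLi4vdG1wL3g=?=', '#$%&**%@@#@%%^$&%.foo...blarch-bha') {
    printf "%-40s -> %s\n", $subj, subject_to_filename($subj);
}
```

Because the dot and the slash are both outside the whitelist, no output name can contain a path separator or a `..` component, whatever the subject held before or after decoding.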


