[Mimedefang] Exporting an eml file from MIMEDefang

Kevin A. McGrail KMcGrail at PCCC.com
Fri Oct 15 05:26:39 EDT 2010


His point, I believe, is more to add something to sanitize the subject line.  It doesn't matter if they are in another dir.

Otherwise, a subject such as ../../../../.... could have exploit/DoS potential.

Something like $subject =~ s/[^-a-z0-9 _]//gi; would be a good start.
>> Dumping files into /tmp and giving an attacker substantial control over
>> the filename is a recipe for trouble.
>Thanks for the input David. The folder this stuff is going into is 
>actually an SMB mounted folder on another machine. In practice (or 
>rather production) I might well make this a subfolder of /mnt for 
>safety's sake


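The subject-line sanitizer suggested above, carried through as a complete example. This is added illustration code, not part of the original message or of MIMEDefang itself; the function names, the export directory and the time/pid suffix are assumptions, and the test subjects (including the traversal attempt from the thread) are constructed.

```perl
#!/usr/bin/perl
# Added example: a subject-to-filename sanitizer for a MIMEDefang filter.
# Not MIMEDefang's own code; the function names and the export directory
# are assumptions for illustration.
use strict;
use warnings;
use File::Spec;

# Base directory the .eml files are written to (assumed, not from the thread).
my $EXPORT_DIR = '/mnt/eml-export';

# Turn an untrusted Subject: header into a safe filename component.
sub safe_filename {
    my ($subject) = @_;
    $subject = '' unless defined $subject;

    # Whitelist, not blacklist: keep only letters, digits, space, '-' and '_'.
    # The /g flag matters: without it only the first bad character is removed.
    $subject =~ s/[^A-Za-z0-9 _-]//g;

    # Collapse runs of whitespace and trim the ends.
    $subject =~ s/\s+/ /g;
    $subject =~ s/^ //;
    $subject =~ s/ $//;

    # Cap the length so a huge Subject: cannot produce an over-long path.
    $subject = substr($subject, 0, 100);

    # A subject made entirely of stripped characters yields an empty string;
    # use a placeholder rather than writing to "$EXPORT_DIR/-<time>-<pid>.eml".
    $subject = 'no-subject' if $subject eq '';

    return $subject;
}

# Build the full path. A time+pid suffix keeps two messages with the same
# subject from clobbering each other; in a real filter the queue ID of the
# message would be a better choice (assumed, not shown here).
sub export_path {
    my ($subject) = @_;
    my $name = sprintf('%s-%d-%d.eml', safe_filename($subject), time(), $$);
    return File::Spec->catfile($EXPORT_DIR, $name);
}

# Constructed test subjects, including the traversal attempt from the thread.
for my $s ("Quarterly report",
           "../../../../etc/passwd",
           "..\\..\\win.ini",
           "",
           "!!!") {
    printf "%-28s -> %s\n", "'$s'", export_path($s);
}
```

Because the character class is a whitelist, every `.`, `/` and `\` is dropped before the path is assembled, so "../../../../etc/passwd" becomes "etcpasswd-<time>-<pid>.eml" inside the export directory rather than a path that escapes it; the empty-string check covers subjects that consist only of stripped characters.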