[Mimedefang] Exporting an eml file from MIMEDefang
Kris Deugau
kdeugau at vianet.ca
Mon Oct 18 13:06:58 EDT 2010
kd6lvw at yahoo.com wrote:
> --- On Fri, 10/15/10, Kevin A. McGrail <KMcGrail at PCCC.com> wrote:
>> ...
>> Something like $subject =~ s/[^-a-z0-9 _]//i; would be a good start.
>
> A start it is. One should allow for punctuation at the end, as such is proper writing style. Also, certain punctuation marks (e.g. comma, slash, or colon - the latter especially in "Re:") also occur in the middle of subjects.
>
> What one should disallow is exactly two periods in a row. One, three, or more than three won't have the effect of climbing a filesystem's directory tree.
>
> Watch out for tricky mime-encoded subjects too.
Well, the idea is to block malicious Subject: lines from causing
problems by writing somewhere on the filesystem you didn't expect...
only allowing a small subset of the available characters and replacing
everything else with an underscore is quite reasonable IMO.
Put another way: why would you *allow* a process to create a file that
has a name like:
/path/to/#$%&**%@@#@%%^$&%.foo...blarch-bha.eml
?
Other processes may well choke on that in their own uniquely nasty ways.
-kgd
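A Perl sketch of the approach argued above (a small allow-list of characters, everything else replaced with an underscore, and runs of dots collapsed so ".." can never survive). This is an added example, not code from the thread or from MIMEDefang itself; the export directory is an assumed placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);
use File::Spec;

# Assumed export location for this demo; not a MIMEDefang default.
my $EXPORT_DIR = '/var/spool/MIMEDefang/exported';

sub safe_subject_filename {
    my ($subject) = @_;
    $subject = '' unless defined $subject;

    # Decode RFC 2047 encoded words first, so "=?...?=" text cannot carry
    # characters past the filter below. Fall back to the raw header on error.
    my $text = eval { decode('MIME-Header', $subject) } // $subject;

    # Allow-list: letters, digits, dot, dash, underscore. Spaces, slashes,
    # NULs, control and non-ASCII characters all become '_'. The /g makes
    # this apply to every character rather than only the first match.
    $text =~ s/[^A-Za-z0-9._-]/_/g;

    # Collapse runs of dots so ".." (or "...") becomes a single dot, and
    # tidy runs of underscores left behind by the replacement above.
    $text =~ s/\.{2,}/./g;
    $text =~ s/_{2,}/_/g;

    # No leading dot (hidden file) or dash (looks like a command option),
    # and no dangling separators at the end.
    $text =~ s/^[._-]+//;
    $text =~ s/[._-]+$//;

    # Bound the length; long subjects are legal, long file names are not.
    $text = substr($text, 0, 100);
    $text = 'no_subject' if $text eq '';
    return "$text.eml";
}

# Join with the export directory and refuse anything that is not a single
# plain path component (belt and braces after the sanitiser).
sub export_path_for {
    my ($subject) = @_;
    my $name = safe_subject_filename($subject);
    die "refusing unsafe name '$name'\n"
        if $name =~ m{[/\\]} || $name eq '.' || $name eq '..';
    return File::Spec->catfile($EXPORT_DIR, $name);
}

# Constructed sample subjects: ordinary, traversal attempt, MIME-encoded, empty.
print export_path_for($_), "\n"
    for ('Re: status report', '../../etc/passwd', '=?UTF-8?Q?Hi_there/=2E=2E/x?=', '');
```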