Filename problem

[Julian Field]

On Thu22 Jun 06, at 21:08, Jethro R Binks wrote:

> On Thu, 22 Jun 2006, Scott Silva wrote:
>
>> You need to look in the logs to get more detail, as the filename  
>> in the
>> response message is "sanitized", and the real name could be much  
>> longer.
>
> Well there's the thing.  I recall Julian saying reasonably recently  
> that
> it wasn't possible to put the "real" or "original" filename in any  
> logs
> _without_ sanitising it -- for obvious reasons.  Which often makes it
> difficult to enter into a discussion with the user about the nature  
> of the
> original filename, other than guesswork.
>
> Jethro.

That is indeed a problem. But the alternative is someone embedding  
nasty things in a filename for an attachment knowing full well that  
all their text will get inserted into an email message. If they can  
put a virus in the Subject: line (which can be done) then this is  
child's play.
Fancy a very long filename causing a stack overflow in your syslogd  
to exploit a vulnerability resulting in arbitrary code execution?  
Didn't think so.

So I don't ever store any unsanitised data anywhere.

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.