AW: AW: Problems with TNEF and long filenames

Ehle, Roland roland at
Thu Jan 31 11:07:39 GMT 2008


thanks again for your help.

Just to have a better understanding: the filename check probably takes place after unpacking TNEF files? If so, I do not see a security problem.


Jules wrote:
Well I have found it, but I'm a bit reluctant to change it:

          $safename = $message->MakeNameSafe($_->longname, $dir);
          push @replacements, $safename;
          #print STDERR "Safe name is \"$safename\"\n";
          $message->{entity}->attach(Type => "application/octet-stream",
                                     Encoding => "base64",
                                     Disposition => "attachment",
                                     Filename => $safename,
                                     Path => $filename);

Putting a dangerous filename back in the e-mail is a bit dodgy from a
security point of view. But I could change
                                     Filename => $safename,
                                     Filename => $_->longname,
which should fix it.

What does anyone think?

More information about the MailScanner mailing list