AW: AW: Problems with TNEF and long filenames

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 31 11:56:52 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fair enough. It will be in the next release.

Ehle, Roland wrote:
> Jules,
>
> thanks again for your help.
>
> Just to have a better understanding: the filename check probably takes place after unpacking TNEF files? If so, I do not see a security problem.
>
> Regards,
> Roland
>
>
> Jules wrote:
> Well I have found it, but I'm a bit reluctant to change it:
>
>           $safename = $message->MakeNameSafe($_->longname, $dir);
>           push @replacements, $safename;
>           #print STDERR "Safe name is \"$safename\"\n";
>           $message->{entity}->attach(Type => "application/octet-stream",
>                                      Encoding => "base64",
>                                      Disposition => "attachment",
>                                      Filename => $safename,
>                                      Path => $filename);
>
> Putting a dangerous filename back in the e-mail is a bit dodgy from a
> security point of view. But I could change
>                                      Filename => $safename,
> to
>                                      Filename => $_->longname,
> which should fix it.
>
> What does anyone think?
>   

Jules

- -- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 1012)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHobeFEfZZRxQVtlQRAof8AJ9NRDccA3XBvahCHltCRWmx91rBJQCgv3md
IM6HIN8EHG3PXE1kWZ11tFU=
=rpIj
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
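The thread turns on one distinction: the name MailScanner writes to disk for an unpacked TNEF member and the name it announces to the recipient in the rebuilt MIME part do not have to be the same string, and the filename rules are applied to the long name after unpacking either way. The sketch below is an added example, not MailScanner's code; `make_name_safe`, `name_is_allowed` and `build_attachment` are hypothetical stand-ins for the project's `MakeNameSafe` and filename-rule checks, and the deny list and the TNEF long names are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's own code. Keeps the on-disk name short and
# inert while passing the original long name through to the MIME header, and
# runs the name check on the original name so the rename cannot hide anything.
use strict;
use warnings;

# Constructed stand-in for a filename rule set (MailScanner keeps the real
# rules in filename.rules.conf; these patterns are illustrative only).
my @deny = (
    qr/\.(?:exe|scr|pif|bat|cmd|com|vbs|js)$/i,   # executable types
    qr/\.[a-z0-9]{2,4}\.(?:exe|scr|pif)$/i,       # double extensions
    qr/\s{5,}/,                                   # padding that pushes the real extension out of view
);

# The check is applied to the ORIGINAL long name, never to the sanitised one.
sub name_is_allowed {
    my ($longname) = @_;
    for my $re (@deny) { return 0 if $longname =~ $re; }
    return 1;
}

# Hypothetical stand-in for MakeNameSafe: produce a name that is safe to
# create inside $dir, and unique within this message's working directory.
sub make_name_safe {
    my ($name, $dir, $seen) = @_;
    my $safe = $name;
    $safe =~ s{.*[\\/]}{}s;               # drop any directory components (../, C:\)
    $safe =~ s/[\x00-\x1f\x7f]//g;        # control characters
    $safe =~ s/[^A-Za-z0-9._-]/_/g;       # shell-sensitive characters
    $safe =~ s/^\.+//;                    # no hidden files or ".." remnants
    $safe = substr($safe, 0, 64);         # crude length cap; a real version keeps the extension
    $safe = 'unnamed' if $safe eq '';
    my ($candidate, $n) = ($safe, 1);
    while ($seen->{"$dir/$candidate"}) { $candidate = $n++ . "_$safe"; }
    $seen->{"$dir/$candidate"} = 1;
    return $candidate;
}

# What the recipient sees: the long name, minus characters that would let it
# break out of the Content-Disposition header (CR, LF, double quote).
sub header_display_name {
    my ($longname) = @_;
    (my $display = $longname) =~ s/[\r\n"]//g;
    return $display;
}

# Mirrors the shape of the quoted attach() call: Path is where the unpacked
# body lives on disk, Filename is the name written into the MIME part.
sub build_attachment {
    my ($longname, $dir, $seen) = @_;
    return undef unless name_is_allowed($longname);
    my $safe = make_name_safe($longname, $dir, $seen);
    return {
        Path     => "$dir/$safe",
        Filename => header_display_name($longname),
    };
}

# Constructed TNEF long names standing in for $_->longname in the thread.
my @entries = (
    'Quarterly report for the board, final version 2008-01-31.xls',
    '../../etc/passwd',
    'invoice.pdf                                         .exe',
    "notes\"\r\nX-Injected: yes.txt",
);

my $dir = '/var/spool/MailScanner/incoming/example';   # constructed working directory
my %seen;
for my $name (@entries) {
    my $att = build_attachment($name, $dir, \%seen);
    if ($att) {
        printf "ACCEPT  disk=%s  header=\"%s\"\n", $att->{Path}, $att->{Filename};
    } else {
        printf "BLOCK   %s\n", $name;
    }
}
```

Run with `perl tnef_names.pl`. The third entry is blocked by the rule set even though its sanitised disk name would look harmless, which is why the check has to run on the long name rather than on the output of the rename; the fourth shows that sending the long name back out, as the proposed one-line change does, still wants CR, LF and quotes stripped before the value lands in a header.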