filename checks = wrong filename report

Matt Kettler mkettler at evi-inc.com
Mon Jul 14 18:44:41 IST 2008


Scott Silva wrote:
> Julian probably just sanitized everything to reduce code complexity.
> Much easier than another 1000 lines of code to figure out IF something
> can be bad.
> 

Again, the syslog is not sanitized, so the "sanitized everything" doesn't make 
sense, because it isn't all sanitized.


However, Julian has explained in a different post the possibility of embedding a 
mime section to create an attachment from the filename. I find that a bit remote 
as they'd have to guess the mime boundary string, and would only be easy if 
MailScanner is doing something foolish like using non-random boundary strings. I 
doubt MailScanner is so foolish, but even as a long-shot it is somewhat worth 
protecting against.

In that context, that threat also wouldn't be present in syslog, so it would be 
safe to send it to syslog. Of course, this doesn't protect you against buffer 
overflows on syslog, but that could be fixed with a much less aggressive 
sanitation method (i.e. removing unprintables, and limiting the length), which 
I'm guessing Julian already does and wouldn't have been visible here.


So, Julian's got the right idea, and it's probably a good one despite the very 
remote chance of anyone successfully exploiting it. However, it clearly doesn't 
happen for any of the reasons Scott and I discussed.
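Added example, not from this thread and not MailScanner's own code: a small Python sanitizer that does exactly what the post suggests for a filename headed to syslog, replacing unprintable characters and capping the length. The 255-character cap, the `?` replacement and the sample filenames are my assumptions, constructed for illustration.

```python
import string

# Assumed cap on the logged filename length; chosen for this example.
MAX_LOG_NAME_LEN = 255

# Printable ASCII: string.printable minus the whitespace control characters.
# A plain space is kept; CR, LF, tab and form feed are treated as unprintable.
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def sanitize_for_syslog(name: str, max_len: int = MAX_LOG_NAME_LEN) -> str:
    """Return a version of an untrusted attachment filename safe to log.

    1. Every character outside printable ASCII becomes '?'. This covers
       control characters, including CR/LF, which would otherwise let a
       single filename forge additional log lines.
    2. The result is truncated to max_len characters, ending in '...'
       so the truncation is visible to whoever reads the log.
    """
    cleaned = "".join(ch if ch in PRINTABLE_ASCII else "?" for ch in name)
    if len(cleaned) > max_len:
        cleaned = cleaned[: max_len - 3] + "..."
    return cleaned


def was_altered(name: str, max_len: int = MAX_LOG_NAME_LEN) -> bool:
    """True when sanitizing changed the name; worth a separate warning
    entry, since a clean filename never trips this."""
    return sanitize_for_syslog(name, max_len) != name


# Constructed sample filenames, not taken from any real message.
SAMPLES = {
    "clean": "quarterly report.pdf",
    "newline": "invoice.exe\r\nJul 14 18:44:41 host MailScanner: forged entry",
    "non_ascii": "r\u00e9sum\u00e9.doc",
    "too_long": "A" * 300 + ".zip",
}


def sanitize_samples() -> dict:
    """Sanitize every sample and report whether each one was altered."""
    return {k: (sanitize_for_syslog(v), was_altered(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (safe, altered) in sanitize_samples().items():
        print(f"{label:10} altered={altered!s:5} -> {safe}")
```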





More information about the MailScanner mailing list