Re: [exim] mime_filename and &# encoding

Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] mime_filename and &# encoding
On 2014-06-27, Sean Donelan <sean@???> wrote:

> It appears the RFC2047 decode in Exim can be tricked, and the spammers
> have figured out how to exploit it.
>
> For example, this is a recent MIME part (I added "_")
>
>     Content-Type: application/x-zip-compressed;
>          name="&_#_1057_;opy_of_Document_ID7851.zip"
>     Content-Transfer-Encoding: base64
>     Content-Disposition: attachment;
>          filename="&_#_1057_;opy_of_Document_ID7851.zip"
>
> When Exim expands the variable $mime_filename the result
> is only "&_#_1057" and nothing else (again _'s added)


That's not RFC2047.

It could be the semicolon that's causing problems.

It looks like they want U+0441 'С' instead of 'C' but that
encoding is broken, applicable to only HTML and XML. I wonder who
they're fooling.

Still, it looks like a bug in exim. I'm fairly sure the RFCs say that
semicolons are not significant inside quoted words.

--
umop apisdn
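
The truncation discussed in this thread, as an added example that is not part of the original message and is not Exim's code: a parameter parser that splits on every `;` beside one that treats a quoted-string as a single unit. All function names are hypothetical, and the naive splitter is an assumed illustration of the failure mode, not a statement of how Exim parses the header.

```python
import re

# Content-Disposition value as quoted in the thread; the poster added the "_"
# characters around the character reference, so this is not the raw spam header.
SAMPLE = 'attachment;\n     filename="&_#_1057_;opy_of_Document_ID7851.zip"'

def naive_params(value):
    """Assumed buggy approach: split on every ';', ignoring quoting."""
    params = {}
    for piece in value.split(";")[1:]:
        name, sep, val = piece.strip().partition("=")
        if sep:
            params[name.lower()] = val.strip('"')
    return params

# ;name=value where value is a quoted-string (with backslash escapes) or a bare token.
PARAM = re.compile(r';\s*([^=;\s]+)\s*=\s*(?:"((?:\\.|[^"\\])*)"|([^;]*))', re.S)

def quoted_aware_params(value):
    """A ';' inside a quoted-string belongs to the value and ends nothing."""
    params = {}
    for name, quoted, token in PARAM.findall(value):
        if quoted:
            val = re.sub(r"\\(.)", r"\1", quoted, flags=re.S)  # undo quoted-pairs
        else:
            val = token.strip()
        params[name.lower()] = val
    return params

def truncation_risk(value):
    """True when the two parsers disagree on the filename, i.e. a filter built
    on the naive view would evaluate a different name than the mail client."""
    return naive_params(value).get("filename") != quoted_aware_params(value).get("filename")

# HTML/XML numeric character reference; it has no meaning in a MIME header,
# so its presence in an attachment name is worth flagging on its own.
HTML_CHAR_REF = re.compile(r"&#(?:\d+|[xX][0-9a-fA-F]+);")

def has_html_char_ref(filename):
    return bool(HTML_CHAR_REF.search(filename))

if __name__ == "__main__":
    print("naive       :", naive_params(SAMPLE))
    print("quote-aware :", quoted_aware_params(SAMPLE))
    print("mismatch    :", truncation_risk(SAMPLE))
```

An attachment-extension rule that sees only the naive result never reaches the `.zip` suffix, so a mismatch between the two parsers is a useful signal to log or reject on.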