Re: [exim-dev] [Bug 2737] New: $mime_filename considered as …

Pàgina inicial
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
CC: exim-dev
Assumpte: Re: [exim-dev] [Bug 2737] New: $mime_filename considered as Tainted
On Thu, 6 May 2021, admin--- via Exim-dev wrote:

> As per the documentation
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html#SECTscanmimepart
> the option 'decode = $mime_filename' can be used however within the MIME ACL.
> This now fails due to the filename being tainted.

     ...        ...


> Using 'decode = default' solves the issue and the documentation also does
> mention "However, you should keep in mind that $mime_filename might contain
> anything.". So not sure how this should be dealt with. I can only see 2
> options:
>
> 1. Remove the ability to use decode = $mime_filename or
> 2. Remove the taint check on $mime_filename and warn the OP that this is
> dangerous (this is probably not a good idea)
>
>
> Is there an alternative approach?


Yes. Detaint in the usual way, probably with a lookup.

If you are decoding the mime file with its real name you must
have a reason, perhaps to make them available on a web page.
It would then be reasonable to check that the filename was
sensible in that context.
I wouldn't see a database looking as the mot obvious way to sanitize
the filename, but we do already have the tools to turn a pattern
matching into a lookup, so the flexibility is there.

-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???