Author: Warren Baker Date: To: exim-dev Subject: Re: [exim-dev] [Bug 2737] New: $mime_filename considered as Tainted
On Thu, May 6, 2021 at 12:57 PM Andrew C Aitchison via Exim-dev <
exim-dev@???> wrote:
>
> > Is there an alternative approach?
>
> Yes. Detaint in the usual way, probably with a lookup.
>
> If you are decoding the mime file with its real name you must
> have a reason, perhaps to make them available on a web page.
> It would then be reasonable to check that the filename was
> sensible in that context.
> I wouldn't see a database looking as the mot obvious way to sanitize
> the filename, but we do already have the tools to turn a pattern
> matching into a lookup, so the flexibility is there.
>
Thanks Andrew. It actually never occurred to me to even try and specify a
lookup after decode = ... - which indeed works just fine and addresses the
issue.
Just fyi, the file name is needed for an external application that does
further analysis and reporting.
