Re: [exim-dev] [Bug 2737] New: $mime_filename considered as …

Author: Warren Baker
Date:
To: exim-dev
Subject: Re: [exim-dev] [Bug 2737] New: $mime_filename considered as Tainted
On Thu, May 6, 2021 at 12:57 PM Andrew C Aitchison via Exim-dev <
exim-dev@???> wrote:

>
> > Is there an alternative approach?
>
> Yes. Detaint in the usual way, probably with a lookup.
>
> If you are decoding the mime file with its real name you must
> have a reason, perhaps to make them available on a web page.
> It would then be reasonable to check that the filename was
> sensible in that context.
> I wouldn't see a database looking as the most obvious way to sanitize
> the filename, but we do already have the tools to turn a pattern
> matching into a lookup, so the flexibility is there.
>



Thanks Andrew. It actually never occurred to me to even try and specify a
lookup after decode = ... - which indeed works just fine and addresses the
issue.
Just fyi, the file name is needed for an external application that does
further analysis and reporting.

--
.warren