[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original f
From: |
Ken Hornstein |
Subject: |
Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original filename |
Date: |
Tue, 03 Jun 2014 08:14:02 -0400 |
>> Wearing my sys-admin hat, I've be far more comfortable with people
>> that really know what they are doing sanitize things within nmh (one
>> place), rather than having end users (who are not always fully aware
>> of various trojan techniques or concerned if they do know).
>
>Agreed. I wouldn’t mind too much having to do it myself, but
>this argument makes good sense.
Two points:
- I'm not sure the nmh authors are necessarily more qualified than anyone
else to decide what encompasses a "sanitized" filename.
- We don't do any sanitization now; if it looks "dodgy", we chuck it and
generate our own filename. Well, it's even slightly more confusing
than that. The exact steps are:
- Convert to the local character set, converting any unconvertable
characters to '_'.
- Reject filenames that start with a '/', '.', '!', '|' (I believe the
latter two are because of the way nmh overloads the "storeproc"
functionality") or any filename that contains a '%'.
So ... not exactly exhaustive, and a bit weird to match nmh implementation
details.
--Ken
- Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original filename, (continued)
Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original filename, Jon Fairbairn, 2014/06/02
Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original filename, Ken Hornstein, 2014/06/02
Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original filename, Jon Fairbairn, 2014/06/03
Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original filename, David Levine, 2014/06/02