nmh-workers

Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original f


From: Ken Hornstein
Subject: Re: [Nmh-workers] mhstore RFE: add facility to manipulate the original filename
Date: Tue, 03 Jun 2014 08:14:02 -0400

>> Wearing my sys-admin hat, I'd be far more comfortable with people
>> that really know what they are doing sanitize things within nmh (one
>> place), rather than having end users (who are not always fully aware
>> of various trojan techniques or concerned if they do know).
>
>Agreed.  I wouldn’t mind too much having to do it myself, but
>this argument makes good sense.

Two points:

- I'm not sure the nmh authors are necessarily more qualified than anyone
  else to decide what encompasses a "sanitized" filename.
- We don't do any sanitization now; if it looks "dodgy", we chuck it and
  generate our own filename.  Well, it's even slightly more confusing
  than that.  The exact steps are:

  - Convert to the local character set, converting any unconvertible
    characters to '_'.
  - Reject filenames that start with a '/', '.', '!', '|' (I believe the
    latter two are because of the way nmh overloads the "storeproc"
    functionality) or any filename that contains a '%'.

So ... not exactly exhaustive, and a bit weird to match nmh implementation
details.

--Ken
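
The two steps listed in the message above, written out as an added sketch (not nmh source code and not part of Ken's message). The function names are hypothetical, the local character set is assumed to be ASCII, and rejecting an empty name is an assumption; the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Step 1, simplified: ASSUME the local character set is ASCII, so any byte
 * outside 0x20..0x7e is "unconvertible" and becomes '_'. */
static void to_local_charset(const char *in, char *out, size_t outlen)
{
    size_t i = 0;
    if (outlen == 0)
        return;
    for (; in[i] != '\0' && i + 1 < outlen; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = (c >= 0x20 && c <= 0x7e) ? (char)c : '_';
    }
    out[i] = '\0';
}

/* Step 2: reject a leading '/', '.', '!' or '|', or a '%' anywhere.
 * Rejecting the empty name is an assumption of this sketch. */
static int passes_listed_checks(const char *name)
{
    if (name[0] == '\0' || strchr("/.!|", name[0]) != NULL)
        return 0;
    return strchr(name, '%') == NULL;
}

/* Hypothetical helper: returns 1 if the suggested name survives both steps
 * (converted form left in out), 0 if the caller should generate its own. */
int suggested_name_usable(const char *suggested, char *out, size_t outlen)
{
    to_local_charset(suggested, out, outlen);
    return passes_listed_checks(out);
}

int main(void)
{
    /* Constructed sample names, not taken from the thread. */
    const char *samples[] = { "report.pdf", "/etc/motd", ".profile", "|cat",
                              "!x", "50%off.txt", "r\xc3\xa9sum\xc3\xa9.doc",
                              "sub/notes.txt" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = suggested_name_usable(samples[i], buf, sizeof buf);
        /* "sub/notes.txt" is kept: only the first character is tested for '/' */
        printf("%-16s -> %s\n", buf, ok ? "keep" : "generate own name");
    }
    return 0;
}
```

Under the rules as listed, a name with a '/' after the first character is kept, which matches the "not exactly exhaustive" remark.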


