[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] RFC 2047 vs RFC 2231 encoding for MIME parameters

From: Ralph Corderoy
Subject: Re: [Nmh-workers] RFC 2047 vs RFC 2231 encoding for MIME parameters
Date: Thu, 06 Oct 2016 14:22:32 +0100

Hi Earl,

> > If not a tty, we're back to the question.  Safer to fail, friendlier
> > to decode.
> Decode.  How often are real files with "=?...?=" in their name them
> encountered?

If you other recent email you said "If we are to be security conscience"
and I think that's the right default stance.

I can't think of a way of exploiting having a filename with the wrong
encoding being decoded anyway, but I prefer to start with allowing
nothing and working out what to add than the other way around.  The
email may be seen at other MUAs that display the filenames differently,
but the unpacking left to nmh without checking.  The attachments may
overwrite one another or not depending whether the MUA sticks to the
RFCs, and so unpacking multiple times with different MUAs could give
different results.  Even if no exploit, there's obviously room for
confusion, and that's inevitable if other MUAs don't follow the RFCs.

If we do the right thing by the RFCs then we can justify it, have the
high ground, and point to mhfixmsg(1) with the user realising they need
to tread carefully.

Cheers, Ralph.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]