nmh-workers

Re: [Nmh-workers] RFC 2047 vs RFC 2231 encoding for MIME parameters


From: David Levine
Subject: Re: [Nmh-workers] RFC 2047 vs RFC 2231 encoding for MIME parameters
Date: Thu, 06 Oct 2016 23:11:13 -0400

Lyndon wrote:

> > On Oct 6, 2016, at 5:20 AM, David Levine <address@hidden> wrote:
> > 
> > The /etc/passwd or relative pathname will be ignored, and a name of
> > the form message#.part#.subtype will be used instead (assuming no
> > profile override).
>
> I think this is very wrong behaviour.
>
> Filenames in the attachment meta-data are suggestions.  But they can be very 
> valid suggestions, and shouldn't be ignored for arbitrary reasons.

I don't think they are.

> But leading paths must be ignored, as security dictates.
>
> The safest course of action is:
>
> 1) Take the basename of the suggested filename.

But I wouldn't consider the likely result with filename=/foo/bar/README
to be safest.

> 2) Perform an exclusive open+create of the filename.
>
> 2a) If the file exists, and we are interactive, prompt for a replacement name 
> (or to overwrite); else (2c)

That can be configured with -clobber ask, but that's not the default for
(decades of) historical precedent.

I don't think we should change the default here.  It's easy enough for
users to override.

David
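
The two quoted steps (take the basename, then do an exclusive open+create), as an added C example that is not part of the original message and is not nmh's own code. The helper names suggested_basename and store_part are hypothetical, and the fallback name "1.2.plain" is a constructed value in the message#.part#.subtype form mentioned above.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not nmh code): keep only the last path component of a
 * sender-suggested name. Returns NULL if nothing usable remains. */
static const char *suggested_basename(const char *suggested)
{
    const char *base;
    if (suggested == NULL)
        return NULL;
    base = strrchr(suggested, '/');
    base = base ? base + 1 : suggested;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;            /* "dir/", "." and ".." name no file */
    return base;
}

/* Hypothetical helper: choose the basename or the generated fallback, copy it
 * to used[], and create it in the current directory. O_CREAT|O_EXCL fails with
 * EEXIST instead of overwriting and does not follow a symlink at that name. */
static int store_part(const char *suggested, const char *fallback,
                      char *used, size_t usedlen)
{
    const char *name = suggested_basename(suggested);
    if (name == NULL)
        name = fallback;
    if (strlen(name) >= usedlen) { errno = ENAMETOOLONG; return -1; }
    strcpy(used, name);
    return open(used, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    /* Constructed inputs; the second collides with the first on purpose. */
    const char *in[] = { "/foo/bar/demo-README", "../demo-README", "/tmp/" };
    char used[256] = "";

    for (size_t i = 0; i < 3; i++) {
        int fd = store_part(in[i], "1.2.plain", used, sizeof used);
        printf("%s -> %s: %s\n", in[i], used, fd >= 0 ? "created" : strerror(errno));
        if (fd >= 0) close(fd);
    }
    unlink("demo-README"); unlink("1.2.plain");   /* remove the demo files */
    return 0;
}
```

An EEXIST result is the point where a caller would prompt for another name or apply its configured clobber policy.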


