kd6...@yahoo.com wrote:
--- On Fri, 10/15/10, Kevin A. McGrail <kmcgr...@pccc.com> wrote:
...
Something like $subject =~ s/[^-a-z0-9 _]//i; would be a good start.
A start it is. One should allow for punctuation at the end, as such is proper writing
style. Also, certain punctuation marks (e.g. comma, slash, or colon - the latter
especially in "Re:") also occur in the middle of subjects.
What one should disallow is exactly two periods in a row. One, three, or more
than three won't have the effect of climbing a filesystem's directory tree.
Watch out for tricky mime-encoded subjects too.
Well, the idea is to block malicious Subject: lines from causing
problems by writing somewhere on the filesystem you didn't expect...
only allowing a small subset of the available characters and replacing
everything else with an underscore is quite reasonable IMO.
Put another way.. Why would you *allow* a process to create a file that
has a name like:
/path/to/#$%&**%@@#...@%%^$&%.foo...blarch-bha.eml
?
Other processes may well choke on that in their own uniquely nasty ways.
-kgd
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang