On Wed, Oct 05, 2016 at 10:49:29AM -0700, Will Yardley wrote:
> On Tue, Oct 04, 2016 at 12:16:40PM -0700, Brendan Cully wrote:
> > 
> > Preserve forwarded attachment names in d_filename.
> > 
> > When forwarding an attachment with a non-ascii name, mutt_copy_body()
> > mangles the filename when calling mutt_adv_mktemp.  Preserve
> > the original attachment filename in d_filename.
> 
> Are there any security implications to this? Are there any characters
> that should absolutely be sanitized in the filename?

I can't see any for the d_filename.  This is only used in the
content-disposition header, and is basename and rfc2231 encoded there.
Otherwise, mutt isn't using it for anything.

Also, the resume and resend code is already doing something similar in
mutt_prepare_template().

Of course, if I'm wrong please don't hesitate to speak up, but I don't
see a security issue here.

-- 
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
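
The reply above rests on the name being reduced to its basename and RFC 2231 encoded before it reaches the Content-Disposition header. The following sketch of that kind of encoding step is an added example, not code from this thread or from mutt; the function names are hypothetical and the input is assumed to be UTF-8 bytes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Keep only the component after the last '/', so no directory part survives. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Bytes emitted unencoded: a conservative subset of RFC 2231 attribute-char.
 * Controls, space, quotes, '%', '*', tspecials and all non-ASCII are encoded. */
static int is_attr_char(unsigned char c)
{
    return c != 0 && c < 0x80 && (isalnum(c) || strchr("!#$&+-.^_`|~", c) != NULL);
}

/* Hypothetical helper: writes filename*=utf-8''<pct-encoded basename> to out.
 * Returns 0 on success, -1 if out is too small. Assumes name is UTF-8. */
int encode_disposition_filename(const char *name, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    const char *prefix = "filename*=utf-8''";
    const unsigned char *p = (const unsigned char *)base_name(name);
    size_t n = strlen(prefix);

    if (outlen <= n) return -1;
    memcpy(out, prefix, n);
    for (; *p; p++) {
        if (is_attr_char(*p)) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)*p;
        } else {
            if (n + 3 >= outlen) return -1;
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0F];
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed sample name: directory components, non-ASCII, quotes. */
    if (encode_disposition_filename("../../etc/r\xc3\xa9sum\xc3\xa9 \"x\".pdf", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```

Because CR, LF, quotes and path separators never appear literally in the output, the parameter value cannot break out of the header line or carry a directory component.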
