Hi Earl,

> > If not a tty, we're back to the question.  Safer to fail, friendlier
> > to decode.
>
> Decode.  How often are real files with "=?...?=" in their name them
> encountered?

In your other recent email you said "If we are to be security conscience" and I think that's the right default stance. I can't think of a way of exploiting having a filename with the wrong encoding being decoded anyway, but I prefer to start with allowing nothing and working out what to add than the other way around.

The email may be seen at other MUAs that display the filenames differently, but the unpacking left to nmh without checking. The attachments may overwrite one another or not depending on whether the MUA sticks to the RFCs, and so unpacking multiple times with different MUAs could give different results. Even if no exploit, there's obviously room for confusion, and that's inevitable if other MUAs don't follow the RFCs.

If we do the right thing by the RFCs then we can justify it, have the high ground, and point to mhfixmsg(1) with the user realising they need to tread carefully.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy