On Thu, 6 May 2021, admin--- via Exim-dev wrote:

As per the documentation
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html#SECTscanmimepart
the option 'decode = $mime_filename' can be used however within the MIME ACL.
This now fails due to the filename being tainted.
        ...             ...

Using 'decode = default' solves the issue and the documentation also does
mention "However, you should keep in mind that $mime_filename might contain
anything.". So not sure how this should be dealt with. I can only see 2
options:

1. Remove the ability to use decode = $mime_filename or
2. Remove the taint check on $mime_filename and warn the OP that this is
dangerous (this is probably not a good idea)


Is there an alternative approach?

Yes. Detaint in the usual way, probably with a lookup.

If you are decoding the mime file with its real name you must
have a reason, perhaps to make them available on a web page.
It would then be reasonable to check that the filename was
sensible in that context.
I wouldn't see a database lookup as the most obvious way to sanitize
the filename, but we do already have the tools to turn a pattern
matching into a lookup, so the flexibility is there.

--
Andrew C. Aitchison                                     Kendal, UK
                        [email protected]

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
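
The "check that the filename was sensible in that context" step discussed in this thread, sketched as an added example that is not part of the original messages and is not Exim configuration. It is Python standing in for the check; the allow-list pattern, the function names, the directory and the sample message are all assumptions constructed for illustration.

```python
import re
import secrets
from email import message_from_string
from pathlib import Path

# Assumed allow-list: a plain name with one short extension,
# no path separators, no leading dot, no control characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,8}")

def safe_attachment_path(filename, base_dir):
    """Map a sender-supplied MIME filename to a path inside base_dir."""
    base = Path(base_dir).resolve()
    if filename and SAFE_NAME.fullmatch(filename):
        candidate = (base / filename).resolve()
        # Defence in depth: the resolved path must still sit directly in base.
        if candidate.parent == base:
            return candidate
    # Anything else gets a generated name, in the spirit of 'decode = default'.
    return base / ("part-" + secrets.token_hex(8) + ".bin")

def attachment_paths(raw_message, base_dir):
    """Return (claimed name, path to write to) for each named MIME part."""
    results = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name is not None:
            results.append((name, safe_attachment_path(name, base_dir)))
    return results

# Constructed sample: one ordinary attachment, one with a traversal name.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

data
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="../../etc/cron.d/job"

data
--b1--
"""

if __name__ == "__main__":
    for claimed, path in attachment_paths(SAMPLE, "/tmp/attachments"):
        print(repr(claimed), "->", path)
```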
