On Thu, May 6, 2021 at 12:57 PM Andrew C Aitchison via Exim-dev < [email protected]> wrote:
> > > Is there an alternative approach?
> > Yes. Detaint in the usual way, probably with a lookup.
>
> If you are decoding the mime file with its real name you must
> have a reason, perhaps to make them available on a web page.
> It would then be reasonable to check that the filename was
> sensible in that context.
> I wouldn't see a database lookup as the most obvious way to sanitize
> the filename, but we do already have the tools to turn a pattern
> matching into a lookup, so the flexibility is there.
>

Thanks Andrew. It actually never occurred to me to even try and specify a lookup after decode = ... - which indeed works just fine and addresses the issue.

Just fyi, the file name is needed for an external application that does further analysis and reporting.

--
.warren
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev
Exim details at http://www.exim.org/ ##
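The check discussed in this thread, accepting the sender-supplied MIME filename only when it matches a pattern that is sensible for where the file will be used, shown as an added Python example for an application that consumes the decoded file. It is not Exim configuration and not code from the thread; the pattern, extension list, directory and function names are assumptions.

```python
import re
import unicodedata
from pathlib import Path
from typing import Optional

# Assumed policy: ASCII base name starting with an alphanumeric, at most
# 101 characters before the dot, and one allowlisted extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,99}\.(pdf|txt|csv|png|jpg)")

def detaint_filename(untrusted: str) -> Optional[str]:
    """Return a name built from the match, or None if the policy rejects it."""
    # Fold compatibility forms first so look-alike dots and slashes
    # (e.g. fullwidth U+FF0E / U+FF0F) are judged as the ASCII they become.
    name = unicodedata.normalize("NFKC", untrusted)
    match = SAFE_NAME.fullmatch(name)  # fullmatch: no trailing newline or NUL
    if match is None or ".." in name:
        return None
    return match.group(0)

def decode_target(base_dir: Path, untrusted: str) -> Optional[Path]:
    """Map an untrusted filename to a path directly inside base_dir, or None."""
    name = detaint_filename(untrusted)
    if name is None:
        return None
    base = base_dir.resolve()
    target = (base / name).resolve()
    # Second line of defence: a symlink already present under that name
    # would resolve outside base_dir and is refused here.
    if target.parent != base:
        return None
    return target

# Constructed sample filenames, as they might arrive in a MIME header.
SAMPLES = [
    "report.pdf",
    "../../etc/passwd",
    "invoice.pdf\n",
    ".htaccess",
    "notes..txt",
    "scan.pdf\x00.exe",
    "\uff52\uff45\uff50\uff4f\uff52\uff54.pdf",  # fullwidth "report"
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(raw), "->", decode_target(Path("/var/spool/decoded"), raw))
```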
