LuKreme wrote:
>On 28-Feb-10 11:03, Mark Sapiro wrote:
>> SCRUBBER_USE_ATTACHMENT_FILENAME_EXTENSION = True
>
>Would that be considered unsafe?
>
>I mean, it SEEMS unsafe, but is it really?

It could be. Suppose I send a message to your list with an attached evil_app.exe file that I call Content-Type: text/plain without a charset. This file now gets scrubbed, stored on your server and is accessible in your archives as a .exe file, so if someone retrieves it and tries to open it, it will open as an executable. If it were stored with an appropriate extension for its MIME type, attempting to open it would probably try to open it with a text viewer and just display garbage.

On the other hand, if you don't scrub_nondigest, it was already delivered to your list's message and MIME digest members with its original file name and extension, and this has no effect on that, and that's probably the more serious risk.

--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
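
The mismatch described in the reply above can be checked for before a message reaches the archive. This is an added example, not part of the original post and not Mailman's own code; the sample message, the `mismatched_attachments` name and the addresses are constructed for illustration.

```python
import mimetypes
import os
from email import message_from_string

# Built-in type table only, so results do not depend on the host's mime.types.
_TYPES = mimetypes.MimeTypes()

# Constructed sample: an .exe attachment declared as text/plain with no
# charset (the scenario in the reply), plus an ordinary text attachment.
SAMPLE = """\
From: sender@example.com
To: list@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain
Content-Disposition: attachment; filename="evil_app.exe"

MZ (placeholder text, not a real executable)
--BOUNDARY
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="notes.txt"

hello
--BOUNDARY--
"""

def mismatched_attachments(raw):
    """Return (filename, declared_type, sender_ext) for each attachment whose
    filename extension is not registered for its declared Content-Type."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        ctype = part.get_content_type()
        ext = os.path.splitext(name)[1].lower()
        # An extension the declared type does not map to is the case where
        # trusting the sender's filename changes how the stored file opens.
        if ext not in _TYPES.guess_all_extensions(ctype):
            findings.append((name, ctype, ext))
    return findings

if __name__ == "__main__":
    for name, ctype, ext in mismatched_attachments(SAMPLE):
        print(f"{name}: declared {ctype}, but filename extension is '{ext}'")
```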