On September 25, 1998 at 16:26, "John R. LoVerso" wrote:

> > No, it will never be the default.  "usenameext" opens a security
> > hole.  For example, I can send a message with a filename of ".htpasswd".
> 
> Not "usename", but "usenameext".  If you send such a filename, won't
> MHonArc just create the file called "bin00001.htpasswd"?

Actually: "htp00001.htpasswd".  The prefix is derived from the extension.

Hmmm, cannot think of any security problems off-hand.  You still have a
problem with extension ambiguity and content-type vs extension
conflicts.  I.e., there is no way to guarantee that the extension
provided matches the supplied content-type.  For example, content-type
equals application/postscript but the filename given is "file.doc".  Or
more likely, text/plain with a filename of "title.doc".  Plus, not
everyone/system uses extensions.

It is trivial for people to add "usenameext" if they want it.  Keying
off the content-type is the proper way to do things.  Deviations should
not be the default, and should only occur if the user requests it.

        --ewh

----
             Earl Hood              | University of California: Irvine
      [EMAIL PROTECTED]      |      Electronic Loiterer
http://www.oac.uci.edu/indiv/ehood/ | Dabbler of SGML/WWW/Perl/MIME
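
The naming behaviour discussed in this message, as an added Python sketch that is not MHonArc's code and not part of the original post: the stored name is always generated, the sender's filename contributes at most a sanitized extension, and a content-type vs extension conflict is reported. The type table, the three-character prefix rule (chosen to match "htp00001.htpasswd" above) and all function names are assumptions.

```python
import re

# Assumed content-type -> extension table (constructed for illustration).
CTYPE_EXT = {
    "application/postscript": "ps",
    "application/msword": "doc",
    "text/plain": "txt",
    "image/gif": "gif",
}
DEFAULT_EXT = "bin"  # used when the content-type is not in the table


def sender_extension(filename):
    """Return a sanitized extension from a sender-supplied name, or None."""
    if not filename:
        return None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    if "." not in base:
        return None  # not every system uses extensions
    ext = base.rsplit(".", 1)[1].lower()
    # Only a short alphanumeric token is accepted as an extension.
    return ext if re.fullmatch(r"[a-z0-9]{1,10}", ext) else None


def attachment_name(counter, content_type, filename=None, usenameext=False):
    """Return (stored_name, conflict) for one attachment.

    The sender never chooses the stored name. With usenameext enabled only
    the extension is taken from the filename; otherwise the content-type
    decides. conflict is True when a known content-type and the supplied
    extension disagree.
    """
    ctype = content_type.split(";")[0].strip().lower()
    ctype_ext = CTYPE_EXT.get(ctype, DEFAULT_EXT)
    sent_ext = sender_extension(filename)
    conflict = (sent_ext is not None and ctype in CTYPE_EXT
                and sent_ext != ctype_ext)
    ext = sent_ext if (usenameext and sent_ext) else ctype_ext
    return "%s%05d.%s" % (ext[:3], counter, ext), conflict


if __name__ == "__main__":
    # Constructed sample attachments: (content-type, sender filename).
    samples = [("application/octet-stream", ".htpasswd"),
               ("application/postscript", "file.doc"),
               ("text/plain; charset=us-ascii", "title.doc")]
    for n, (ctype, fname) in enumerate(samples, 1):
        for flag in (False, True):
            print(fname, ctype, flag, attachment_name(n, ctype, fname, flag))
```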
