On 16/10/2010 7:41 AM, Kevin A. McGrail wrote:
> What one should disallow is exactly two periods in a row. One,
> three, or more than three won't have the effect of climbing a
> filesystem's directory tree.
> Watch out for tricky mime-encoded subjects too.
> This also leaves lots of room for problems so I'd recommend the
> QueueID as the basis for the filename. It's unique, dos proof and
> filesystem safe.
I can see that this might cause a few problems.
The issue here is that the email, as a .eml file, is going to be scooped
up by a daemon that watches a particular folder. It then gets sucked up
into a proprietary EDMS. The different tokens in between the underscores
are parsed out by the EDMS and the subject needs to be kept (fairly)
intact so that it can be found (and recognised) at a later date.
Obviously if I change the file name to the queue-id I would lose all this.
In retrospect I don't think the subject will cause any problems at all.
For example, if the subject is set to ../../hello world then the actual
file name it gets copied to would be:
/tmp/symlink/Mail_11-Email_../../hello world.eml
which means that the file name itself is "Mail_11-Email_../../hello
world.eml" which /should/ cause no problems (unless of course the
Windoze-based EDMS barfs - which is the supplier's problem).
N/
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
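
One way to keep the subject in the file name while guaranteeing it stays a single path component, covering both the ".." question and the warning about MIME-encoded subjects (added example, not code from the thread or from MIMEDefang). `subject_to_token` and `eml_path` are hypothetical helper names, the `Mail_11-Email` prefix and `/tmp/symlink` directory are taken from the message above, and the sample subjects are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode encode);

# Hypothetical helper: turn a raw Subject: header into one safe filename token.
sub subject_to_token {
    my ($raw) = @_;
    $raw = '' unless defined $raw;

    # Decode RFC 2047 encoded-words first, so an encoded "/" or ".." cannot
    # slip past the checks below.
    my $s = eval { decode('MIME-Header', $raw) };
    $s = $raw unless defined $s;

    $s =~ s{[/\\]}{-}g;            # path separators (Unix and Windows)
    $s =~ s/[\x00-\x1f\x7f]//g;    # NUL and other control characters
    $s =~ s/[<>:"|?*]/-/g;         # characters Windows rejects in file names
    $s =~ s/_/-/g;                 # "_" separates tokens in this naming scheme
    $s =~ s/\.{2,}/./g;            # collapse any run of dots to a single dot
    $s = substr($s, 0, 50);        # 50 chars is at most 200 UTF-8 bytes
    $s =~ s/^[\s.]+|[\s.]+$//g;    # no leading or trailing dots or spaces
    $s = 'no-subject' if $s eq '';
    return $s;
}

# Hypothetical helper: build the full path for the .eml copy.
sub eml_path {
    my ($dir, $prefix, $raw_subject) = @_;
    my $name = $prefix . '_' . subject_to_token($raw_subject) . '.eml';
    return "$dir/" . encode('UTF-8', $name);   # bytes for the filesystem
}

# Constructed sample subjects: plain traversal, the same text base64-encoded
# as an RFC 2047 word, an embedded NUL with extra underscore, and empty.
my @samples = (
    '../../hello world',
    '=?UTF-8?B?Li4vLi4vaGVsbG8=?=',
    "Re: Q3_report\x00.exe",
    '',
);

print eml_path('/tmp/symlink', 'Mail_11-Email', $_), "\n" for @samples;
```

Every printed path has exactly the two directory separators of `/tmp/symlink/`, and the underscore count stays fixed, so the downstream parser still sees the same number of tokens.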