mhonarc-dev

invalid link label for a message attachment if file name is MIME encoded.

2003-02-03 20:08:08
Hi, list!

If an attachment file name is MIME encoded in a multibyte language,
the link label to the attachment file is incorrect.
I think this is caused by the attempt to avoid any potential XSS.

This is a sample original mail 
------
 :
Content-Type: application/octet-stream; name="
        =?ISO-2022-JP?B?GyRCJSIlJCUmGyhC?=.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="
        =?ISO-2022-JP?B?GyRCJSIlJCUmGyhC?=.xls"
 :
-------
"=?ISO-2022-JP?B?GyRCJSIlJCUmGyhC?=.xls" should be decoded to

1b  24 42 2522 2524 2526 1b  28 42 2e 78 6c 73
ESC $  B                 ESC (  B  .  x  l  s

But mhexternal.pl decodes and htmlizes to
1b 24 42 25 26 71 75 6f 74 3b 2524 2526 61 6d 70 3b 1b  28 42 2e 786c 73
ESC $  B    &  q  u  o  t  ;         &  a  m  p  ;  ESC (  B  .  x l s

0x2522 -> 0x25 &quot , 0x2526 -> 0x25 &amp


line 237-238 in mhexternal.pl v2.13,
if ($nameparm) { 
        $namelabel = mhonarc::htmlize($nameparm); 
 :

line 941 in readmail.pl v2.31
    $filename =~ s%.*[/\\:]%%;  # Remove any path component

I'm now using it with these lines commented out (T_T)
Do you have any idea?
Sorry for my poor English ...
-----------
Tomohiko Sugihara
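
The corruption reported in this message, reproduced as an added example (not code from the post or from MHonArc; written in Python rather than the project's Perl, and all function names are hypothetical). Escaping the decoded bytes one at a time rewrites the 0x22 and 0x26 trail bytes of the JIS characters, while decoding the charset to text first and escaping afterwards keeps the label intact and still neutralizes markup characters.

```python
import base64
import html
import re

# Encoded file name exactly as quoted in the message above.
SAMPLE_NAME = "=?ISO-2022-JP?B?GyRCJSIlJCUmGyhC?=.xls"

# One leading B-encoded word (RFC 2047 form) followed by a plain ASCII tail.
_ENCODED_WORD = re.compile(r"=\?([^?]+)\?[bB]\?([^?]*)\?=")


def split_name(name):
    """Return (charset, decoded payload bytes, ASCII tail) for a file name."""
    m = _ENCODED_WORD.match(name)
    if m is None:
        return "us-ascii", b"", name
    return m.group(1), base64.b64decode(m.group(2)), name[m.end():]


def label_bytewise(name):
    """Charset-unaware escaping: every byte is treated as an ASCII character.

    This models the behaviour reported in the message, not MHonArc's code.
    """
    _, payload, tail = split_name(name)
    table = {0x22: b"&quot;", 0x26: b"&amp;", 0x3C: b"&lt;", 0x3E: b"&gt;"}
    raw = payload + tail.encode("ascii")
    return b"".join(table.get(b, bytes([b])) for b in raw)


def label_charset_aware(name):
    """Decode the charset to text first, then escape the resulting characters."""
    charset, payload, tail = split_name(name)
    text = payload.decode(charset) + tail
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print(label_bytewise(SAMPLE_NAME).hex(" "))
    print(label_charset_aware(SAMPLE_NAME))
```

The charset-aware label has to be written to the page in an encoding that can represent the decoded characters, such as UTF-8.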

