On March, 16 1998 at 10:7, Wade VanBuskirk wrote:
I plan to notify any senders with this disfigured "format" that their
mailer system needs to be updated.
File names: I understand the duplicate filenames issue. I also noticed
the mention of an unnamed "security issue" and utilization of a separate
directory. Is that on a per file basis? Do you mean Trojan horses as
attachments? Are "../" not removed from filenames? Sorry, I fail to
understand the point.
Any leading pathname component is removed from a filename. To prevent
duplicate collisions, you can use the "subdir" option to the external
file filter. Note, you still may have a security problem. For
example, the filename could be ".htaccess", and if using Apache and you
allow .htaccess files, you may have a problem. Someone could send two
attachments, a .htaccess file to set some permissions, and a file to
exploit the access given to it.
The "usename" option should be avoided. If the data is typed
correctly, MHonArc will create a filename with the appropriate
extension. Only use "usename" when you understand all the security
Earl Hood | University of California: Irvine
ehood(_at_)medusa(_dot_)acs(_dot_)uci(_dot_)edu | Electronic
http://www.oac.uci.edu/indiv/ehood/ | Dabbler of SGML/WWW/Perl/MIME
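
The naming rules discussed in the reply above, as an added example (Python written for illustration, not MHonArc code and not part of the original message): leading path components are dropped, each message gets its own subdirectory, and a sender-supplied name is honoured only on request and never when it is a dotfile such as ".htaccess". The function names, the `msgNNNNN/partNNN` layout and the type table are assumptions.

```python
import re

# Constructed type table for this example; it is not MHonArc's own mapping.
EXT_BY_TYPE = {
    "text/plain": "txt",
    "image/gif": "gif",
    "image/jpeg": "jpg",
    "application/pdf": "pdf",
}


def strip_path(name):
    """Drop any leading pathname component, treating '\\' like '/'."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def is_risky(name):
    """True for empty names and dotfiles ('.htaccess', '.', '..')."""
    return name == "" or name.startswith(".")


def storage_path(msg_num, part_num, content_type, sender_name=None, use_name=False):
    """Return the relative path under which an attachment is saved.

    use_name=False: the name comes from the part number and content type only,
                    so nothing the sender typed reaches the file system.
    use_name=True:  the sender's name is used after path stripping and
                    character filtering; dotfiles fall back to the generated
                    name. The extension is still sender-chosen in this mode.
    """
    subdir = "msg%05d" % msg_num  # one directory per message avoids collisions
    ext = EXT_BY_TYPE.get(content_type.lower(), "bin")
    generated = "%s/part%03d.%s" % (subdir, part_num, ext)
    if not use_name or sender_name is None:
        return generated
    base = re.sub(r"[^A-Za-z0-9._-]", "_", strip_path(sender_name))
    if is_risky(base):
        return generated
    return "%s/%s" % (subdir, base)


if __name__ == "__main__":
    # Constructed sample attachments: (message, part, type, sender's filename)
    samples = [
        (12, 1, "image/gif", "../../.htaccess"),
        (12, 2, "text/plain", "/etc/notes.txt"),
        (13, 1, "text/plain", "C:\\docs\\notes.txt"),
    ]
    for msg, part, ctype, name in samples:
        print(name, "->", storage_path(msg, part, ctype, name, use_name=True))
```

Disabling per-directory overrides for the attachment directory in the web server configuration (for Apache, `AllowOverride None`) addresses the .htaccess case independently of how files are named.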