mhonarc-users

Re: Bad Free() ignored with Perl 5

1998-03-16 13:18:10
On March, 16 1998 at 10:7, Wade VanBuskirk wrote:

> I plan to notify any senders with this disfigured "format" that their
> mailer system needs to be updated.

Good plan.

> ALSO:
>
> File names: I understand the duplicate filenames issue. I also noticed
> the mention of an unnamed "security issue" and utilization of a separate
> directory. Is that on a per file basis? Do you mean Trojan horses as
> attachments? Are "../" not removed from filenames? Sorry, I fail to
> understand the point.

Any leading pathname component is removed from a filename.  To prevent
duplicate collisions, you can use the "subdir" option to the external
file filter.  Note, you still may have a security problem.  For
example, the filename could be ".htaccess", and if using Apache and you
allow .htaccess files, you may have a problem.  Someone could send two
attachments, a .htaccess file to set some permissions, and a file to
exploit the access given to it.

The "usename" option should be avoided.  If the data is typed
correctly, MHonArc will create a filename with the appropriate
extension.  Only use "usename" when you understand all the security
implications.

        --ewh

----
             Earl Hood              | University of California: Irvine
      ehood(_at_)medusa(_dot_)acs(_dot_)uci(_dot_)edu      |      Electronic Loiterer
http://www.oac.uci.edu/indiv/ehood/ | Dabbler of SGML/WWW/Perl/MIME
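
An added example, not part of the original message and not MHonArc's own code: a Python naming policy for saved attachments that follows the reply above. It shows that path stripping alone still leaves ".htaccess", and derives the name from the declared type unless the sender's name passes strict checks. The function names, the `keep_sender_name` switch and the type table are hypothetical and constructed for illustration.

```python
import re
import secrets

# Constructed type-to-extension table (assumption); extend to the types you accept.
EXT_BY_TYPE = {
    "image/gif": ".gif",
    "image/jpeg": ".jpg",
    "text/plain": ".txt",
    "application/pdf": ".pdf",
}
# Must start with an alphanumeric (so no dotfiles) and carry at most one extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)?")


def strip_path(name):
    """Remove any leading path component (both / and \\ separators)."""
    return re.split(r"[\\/]", name)[-1]


def generated_name(content_type, token=None):
    """Server-chosen name: random stem plus extension from the declared type."""
    ext = EXT_BY_TYPE.get(content_type.strip().lower(), ".bin")
    return (token or secrets.token_hex(8)) + ext


def attachment_filename(sender_name, content_type, keep_sender_name=False, token=None):
    """Return the name to save an attachment under.

    By default the sender's name is ignored. With keep_sender_name=True it is
    accepted only if, after path stripping, it is not a dotfile, uses a
    conservative character set, and ends in the extension expected for the
    declared type; anything else falls back to a generated name.
    """
    fallback = generated_name(content_type, token)
    if not keep_sender_name or not sender_name:
        return fallback
    base = strip_path(sender_name)
    expected_ext = EXT_BY_TYPE.get(content_type.strip().lower())
    if expected_ext is None or not SAFE_NAME.fullmatch(base):
        return fallback
    if not base.lower().endswith(expected_ext):
        return fallback
    return base
```

Disabling per-directory overrides for the attachment directory in the web server configuration remains a separate control; this only governs the names written to disk.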
