LuKreme wrote:
On 28-Feb-10 11:03, Mark Sapiro wrote:
SCRUBBER_USE_ATTACHMENT_FILENAME_EXTENSION = True
Would that be considered unsafe?
I mean, it SEEMS unsafe, but is it really?
It could be. Suppose I send a message to your list with an attached evil_app.exe file that I call Content-Type: text/plain without a charset. This file now gets scrubbed stored on your server and is accessable in your archives as a .exe file, so if someone retrieves it and tries to open it, it will open as an executable.
If it were stored with an appropriate extension for its MIME type, attempting to open it would probably try to open it with a text viewer and just display garbage.
On the other hand, if you don't scrub_nondigest, it was already delivered to your list's message and MIME digest members with it's original file name and extension, and this has no effect on that, and that's probably the more serious risk.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan