[Esa-l] HTML.dropper (fwd)
Bjarni R. Einarsson
bre at klaki.net
Fri Jan 19 08:35:01 PST 2001
On 2001-01-18, 19:52:10 (-0800), John D. Hardin wrote:
>
> Hmm. If we're going to modify the subject header to sanitize this, I'd
> say simply collapse all runs of blanks. That, or look for a long
> subject header ending with \.[a-z0-9][a-z0-9][a-z0-9] and defang that.
I agree that that is also a good strategy. Bugtraq had more info on
this today, which sorta helps decide which strategy is best:
On 2001-01-19, 09:19:45 (-0000), Shane Hird wrote:
>
> It seems OE is cutting the file name short to a
> specified length when trying to open it (consequently
> chopping off the real extension), but not cutting it
> short when determining which icon to use. (Note that
> the icon choice doesn't seem to be affected like this
> with the subject overflow problem.)
This implies two things:
- Outlook will use the Subject as a file name, if no file name
  is provided in the MIME headers. So we have to add the Subject:
  line to our list of fields-to-mangle. *sigh* I'm tempted to do
  so conditionally - only when filename="" tags are missing from
  the MIME headers, since long subject lines are very useful.
- Truncating file names or appending stuff to them may not always
  work. Chopping stuff off the front (like I do in my Sanitizer)
  appears to be safest.
How the icon is chosen appears, judging from this message I just
quoted and from the original HTML.dropper report, to be determined
by a mixture of filename and MIME-type. It's all quite confusing.
So, instead of thinking about it... chop chop chop! :-)
--
Bjarni R. Einarsson PGP: 02764305, B7A3AB89
bre at klaki.net -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
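The strategy discussed in this thread, as an added example that is not the Anomy Sanitizer's code nor anything posted by the participants: a small Python sketch that treats the Subject as a file-name field only when no MIME part carries a filename, collapses runs of blanks, defangs a trailing three-character extension, and shortens over-long names from the front so the extension stays visible. The LONG_SUBJECT and MAX_NAME thresholds, the underscore-for-dot defanging choice and the sample messages are assumptions constructed for illustration.

```python
"""Padded-Subject defanging sketch (added example; assumptions noted inline)."""
import re
from typing import Optional
from email import message_from_string
from email.message import Message

LONG_SUBJECT = 64   # assumed threshold for a "long" subject header
MAX_NAME = 40       # assumed length limit when a name has to be shortened

_BLANKS = re.compile(r"[ \t]{2,}")
_EXT = re.compile(r"\.([a-z0-9]{3})$", re.IGNORECASE)


def collapse_blanks(text: str) -> str:
    """Collapse every run of two or more blanks into a single space."""
    return _BLANKS.sub(" ", text).strip()


def looks_like_padded_name(subject: str) -> bool:
    """A long subject that ends in .xyz is the pattern the thread describes."""
    return len(subject) > LONG_SUBJECT and _EXT.search(subject) is not None


def defang_extension(name: str) -> str:
    """Replace the dot before a trailing three-character extension with an
    underscore, so the name no longer ends in a recognised extension.
    Nothing is appended or truncated (the thread notes both are unreliable)."""
    return _EXT.sub(lambda m: "_" + m.group(1), name)


def shorten_from_front(name: str, limit: int = MAX_NAME) -> str:
    """Shorten an over-long name by dropping characters from the front,
    keeping the tail where the (defanged) extension lives."""
    return name if len(name) <= limit else name[-limit:]


def has_attachment_filename(msg: Message) -> bool:
    """True if any MIME part carries a filename (or name) parameter."""
    return any(part.get_filename() for part in msg.walk())


def sanitize_subject(msg: Message) -> str:
    """Return the Subject to deliver.  It is mangled only when it could be
    used as a file name (no filename in the MIME headers) and looks padded;
    ordinary long subjects pass through untouched."""
    subject = msg.get("Subject", "")
    if has_attachment_filename(msg) or not looks_like_padded_name(subject):
        return subject
    return shorten_from_front(defang_extension(collapse_blanks(subject)))


def build_sample(subject: str, filename: Optional[str] = None) -> Message:
    """Constructed test message, not a real capture."""
    lines = ["From: sender@example.invalid",
             "Subject: " + subject,
             "MIME-Version: 1.0"]
    if filename:
        lines += ['Content-Type: application/octet-stream; name="%s"' % filename,
                  'Content-Disposition: attachment; filename="%s"' % filename]
    else:
        lines.append("Content-Type: text/html")
    return message_from_string("\n".join(lines) + "\n\nconstructed body\n")


if __name__ == "__main__":
    padded = "report.txt" + " " * 80 + ".vbs"
    print(repr(sanitize_subject(build_sample(padded))))               # 'report.txt _vbs'
    print(repr(sanitize_subject(build_sample(padded, "notes.txt"))))  # unchanged
    print(repr(sanitize_subject(build_sample("Re: lunch plans"))))   # unchanged
```

The conditional check mirrors the "only when filename tags are missing" idea from the post: a message whose parts already carry a filename keeps its Subject as written, and only a long, extension-like Subject on a message with no filename is rewritten.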