[Esa-l] HTML.dropper (fwd)

Bjarni R. Einarsson bre at klaki.net
Fri Jan 19 08:35:01 PST 2001

On 2001-01-18, 19:52:10 (-0800), John D. Hardin wrote:
> Hmm. If we're going to modify the subject header to sanitize this, I's
> say simply collapse all runs of blanks. That, or look for a long
> subject header ending with \.[a-z0-9][a-z0-9][a-z0-9] and defang that.

I agree that that is also a good strategy.  Bugtraq had more info on 
this today, which sorta helps decided which strategy is best:

On 2001-01-19, 09:19:45 (-0000), Shane Hird wrote:
> It seems OE is cutting the file name short to a 
> specified length when trying to open it (consequently 
> chopping off the real extension), but not cutting it 
> short when determining which icon to use. (Note that 
> the icon choice doesn't seem to be affected like this 
> with the subject overflow problem.)

This implies two things:

 - Outlook will use the Subject as a file name, if no file name
   is provided in the MIME headers.  So we have to add the Subject:
   line to our list of fields-to-mangle.  *sigh*  I'm tempted to do 
   so conditionally - only when filename="" tags are missing from 
   the MIME headers, since long subject lines are very useful.

 - Truncating file names or appending stuff to them may not always
   work.  Chopping stuff off the front (like I do in my Sanitizer)
   appears to be safest.

How the icon is chosen appears, judging from this message I just
quoted and from the original HTML.dropper report, to be determined
by a mixture of filename and MIME-type.  It's all quite confusing.

So, instead of thinking about it... chop chop chop!  :-)

Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

More information about the esd-l mailing list