CC'ed to the list, since others might be interested to hear the
On 2001-09-19, 11:13:36 (+0100), Tim Steele wrote:
> A colleague was asking why spaces are rewritten as underscores in
> Is there something dangerous about spaces I don't know about?
If file names are passed between programs as arguments, then spaces
may cause a single file name to be interpreted as multiple
arguments. Mail clients, mail archivers or other programs may do
this. Security exploits in the past have been based on tricks like
this - I don't know of any that used email, but it's a common trick
all the same.
Like many other things the Sanitizer does, this isn't exactly high
risk. But the whole idea of the Sanitizer is to be conservative and
minimize risk as much as possible by trying to anticipate future
bugs in mail clients and future attack methods.
Since removing spaces has very, very little negative impact on the
usefulness of the message I feel it's worth doing even if the
security benefits are (at the moment) entirely theoretical.
Of course, if you disagree you can always just turn the
space-mangling off by adding white space to the file_characters
variable, like so (add \s):
file_characters = A-Za-z0-9_=\s
Or simply disable the file character mangling:
file_characters = 0
-- Bjarni R. Einarsson PGP: 02764305, B7A3AB89 email@example.com -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
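Added illustration (not code from the Sanitizer or from the message above): a Python sketch of a file_characters-style allow-list applied to an attachment name, alongside what an unquoted shell expansion does to the same name. The function names, the sample file name and the choice to keep the dot before the last extension are assumptions made for the example.

```python
import re

# Default allow-list as quoted in the message, in the Sanitizer's own
# bracket-expression syntax; the message shows "\s" appended to permit
# whitespace and "0" to turn mangling off entirely.
DEFAULT_FILE_CHARACTERS = "A-Za-z0-9_="


def sanitize_filename(name, file_characters=DEFAULT_FILE_CHARACTERS):
    """Rewrite every character outside the allowed class as '_'.

    Illustrative only: assumes the class string holds just ranges,
    literals and \\s, and (an assumption, not the Sanitizer's documented
    behaviour) that the dot before the last extension is preserved.
    """
    if file_characters == "0":          # "0" disables mangling entirely
        return name
    disallowed = re.compile(r"[^" + file_characters + r"]")
    base, dot, ext = name.rpartition(".")
    if not dot:                         # no extension at all
        return disallowed.sub("_", name)
    return disallowed.sub("_", base) + "." + disallowed.sub("_", ext)


def shell_argv(command, name, quoted):
    """Model how a POSIX shell builds argv for `command $name` (unquoted)
    versus `command "$name"` (quoted).  Unquoted expansion undergoes
    field splitting on whitespace, so one file name can arrive at the
    called program as several arguments; quoting keeps it as one."""
    return [command] + ([name] if quoted else name.split())


if __name__ == "__main__":
    # Constructed sample attachment name, not taken from a real message.
    name = "quarterly report (final).doc"
    print(shell_argv("scan-attachment", name, quoted=False))
    print(shell_argv("scan-attachment", name, quoted=True))
    print(sanitize_filename(name))
    print(sanitize_filename(name, DEFAULT_FILE_CHARACTERS + r"\s"))
    print(sanitize_filename(name, "0"))
```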