Re: Sanitizer

From: Bjarni R. Einarsson (
Date: Wed 19 Sep 2001 - 10:29:08 UTC


    CC'ed to the list, since others might be interested to hear the

    On 2001-09-19, 11:13:36 (+0100), Tim Steele wrote:
    > A colleague was asking why spaces are rewritten as underscores in
    > filenames.
    > Is there something dangerous about spaces I don't know about?

    If file names are passed between programs as arguments, then spaces
    may cause a single file name to be interpreted as multiple
    arguments. Mail clients, mail archivers or other programs may do
    this. Security exploits in the past have been based on tricks like
    this - I don't know of any that used email, but it's a common trick
    all the same.

    Like many other things the Sanitizer does, this isn't exactly high
    risk. But the whole idea of the Sanitizer is to be conservative and
    minimize risk as much as possible by trying to anticipate future
    bugs in mail clients and future attack methods.

    Since removing spaces has very, very little negative impact on the
    usefulness of the message I feel it's worth doing even if the
    security benefits are (at the moment) entirely theoretical.

    Of course, if you disagree you can always just turn the
    space-mangling off by adding white space to the file_characters
    variable, like so (add \s):

      file_characters = A-Za-z0-9_=\s

    Or simply disable the file character mangling:

      file_characters = 0

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

    Check out my open-source email sanitizer:

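The argument-splitting problem described in the post, as an added illustration that is not code from the original message or from the Sanitizer itself. A filename containing whitespace, expanded unquoted by a careless helper program, turns into several arguments; the same name rewritten to a restricted character set survives the same sloppy handling. The allowed set `A-Za-z0-9_=.` is an assumption for this example (the post's default is shown without the `.`), and `mangle`, `count_args`, `args_unquoted` and `args_quoted` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original post): show how a filename with
# whitespace is split into multiple arguments when expanded unquoted,
# and how a Sanitizer-style character rewrite avoids that.

# count_args: print how many positional arguments it was given.
count_args() {
    echo "$#"
}

# args_unquoted: pass $1 on WITHOUT quotes, as a careless mail client or
# archiver might.  The shell performs word splitting on $IFS (space, tab,
# newline), so "my report.doc" arrives as two arguments.  Inputs here
# contain no glob characters, so pathname expansion does not interfere.
args_unquoted() {
    count_args $1
}

# args_quoted: the correct way; "$1" stays one argument whatever it contains.
args_quoted() {
    count_args "$1"
}

# mangle: rewrite a filename so that every character outside an allowed
# set becomes '_'.  The set is an assumption for this example: the post's
# A-Za-z0-9_= plus '.' so the extension is kept.  tr -c complements the
# set, so whitespace, ';', quotes, '|' and so on all collapse to '_'.
mangle() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_=.' '_'
}

# Stand-alone demonstration on a constructed filename.
name='my report.doc'
echo "unquoted: $(args_unquoted "$name") argument(s)"   # 2
echo "quoted:   $(args_quoted "$name") argument(s)"     # 1
safe=$(mangle "$name")
echo "mangled name: $safe"                              # my_report.doc
echo "mangled, unquoted: $(args_unquoted "$safe") argument(s)"  # 1
```

The quoted path is the real fix and belongs in every program that handles attachment names; the rewrite is defence in depth for the programs you do not control, which is the position the post takes.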