On Thu, Apr 29, 2021 at 09:25:39PM +0200, Vincent Lefevre wrote:
> Concerning the ASCII characters, note that "{" and "}" may have a
> special meaning for the shell.
>
> And ":" may have a special interpretation in some applications
> (e.g. scp, but maybe applications that support URL arguments).
>
> I also wonder whether "%" should be forbidden, unless you know that
> it comes from percent-encoding.

Thanks Vincent. I'm reluctant to make changes to the sanitizer without reports of issues. The Mutt code wraps the expandos in single quotes, and launches it via /bin/sh. So, I'm not really clear about the purpose of the sanitizer, unless it was to help protect against misuse by the mailcap program invoked.

But I'm also not ready to remove the sanitizer either, because there isn't any historical justification that I can find, and I'm absolutely *not* a security person myself... :-/

> Note also that "-" should not be used as the first character of
> a filename, otherwise it could be confused with an option.

Fortunately, the filename is appended to the tmpdir, so a leading hyphen should be okay.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
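
An added illustration of the two points in the reply above (expandos wrapped in single quotes and run via /bin/sh, and a tmpdir prefix in front of a leading hyphen); it is not code from Mutt or from this thread. The helper names, the sample file names and the /tmp/mutt-demo path are constructed, and getopts stands in for a mailcap program's option parser.

```shell
#!/bin/sh
# Added illustration: sq_quote, run_via_sh and classify_arg are hypothetical
# helpers written for this example, not Mutt functions.

# Wrap $1 in single quotes for /bin/sh; each embedded single quote becomes
# '\'' (close the quote, emit an escaped quote, reopen the quote).
sq_quote() {
    s=$1 out= q="'"
    while :; do
        case $s in
            *"$q"*) out=$out${s%%"$q"*}"'\\''"; s=${s#*"$q"} ;;
            *)      out=$out$s; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# Expand a stand-in mailcap command (printf %s <name>) with the quoted
# name, run it with /bin/sh -c, and print the argument the child received.
run_via_sh() {
    /bin/sh -c "printf '%s' $(sq_quote "$1")"
}

# Classify an argument the way a getopts-based tool would: "option" if it
# is consumed as a flag, "operand" if it is left alone as a file name.
classify_arg() {
    OPTIND=1
    if getopts ':abcdefghijklmnopqrstuvwxyz' _opt "$1"; then
        echo option
    else
        echo operand
    fi
}

tmpdir=/tmp/mutt-demo   # constructed path; nothing is created on disk
# Constructed sample names covering the characters raised in the thread.
for name in 'a{b}.txt' 'host:file' '100%.pdf' "it's \$HOME.txt" '-n.txt'; do
    got=$(run_via_sh "$name")
    if [ "$got" = "$name" ]; then rt=intact; else rt=CHANGED; fi
    printf '%-16s via-sh:%s bare:%s prefixed:%s\n' "$name" "$rt" \
        "$(classify_arg "$name")" "$(classify_arg "$tmpdir/$name")"
done
```

The round trip only shows that the shell leaves the quoted name alone; how the invoked program then interprets ":" or "%" in its argument is outside what quoting controls.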
