On Mon, Jun 02, 2014 at 01:15:37PM +0200, Alessandro Vesely wrote:

> and even a dubious:
>
>    Content-Disposition: attachment;
>       filename*0*="''attached%2E";
>       filename*1*="%62";
>       filename*2=at

That's not dubious, that's RFC 2231. The MIME normalizer I wrote some years back (sorry, not publicly available) was able to recognize restricted file extensions even in this case.

Sufficiently advanced MIME encodings require more than a regular expression matcher to recognize. The attachment filtering in header_checks is a best-effort junk reduction technique, not a robust defense.

-- 
Viktor.
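
The RFC 2231 reassembly discussed in this message, as an added example that is not part of the original post and is not the normalizer mentioned above: it joins the numbered `filename*N` sections, percent-decodes the extended ones, and only then tests the extension. The `NAIVE` pattern and the `RESTRICTED` list are assumptions standing in for a typical header_checks-style rule.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the header quoted in the message, unfolded to one line.
SAMPLE = ("Content-Disposition: attachment; "
          "filename*0*=\"''attached%2E\"; filename*1*=\"%62\"; filename*2=at")

RESTRICTED = {"bat", "exe", "scr"}  # assumed block list, for illustration only

# Assumed regex-style rule: expects a literal name="something.ext".
NAIVE = re.compile(r'name\s*=\s*"?[^";]*\.(bat|exe|scr)\b', re.I)

# name, optional *N section index, optional trailing * (extended), value
PARAM = re.compile(r';\s*([^\s=*;]+)(?:\*(\d+))?(\*)?\s*=\s*("[^"]*"|[^;\s]*)')

def rfc2231_param(header, name):
    """Reassemble one parameter from its RFC 2231 sections, or return None."""
    parts = []
    for pname, idx, ext, val in PARAM.findall(header):
        if pname.lower() != name:
            continue
        if val.startswith('"'):
            val = val[1:-1]                      # drop surrounding quotes
        parts.append((int(idx or 0), bool(ext), val))
    if not parts:
        return None
    parts.sort()                                 # sections may arrive in any order
    charset, raw = "us-ascii", b""
    for idx, ext, val in parts:
        if ext and idx == 0 and val.count("'") >= 2:
            cs, _lang, val = val.split("'", 2)   # charset'language'value
            charset = cs or charset
        raw += unquote_to_bytes(val) if ext else val.encode("latin-1")
    try:
        return raw.decode(charset)
    except (LookupError, UnicodeDecodeError):
        return raw.decode("latin-1")             # never fail open on odd charsets

def restricted_ext(header):
    """Return the restricted extension of the decoded filename, else None."""
    fn = rfc2231_param(header, "filename")
    if not fn or "." not in fn:
        return None
    ext = fn.rsplit(".", 1)[1].strip().lower()
    return ext if ext in RESTRICTED else None

if __name__ == "__main__":
    print("regex rule matched:", bool(NAIVE.search(SAMPLE)))
    print("decoded filename:  ", rfc2231_param(SAMPLE, "filename"))
    print("restricted ext:    ", restricted_ext(SAMPLE))
```
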