Re: Saving attachments with a leading dot

[Ted Zlatanov <tzz@lifelogs.com>]

On Wed, 24 Sep 2003, harder@myrealbox.com wrote:

> RFC 2183 says:
> 
> ,----
>|    Since this memo provides a way for the sender to suggest a
>|    filename, a receiving MUA must take care that the sender's
>|    suggested filename does not represent a hazard. Using UNIX as an
>|    example, some hazards would be:
>| 
>|    +    Creating startup files (e.g., ".login").

That's dangerous iff the startup file doesn't exist already, IMO.
Otherwise it's simply a special case of the third item.

>|    +    Creating or overwriting system files (e.g., "/etc/passwd").

It's impossible to catch all the system file names.  I would only
worry about it if it's a subcase of the third item.

>|    +    Overwriting any existing file.

I think with a warning, this should be allowed.  It's a very
legitimate use of attachments.

>|    +    Placing executable files into any command search path
>|         (e.g., "~/bin/more").

I think we should simply never set the executable bit on any saved
attachment, that's all.  It's a good practice generally, since a lot
of users have '.' in their path.

>|    +    Sending the file to a pipe (e.g., "| sh").

I don't think Gnus should ever allow pipes.  The file name should be
saved as is, and if the user specified a special character in the
name, then so be it.

>|    In general, the receiving MUA should not name or place the file
>|    such that it will get interpreted or executed without the user
>|    explicitly initiating the action.
>| 
>|    It is very important to note that this is not an exhaustive
>|    list; it is intended as a small set of examples only.
>|    Implementors must be alert to the potential hazards on their
>|    target systems.
> `----
> 
> Gnus doesn't prevent creating startup files.  We could:
> 
> · Strip leading dots from file names, or

Why?  This is a legitimate use.  I would warn the user instead, with
an offer to remove the dot.  Ditto for existing files.

> · Set the default value of `mm-default-directory' to somewhere
>   (where?), so attachments aren't saved in ~.

I like that default a lot, and it makes sense for most users.

> Any other nasty file names we should watch out for?

'-' and variations thereof is the most annoying one...  Most users
don't know about "rm --" and can get caught - not to mention that most
Unix utilities don't deal with file names beginning with '-'
gracefully.  Maybe we should also warn about the shell special
characters.

Ted