control characters and Util::clean_text()

Mick Weiss micklweiss at gmx.net
Thu Dec 22 03:30:30 UTC 2005


David Miller wrote:

> ...

> There are security implications for any field which is included in 
> email headers.  Allowing a linefeed lets you insert arbitrary email 
> headers.
>
> Of course, the least invasive (and probably most secure) way to fix 
> this is to strip the control characters before putting things in the 
> headers. :)
>
> Technically, you're not allowed anything that's not US-ASCII in email 
> headers, but that's another bug.


Didn't this recently change? I believe umlauts and such characters are 
(since very very recently) allowed.

- Mick
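
The fix quoted above (strip control characters before a value reaches the headers), as an added Perl example that is not part of the original thread and is not Bugzilla's own code. The helpers `strip_header_controls`, `build_headers` and `header_names`, and the sample addresses, are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Bugzilla's Util::clean_text): replace each run of
# ASCII control characters (0x00-0x1F and 0x7F) with one space, then trim.
sub strip_header_controls {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\x00-\x1F\x7F]+/ /g;
    $value =~ s/^\s+|\s+$//g;
    return $value;
}

# Build a header block from name/value pairs, sanitizing values on request.
sub build_headers {
    my ($sanitize, @pairs) = @_;
    my $out = '';
    while (my ($name, $value) = splice(@pairs, 0, 2)) {
        $value = strip_header_controls($value) if $sanitize;
        $out .= "$name: $value\r\n";
    }
    return $out;
}

# List the header names a receiving parser would see, one per "Name:" line.
sub header_names {
    my ($block) = @_;
    my @names;
    for my $line (split /\r?\n/, $block) {
        push @names, $1 if $line =~ /^([A-Za-z-]+):/;
    }
    return @names;
}

# Constructed sample: a user-supplied field with an embedded line break.
my $summary = "Crash on startup\r\nBcc: outsider\@example.invalid";
my @fields  = (To => 'dev@example.invalid', Subject => $summary);

for my $sanitize (0, 1) {
    my @names = header_names(build_headers($sanitize, @fields));
    printf "%-9s headers seen: %s\n",
        ($sanitize ? 'sanitized' : 'raw'), join(', ', @names);
}
```

With the raw value the block contains an extra header line that the application never set; with the sanitized value the line break becomes a space and the text stays inside the Subject value.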



