control characters and Util::clean_text()

Dennis Melentyev dennis.melentyev at infopulse.com.ua
Thu Dec 22 11:17:56 UTC 2005


Wed, 21/12/2005 в 12:40 -0500, David Miller wrote:
> Max Kanat-Alexander wrote on 12/21/05 11:59 AM:
...
> > 	I don't particularly see a pressing reason to remove control characters
> > in most cases, anyhow -- if somebody was silly enough to put a control
> > character into a field, perhaps they intended for it to appear there.
> > (Unless, of course, displaying the control character has some security
> > implication.)
> 
> There are security implications for any field which is included in email 
> headers.  Allowing a linefeed lets you insert arbitrary email headers.
> 
> Of course, the least invasive (and probably most secure) way to fix this 
> is to strip the control characters before putting things in the headers. :)
> 
> Technically, you're not allowed anything that's not US-ASCII in email 
> headers, but that's another bug.
... unless you wrap it in base64 or other 7-bit clear encoding. Which is
the right way to support localizations and customizations.
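
The two fixes the thread discusses, stripping control characters from a field before it goes into a header and wrapping non-ASCII text in a base64 encoded-word, shown side by side as an added Python example (not Bugzilla's Perl `Util::clean_text()`, and not code from any poster; the function names and the sample field value are constructed for illustration):

```python
import base64
import re
from typing import List

# C0 control characters (0x00-0x1F) and DEL (0x7F). CR and LF are the ones
# that let a field value smuggle extra header lines; the rest, including TAB,
# have no business in a header value either, so all of them are dropped.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def clean_header_value(value: str) -> str:
    """Remove every control character from a header value."""
    return _CONTROL_CHARS.sub("", value)


def encode_header_value(value: str, charset: str = "utf-8") -> str:
    """Strip controls, then wrap any non-ASCII text as an RFC 2047 'B'
    encoded-word so that only US-ASCII ever reaches the header."""
    cleaned = clean_header_value(value)
    if cleaned.isascii():
        return cleaned
    b64 = base64.b64encode(cleaned.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{b64}?="


def build_headers(subject: str, sanitize: bool) -> List[str]:
    """Assemble a header block and return the header lines a mail agent
    would see. sanitize=False inserts the raw value (the bug in the thread);
    sanitize=True cleans and encodes it first."""
    value = encode_header_value(subject) if sanitize else subject
    raw = f"From: bugzilla@example.invalid\r\nSubject: {value}\r\n"
    return [line for line in raw.split("\r\n") if line]


# Constructed sample: a field value carrying a CRLF, which would add a
# Bcc: header if copied into the message unmodified.
SAMPLE = "Bug 1 changed\r\nBcc: someone@example.invalid"

if __name__ == "__main__":
    print(build_headers(SAMPLE, sanitize=False))  # three header lines
    print(build_headers(SAMPLE, sanitize=True))   # two header lines
    print(encode_header_value("Помилка"))          # =?utf-8?B?...?=
```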