control characters and Util::clean_text()
Dennis Melentyev
dennis.melentyev at infopulse.com.ua
Thu Dec 22 11:17:56 UTC 2005
Wed, 21/12/2005 в 12:40 -0500, David Miller wrote:
> Max Kanat-Alexander wrote on 12/21/05 11:59 AM:
...
> > I don't particularly see a pressing reason to remove control characters
> > in most cases, anyhow -- if somebody was silly enough to put a control
> > character into a field, perhaps they intended for it to appear there.
> > (Unless, of course, displaying the control character has some security
> > implication.)
>
> There are security implications for any field which is included in email
> headers. Allowing a linefeed lets you insert arbitrary email headers.
>
> Of course, the least invasive (and probably most secure) way to fix this
> is to strip the control characters before putting things in the headers. :)
>
> Technically, you're not allowed anything that's not US-ASCII in email
> headers, but that's another bug.
... unless you wrap it in base64 or other 7-bit clear encoding. Which is
the right way to support localizations and customizations.
More information about the developers
mailing list