Incorrect size calculations on bogus messages
Carson Gaspar
carson at taltos.org
Thu Jun 25 14:29:38 EDT 2009
Ken Murchison wrote:
> I wonder if we should just reject these messages in lmtpd.
I wouldn't complain. When I was at Morgan Stanley I worked with Victor
Duchovny on a MIME canonicalizer. We discovered all _sorts_ of
"interesting" MIME and base64 issues. It is possible to create a mail
message in such a way that 6 different mail clients will see 6 different
attachments. If you realize that your antivirus is just such a client,
the security issues quickly become apparent...
And don't get me started on the ZIP format...
--
Carson