attachment_outer_name and attachment_email_name

Fri May 6 19:19:42 CEST 2011

Andreas,

> > I get errors when setting using the placeholder %n:
> > All other placeholders (%P,%b,%m,%i) work fine.

> Thanks. As a quick fix please try:
> -            : $1 eq 'n' ? $msginfo->log_id
> +            : $1 eq 'n' ? untaint($msginfo->log_id)
> I'll try to figure out later how this happens

The above should be alright as a temporary measure, but
perhaps the following patch (against 2.7.0-pre15) is cleaner:

--- amavisd.orig	2011-04-13 02:29:25.000000000 +0200
+++ amavisd	2011-05-06 19:16:02.493477054 +0200
@@ -17562,7 +17562,7 @@
     # RFC 4648 base64:       62 +, 63 /
     # RFC 4648 base64url:    62 -, 63 _
-    $mail_id =~ m{^ [A-Za-z0-9] [A-Za-z0-9/_+-]* ={0,2} \z}xs
+    $mail_id =~ m{^ [A-Za-z0-9] [A-Za-z0-9_+-]* ={0,2} \z}xs
       or die "Invalid mail_id '$mail_id'";
-    $msginfo->mail_id($mail_id);
+    $msginfo->mail_id(untaint($mail_id));
     if (!exists($attr_ref->{'secret_id'}) || $attr_ref->{'secret_id'} eq '') {
       die "Secret_id is required, but missing"  if c('auth_required_release');


Thanks for the problem report.

  Mark
