[Pymilter] Obtaining email attachments for external processing
Stuart D Gathman
stuart at bmsi.com
Thu Sep 29 21:59:10 EDT 2011
On 09/29/2011 09:26 PM, Kyle Oetken wrote:
>
> When you have a moment can you provide some more detail about the
> issues that can occur when using the email mime module? Also, what
> fixes are provided with the pymilter mime module?
>
mime.Message extends email.message.Message. A quick review of comments
in mime.py reveals (forgive the childish name calling of a popular but
amazingly insecure email client - it has caused me much grief and wasted
time):
1) Handle multipart attachments that are not labelled as such in
ContentType. (This emulates Outhouse behaviour so we can remove
Outhouse viruses that hide in unlabelled multipart attachments.)
2) Remove (ignore) trailing garbage after quoted header parameters.
(Another Outhouse exploit.)
3) add ismodified() method and track modifications by attachment. (So
you know whether replacebody() is required.)
4) add a headerchange method hook so you can conveniently trigger
addheader/chgheader calls in your milter. (Doxygen drops the var
comment - have to figure out why.)
Misc features:
mime.checkattach() walks attachments. (Current python has
Message.walk() - but mine is still included for compatibility.)
mime.defang replaces files with a warning message, both attached and
within zip files (and zip within zip etc), that appear to be something
Outhouse might try to execute. It also removes <script> elements from
HTML attachments. (Which really do not belong in HTML mail.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gathman.org/pipermail/pymilter/attachments/20110929/3ada8c76/attachment.html>
More information about the Pymilter
mailing list