sup

A curses threads-with-tags style email client

sup.git

git clone https://supmua.dev/git/sup/

test/fixtures/malicious-attachment-names.eml (2088B)

From: Matthieu Rakotojaona <matthieu.rakotojaona@gmail.com>
To: reply+0007a7cb7174d1d188fcd420fce83e0f68fe03fc7416cdae92cf0000000110ce4efd92a169ce033d18e1 <reply+0007a7cb7174d1d188fcd420fce83e0f68fe03fc7416cdae92cf0000000110ce4efd92a169ce033d18e1@reply.github.com>
Subject: Re: [sup] Attachment saving and special characters in filenames (#378)
In-reply-to: <sup-heliotrope/sup/issues/378@github.com>
References: <sup-heliotrope/sup/issues/378@github.com>
X-pgp-key: http://otokar.looc2011.eu/static/matthieu.rakotojaona.asc
Date: Wed, 14 Jan 2015 22:13:37 +0100
Message-Id: <1421269972-sup-5245@kpad>
User-Agent: Sup/git
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-1421270017-526778-1064-1628-1-="


--=-1421270017-526778-1064-1628-1-=
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline

Excerpts from Felix Kaiser's message of 2015-01-14 16:36:29 +0100:
> When saving attachments, sup should replace special characters when suggesting a filename to save the attachment to.
>
> I just got an attachment with a name like "foo/2.pdf". sup suggests saving it to /home/fxkr/foo/2.pdf (and fails to save it, of course, if /home/fxkr/foo isn't a directory).
>
> I haven't tested the "Save All" feature, but I hope nothing bad happens when there's an attachment called "../../../../../../../home/fxkr/.bashrc" ;-)
>
> ---
> Reply to this email directly or view it on GitHub:
> https://github.com/sup-heliotrope/sup/issues/378

For tests, here's an email with an attachment filename set to
sup/.travis.yml (really, this time)

--
Matthieu Rakotojaona

--=-1421270017-526778-1064-1628-1-=
Content-Disposition: attachment; filename="sup/.travis.yml"
Content-Type: text/x-yaml; name="sup/.travis.yml"
Content-Transfer-Encoding: 8bit

language: ruby

rvm:
  - 2.1.1
  - 2.0.0
  - 1.9.3

before_install:
  - sudo apt-get update -qq
  - sudo apt-get install -qq uuid-dev uuid libncursesw5-dev libncursesw5 gnupg2 pandoc
  - git submodule update --init --recursive

script: bundle exec rake travis

--=-1421270017-526778-1064-1628-1-=--
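
Added example (not part of the fixture and not sup's own code): one way a mail client could reduce an untrusted attachment filename, such as the ones in this fixture and the quoted issue, to a path that stays inside the download directory. The function names, the `_` replacement for leading dots and the `/tmp/dl` directory are assumptions made for illustration.

```ruby
# Added example, not sup's code. Names and policy choices here are assumptions.

# Reduce an untrusted MIME filename to a single safe path component.
def safe_attachment_name(raw, fallback: "attachment")
  name = raw.to_s.scrub("_")                 # replace invalid byte sequences
  name = name.split(%r{[/\\]}).last.to_s     # keep only the final path component
  name = name.gsub(/[\x00-\x1f\x7f]/, "")    # drop control characters
  name = name.strip.sub(/\A\.+/, "_")        # no ".", "..", or hidden dotfiles
  name.empty? ? fallback : name
end

# True if path resolves to a location strictly inside dir.
def contained?(dir, path)
  base = File.expand_path(dir)
  File.expand_path(path).start_with?(base + File::SEPARATOR)
end

# What joining the raw name onto the directory resolves to (the unsafe behaviour).
def naive_path(dir, raw)
  File.expand_path(File.join(dir, raw))
end

# Sanitize, join, then verify containment as defence in depth.
def save_path(dir, raw)
  path = File.join(File.expand_path(dir), safe_attachment_name(raw))
  raise ArgumentError, "refusing #{raw.inspect}" unless contained?(dir, path)
  path
end

# Filenames taken from the fixture and the quoted issue text above.
SAMPLES = [
  "sup/.travis.yml",
  "foo/2.pdf",
  "../../../../../../../home/fxkr/.bashrc",
].freeze

SAMPLES.each do |raw|
  puts "#{raw.inspect}: naive=#{naive_path('/tmp/dl', raw)} safe=#{save_path('/tmp/dl', raw)}"
end
```

The containment check compares expanded paths only; it does not resolve symlinks inside the download directory.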