From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=3.0 tests=AWL,BAYES_00, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, UNPARSEABLE_RELAY shortcircuit=no autolearn=no autolearn_force=no version=3.4.2 Received: from mail-wr1-f66.google.com (mail-wr1-f66.google.com [209.85.221.66]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 1BF131F5AE for ; Sun, 5 Jul 2020 14:55:52 +0000 (UTC) Received: by mail-wr1-f66.google.com with SMTP id z13so38012633wrw.5 for ; Sun, 05 Jul 2020 07:55:52 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=E/WVTehcRkXw1rrFDSvDP6/MRaa8mf4qoSk/9N44cN0=; b=VjyxuNG3xdpPfypCmcKOFdnMs8xlq6s61PxokknL9te2mTCWhQ0icjjQ9EYlC2psBj XZs6B4pv/fJuknS0GOY79limcH1H1XFkKoyxzgTdoFX8/uI5/OqKtGK0k6x+dehagWBe rT2mn10VohC2u2VCxLFb1dORM8aurAUgUbH1rSVIQQX4kpaMWLqXF/NkrhcBnQrOdTwf +G2gzSN0BnU96B808kxR1pZNkLNNBjsGXtkGaX48Eti209BQmPLO4YfjY5IK9k5znA5L jo9dC/liARrDaXnjb+mBoTULDpbYcFjiVXyQ9bycmaiAmme2ykDOb37/PuVcFhTC3eSg vXRw== X-Gm-Message-State: AOAM531Un3GeFQKM68MWYL9vu5ss098mKAtITQtQ3c454AdIyu92epys ze8X0+VfFXveOlRqdlouuKg= X-Google-Smtp-Source: ABdhPJzMyAUp3A5zRRy7XrTlnAVWGrkVvPBGHi/C3l3gbyss/FuA69t9QI1M9xYuDhVYKbgi7mHErA== X-Received: by 2002:adf:b6a4:: with SMTP id j36mr45358624wre.260.1593960950558; Sun, 05 Jul 2020 07:55:50 -0700 (PDT) Received: from rhea.home.vuxu.org ([2001:470:6d:72e:468a:bdad:15be:dff3]) by smtp.gmail.com with ESMTPSA id j6sm20470343wma.25.2020.07.05.07.55.47 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Sun, 05 Jul 2020 07:55:49 -0700 (PDT) Received: from localhost (rhea.home.vuxu.org [local]) by rhea.home.vuxu.org (OpenSMTPD) with ESMTPA id bcd1eea4; Sun, 5 Jul 2020 14:55:46 +0000 (UTC) From: Leah Neukirchen To: ebiederm@xmission.com (Eric W. Biederman) Cc: Eric Wong , meta@public-inbox.org Subject: Re: [PATCH] t/import: test for nasty characters References: <87imf4qn87.fsf@x220.int.ebiederm.org> <20200703233032.GA5810@dcvr> <20200704202525.GA19556@dcvr> <87a70fnhxp.fsf@x220.int.ebiederm.org> Date: Sun, 05 Jul 2020 16:55:46 +0200 In-Reply-To: <87a70fnhxp.fsf@x220.int.ebiederm.org> (Eric W. Biederman's message of "Sat, 04 Jul 2020 15:28:34 -0500") Message-ID: <87sge6ui31.fsf@vuxu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain List-Id: ebiederm@xmission.com (Eric W. Biederman) writes: > Eric Wong writes: > >> Eric Wong wrote: >>> "Eric W. Biederman" wrote: >>> > - $name =~ tr/<>//d; >>> > + $name =~ tr/\n\r<>$/ /d; >>> >>> Is getting rid of '$' an effort to avoid double interpolation by Perl? >>> Perl won't recursively expand variables AFAIK. >> >> I'm not seeing the purpose in $ being grouped with the >> characters (test below confirms it, I think). > > What I think we should be doing is any characters that are not a valid > part of a name (as defined by the appropriate email RFCs) should be > dealt with. > > I am pretty certain $ isn't of those characters that is valid in a name. These characters are allowed as names without quoting, RFC 2822 3.2.4: atext = ALPHA / DIGIT / ; Any character except controls, "!" / "#" / ; SP, and specials. "$" / "%" / ; Used for atoms "&" / "'" / "*" / "+" / "-" / "/" / "=" / "?" / "^" / "_" / "`" / "{" / "|" / "}" / "~" In particular, "." is not included. hth, -- Leah Neukirchen https://leahneukirchen.org/