user/dev discussion of public-inbox itself
 help / color / mirror / code / Atom feed
From: Eric Wong <>
To: "Eric W. Biederman" <>
Subject: Re: [PATCH] t/import: test for nasty characters
Date: Sat, 4 Jul 2020 21:24:51 +0000	[thread overview]
Message-ID: <20200704212451.GB6980@dcvr> (raw)
In-Reply-To: <>

"Eric W. Biederman" <> wrote:
> Eric Wong <> writes:
> > Eric Wong <> wrote:
> >> "Eric W. Biederman" <> wrote:
> >> > -		$name =~ tr/<>//d;
> >> > +		$name =~ tr/\n\r<>$/     /d;
> >> 
> >> Is getting rid of '$' an effort to avoid double interpolation by Perl?
> >> Perl won't recursively expand variables AFAIK.
> >
> > I'm not seeing the purpose in $ being grouped with the
> > characters (test below confirms it, I think).
> What I think we should be doing is any characters that are not a valid
> part of a name (as defined by the appropriate email RFCs) should be
> dealt with.
> I am pretty certain $ isn't of those characters that is valid in a name.

*shrug*  We'd have to dig through RFCs for that, but practically
anything can be valid once base64-encoded in headers.

This part of the code is only about keeping git-fast-import
happy.  '$' is a visible character, and can be used creatively
for "fun" usernames, so I prefer we keep it.

Fwiw, I was able to send an email to a big mail provider w/o
getting flagged as spam using "Ca$h Wong" as my From: name.
mutt didn't even escape or quote it, either.

> Otherwise I suspect this will be a game of whack-a-mole as new weird
> and strange cases crop up.  Maybe I am just paranoid, but right now
> the code seems a bit too liberal in what it accepts.

I prefer we keep liberal.  MDA and spam filters can be
stricter, of course.

I can't see '$' possibly doing any damage unless somebody runs
`eval' on From: headers; but if we're defending against that,
we'd have to disallow words like "rm" and "unlink", too :)

  reply	other threads:[~2020-07-04 21:24 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-03 21:53 [PATCH] Import: Be more careful with names in email Eric W. Biederman
2020-07-03 23:30 ` Eric Wong
2020-07-04 20:25   ` [PATCH] t/import: test for nasty characters Eric Wong
2020-07-04 20:28     ` Eric W. Biederman
2020-07-04 21:24       ` Eric Wong [this message]
2020-07-05 14:55       ` Leah Neukirchen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200704212451.GB6980@dcvr \ \ \ \
    --subject='Re: [PATCH] t/import: test for nasty characters' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Code repositories for project(s) associated with this inbox:

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).