Improve filename sanitization in MIME headers #388
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sanitize filenames to replace invalid characters before encoding them. This prevents control and special characters from causing issues in MIME headers and file systems. The `sanitizeFilename` function ensures these characters are replaced with underscores.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #388 +/- ##
==========================================
+ Coverage 96.86% 96.87% +0.01%
==========================================
Files 28 28
Lines 3128 3139 +11
==========================================
+ Hits 3030 3041 +11
Misses 68 68
Partials 30 30 ☔ View full report in Codecov by Sentry. |
This commit introduces a series of tests for the sanitizeFilename function in msgwriter_test.go. The tests cover various edge cases to ensure filenames are sanitized correctly by replacing or removing invalid characters. These additions will help maintain the integrity and reliability of filename sanitization in the codebase.
Introduced tests to validate filename sanitization for attachments, ensuring disallowed characters are handled correctly. These tests cover various scenarios, including different character sets such as Japanese, Chinese, and Cyrillic.
Removed temporary file creation and copying in msgwriter_test.go. Directly attach the source file during the test to streamline the setup process. This change reduces complexity and potential points of failure in the test code.
Adjusted the expected content-type header in msgwriter tests to account for FreeBSD by setting it to 'application/octet-stream' instead of 'text/plain'. This ensures compatibility and correct behavior across different operating systems.
The charset parameter in the Content-Type header for octet-stream files on FreeBSD was removed. This aligns the behavior with the expected MIME type format for such files. Other platforms remain unchanged.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces proper filename sanitization for attachments and embedded files. It will repace invalid characters with underscore
_characters before encoding them. This prevents control (like new lines) and special characters like backslash or quotes from causing issues in MIME headers and file systems.As a side effect this prevents newline characters from introducing a potential vulnerability by using filenames with newlines characters in it.
We also make sure that the
Content-Descriptionheader is properly encoded.