aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Mailman/Handlers/Scrubber.py11
1 files changed, 7 insertions, 4 deletions
diff --git a/Mailman/Handlers/Scrubber.py b/Mailman/Handlers/Scrubber.py
index 1ae849b1..de02fd45 100644
--- a/Mailman/Handlers/Scrubber.py
+++ b/Mailman/Handlers/Scrubber.py
@@ -373,7 +373,9 @@ Url : %(url)s
partcharset = str(partcharset)
else:
partcharset = part.get_content_charset()
- if partcharset and partcharset <> charset:
+ # If the part is Content-Type: message/delivery-status, payload is
+ # None so test here.
+ if t and partcharset and partcharset <> charset:
try:
t = unicode(t, partcharset, 'replace')
except (UnicodeError, LookupError, ValueError, AssertionError):
@@ -385,7 +387,7 @@ Url : %(url)s
try:
# Should use HTML-Escape, or try generalizing to UTF-8
t = t.encode(charset, 'replace')
- except (UnicodeError, LookupError, ValueError):
+ except (UnicodeError, LookupError, ValueError, AssertionError):
t = t.encode(lcset, 'replace')
# Separation is useful
if isinstance(t, StringType):
@@ -436,7 +438,7 @@ def save_attachment(mlist, msg, dir, filter_html=True):
# i18n file name is encoded
lcset = Utils.GetCharSet(mlist.preferred_language)
filename = Utils.oneline(msg.get_filename(''), lcset)
- fnext = os.path.splitext(filename)[1]
+ filename, fnext = os.path.splitext(filename)
# For safety, we should confirm this is valid ext for content-type
# but we can use fnext if we introduce fnext filtering
if mm_cfg.SCRUBBER_USE_ATTACHMENT_FILENAME_EXTENSION:
@@ -444,6 +446,8 @@ def save_attachment(mlist, msg, dir, filter_html=True):
ext = fnext or guess_extension(ctype, fnext)
else:
ext = guess_extension(ctype, fnext)
+ # Allow only alphanumerics, dash, underscore, and dot
+ ext = sre.sub('', ext)
if not ext:
# We don't know what it is, so assume it's just a shapeless
# application/octet-stream, unless the Content-Type: is
@@ -461,7 +465,6 @@ def save_attachment(mlist, msg, dir, filter_html=True):
try:
# Now base the filename on what's in the attachment, uniquifying it if
# necessary.
- filename = msg.get_filename()
if not filename or mm_cfg.SCRUBBER_DONT_USE_ATTACHMENT_FILENAME:
filebase = 'attachment'
else: