From: Paul Haldane (Paul.Haldane@newcastle.ac.uk)
Date: Tue Apr 20 1999 - 09:43:35 CDT
On Tue, 20 Apr 1999, Tom von Alten wrote:
...
> I thought of a simpler approach. What if we just prefix user names with
> something innocuous? Add on "x-" or some such, so
> .htaccess -> xhm-.htaccess
> for example.
That sounds attractive to me. I was just looking back at some work I did
on Hypermail 1 to deal with attachments and found that I was always
storing them as att-<msgno>-<attachmentno>
But this was probably laziness rather than concern over security.
Tom's suggestion of a prefix seems sensible as we do want to preserve any
given extension. An alternative would be defining a set of acceptable
types of file name - not starting with a '.', only alphanumerics and
'safe' other characters in the name - and map any other given file names
into that set.
Paul
-- Paul Haldane
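
Added example (not part of the original message and not Hypermail code): one way to implement the alternative described above, mapping any given attachment name into a set with no leading '.' and only alphanumerics plus a few safe characters, while keeping the extension. The function name, the "att-" prefix and the choice of '.', '-' and '_' as the safe characters are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Hypermail code. The prefix is an assumption. */
#define SAFE_PREFIX "att-"

/* Map a sender-supplied attachment name into the safe set: last path
 * component only, no leading '.', ASCII alphanumerics plus '.', '-', '_'.
 * Other bytes become '_'; the extension survives. Returns 0, or -1 if the
 * arguments are invalid or out is too small. */
int sanitize_attachment_name(const char *given, char *out, size_t outlen)
{
    const char *p, *base = given;
    size_t n = 0;

    if (given == NULL || out == NULL || outlen == 0)
        return -1;
    /* Drop any directory part; senders may use '/' or '\\'. */
    for (p = given; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    /* Empty or dot-leading names (".htaccess", "..") get the prefix. */
    if (*base == '\0' || *base == '.') {
        n = strlen(SAFE_PREFIX);
        if (n >= outlen)
            return -1;
        memcpy(out, SAFE_PREFIX, n);
    }
    for (p = base; *p; p++) {
        unsigned char c = (unsigned char)*p;
        int ok = c < 128 && (isalnum(c) || c == '.' || c == '-' || c == '_');
        if (n + 1 >= outlen)
            return -1;
        out[n++] = ok ? (char)c : '_';
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real archive. */
    const char *samples[] = { ".htaccess", "../../etc/passwd", "my report (final).doc" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (sanitize_attachment_name(samples[i], buf, sizeof buf) == 0)
            printf("%s -> %s\n", samples[i], buf);
    return 0;
}
```

Distinct inputs can map to the same output name, so the caller still needs a per-message directory or a numbering scheme such as the att-<msgno>-<attachmentno> pattern mentioned in the message.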