
BUG: No validation on attachment filename length #733

@andrinoff


Describe the bug
Attachment filename from email headers (untrusted) has no length validation. Extremely long filenames could cause filesystem errors or UI issues.

To reproduce
Related to #725 (path traversal). While that issue covers directory traversal, this covers length validation.

main.go:2603 uses origName directly without a length check.

Expected behavior
Limit filename length to a reasonable maximum (e.g., 255 bytes for most filesystems).

Additional context

Suggested fix:

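import (
    "path/filepath"
    "strings"
    "unicode/utf8"
)

// sanitizeFilename reduces an untrusted attachment name to one path component of at most 200 bytes.
func sanitizeFilename(name string) string {
    name = filepath.Base(name)
    name = strings.ReplaceAll(name, "/", "_")
    name = strings.ReplaceAll(name, "\\", "_")

    // Limit length
    if len(name) > 200 {
        ext := filepath.Ext(name)
        // An extension of 200 bytes or more cannot be kept; a longer one
        // would make the slice index below negative and panic.
        if len(ext) >= 200 {
            ext = ""
        }
        cut := 200 - len(ext)
        // Back off to a rune boundary so multibyte names stay valid UTF-8.
        for cut > 0 && !utf8.RuneStart(name[cut]) {
            cut--
        }
        name = name[:cut] + ext
    }

    if name == "" || name == "." || name == ".." {
        name = "attachment"
    }

    return name
}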

OS
All platforms
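
An added example (not the project's code) of the length limit on its own, with the byte budget passed as a parameter and run over constructed names that stress it: a multibyte name whose character count is under the limit while its byte count is not, and a name whose "extension" is itself longer than the limit. `truncateName` and the sample names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
	"unicode/utf8"
)

// truncateName (hypothetical helper) shortens name to at most maxBytes bytes,
// keeping the extension when it fits and never cutting inside a UTF-8 sequence.
// It assumes name is already a single path component and maxBytes > 0.
func truncateName(name string, maxBytes int) string {
	if len(name) <= maxBytes {
		return name
	}
	ext := filepath.Ext(name)
	// An "extension" that would use the whole budget is treated as padding and dropped.
	if len(ext) >= maxBytes {
		ext = ""
	}
	cut := maxBytes - len(ext)
	// Back off to the start of a rune so the result stays valid UTF-8.
	for cut > 0 && !utf8.RuneStart(name[cut]) {
		cut--
	}
	return name[:cut] + ext
}

func main() {
	// Constructed sample names, not taken from real mail.
	samples := []string{
		strings.Repeat("a", 300) + ".pdf", // long ASCII stem
		strings.Repeat("日", 100) + ".txt", // 104 characters but 304 bytes
		"x." + strings.Repeat("e", 400),   // oversized extension
		"report.pdf",                      // already short, returned unchanged
	}
	for _, s := range samples {
		out := truncateName(s, 255)
		fmt.Printf("%3d bytes -> %3d bytes, valid UTF-8: %v\n",
			len(s), len(out), utf8.ValidString(out))
	}
}
```

The multibyte sample comes out at 253 bytes rather than 255 because the cut moves back to the nearest rune boundary.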

Labels: bug, good first issue

Status: In review