Secure usage of Sup
Clone this wiki locally
We are not aware of anyone having had their Sup exploited yet, but there are some important concerns that you need to think about when setting up Sup or writing custom hooks.
When a sender attaches a file the
filename metadata are controlled by the sender. This metadata is used when opening or decoding an attachment. It is important that you do not use these fields uncritical when you include them in a command that will be executed (e.g. opening an attachment or decoding a HTML attachment using w3m). Please see Viewing-Attachments for details.