From 0ae61813817c38450bb7b03ca27cfa569ede35c8 Mon Sep 17 00:00:00 2001
From: David Flatz
Date: Mon, 28 Oct 2019 16:48:03 +0100
Subject: escape attachment name since that string is user-provided and might
 contain non-ascii characters

---
 it_mail.class | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/it_mail.class b/it_mail.class
index 4033c06..3e56a08 100644
--- a/it_mail.class
+++ b/it_mail.class
@@ -276,7 +276,8 @@ function send($p = array())
 
 		foreach ($this->attachments as $attachment)
 		{
-			$text .= "\n--$boundary\nContent-Type: {$attachment['mimetype']}; name=\"{$attachment['name']}\"\nContent-Transfer-Encoding: base64\nContent-ID: <{$attachment['cid']}>\nContent-Disposition: {$attachment['disposition']}; filename=\"{$attachment['name']}\"\n\n";
+			$name = $this->header_escape($attachment['name']);
+			$text .= "\n--$boundary\nContent-Type: {$attachment['mimetype']}; name=\"$name\"\nContent-Transfer-Encoding: base64\nContent-ID: <{$attachment['cid']}>\nContent-Disposition: {$attachment['disposition']}; filename=\"$name\"\n\n";
 			$text .= chunk_split(base64_encode($attachment['data']));
 		}
 
-- 
cgit v1.2.3