From c1285a0fe7cb76406ff6c49e2e4dfd3365b54c4d Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 28 Jul 2017 09:55:31 +0200
Subject: [PATCH] Remove non-printable characters from filenames on
 download/display (#5880)

---
 CHANGELOG                   | 1 +
 program/steps/mail/func.inc | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 789425377..674e57948 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ CHANGELOG Roundcube Webmail
 - Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
 - Managesieve: Fix parsing dot-staffed lines in multiline text (#5838)
 - Managesieve: Fix AM/PM suffix in vacation time selectors
+- Remove non-printable characters from filenames on download/display (#5880)
 - Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
 - Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
 - Fix bug where HTML messages with @media styles could moddify style of page body (#5811)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index e09ba6365..de38774e2 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -2063,7 +2063,7 @@ function rcmail_attachment_name($attachment, $display = false)
     global $RCMAIL;
 
     $filename = (string) $attachment->filename;
-    $filename = str_replace(array("\r", "\n"), '', $filename);
+    $filename = preg_replace('/[\x00-\x1F\x7F]/', '', $filename);
 
     if ($filename === '') {
         if ($attachment->mimetype == 'text/html') {