--- squirrelmail.stable/squirrelmail/class/deliver/Deliver.class.php 2017-01-27 21:31:33.000000000 +0100
+++ htdocs/class/deliver/Deliver.class.php 2018-03-14 17:21:10.320000000 +0100
@@ -281,6 +281,7 @@
 global $username, $attachment_dir;
 $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
 $filename = $message->att_local_name;
+ if(!ctype_alnum($filename)) die();
 // inspect attached file for lines longer than allowed by RFC,
 // in which case we'll be using base64 encoding (so we can split
@@ -339,6 +340,7 @@
 global $username, $attachment_dir;
 $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
 $filename = $message->att_local_name;
+ if(!ctype_alnum($filename)) die();
 $file = fopen ($hashed_attachment_dir . '/' . $filename, 'rb');
 while ($tmp = fread($file, 570)) {
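Review bot: The added `if(!ctype_alnum($filename)) die();` in both hunks (before the RFC line-length inspection and before the `fopen` in the second hunk) ends the request with an empty response and no log entry, so a rejected `att_local_name` — whether a tampered value or a name the rest of the code produced in an unexpected form — leaves nothing for an operator to find and nothing for a developer to debug. Recording the rejection costs one line, e.g. `if (!ctype_alnum($filename)) { error_log('Deliver: rejected attachment file name'); die(); }`. The same check is pasted into two methods; since `$filename` feeds the path handed to `fopen`, a single validation where `att_local_name` is assigned (or a small helper both sites call) would also cover any other reader of that field, which this diff cannot show. Note that `ctype_alnum` returns false for the empty string, so an unset name exits the same way as a malformed one — probably intended, but worth a one-line comment. The enclosing functions start and end outside both hunks.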