Re: RFC2368 security considerations
On 2005-06-10 18:00:18 +0900, TAKAHASHI Tamotsu wrote:
> I told TLR this issue, and he didn't think this was a serious
> vulnerability. I also don't. So I am telling you this publicly.
Indeed.
Concerning your patch, I don't think it will help much, as users
chronically disregard warning messages.
One thing we could do is to restrict the headers accepted from a
mailto URL to those shown on the compose screen, maybe even minus
From. Everything else could either be disregarded, or maybe have
"x-mailto-url" prepended to it.
Thoughts, anyone?
--
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
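One way to implement the header restriction proposed above, as an added Python example that is not code from mutt or from this thread; the compose-screen header set (To, Cc, Bcc, Subject, deliberately minus From) and the exact "X-Mailto-URL-" prefix spelling are assumptions:

```python
import re
from urllib.parse import unquote

# Assumed set of headers the compose screen shows; From is left out on purpose.
COMPOSE_HEADERS = ("to", "cc", "bcc", "subject")
PREFIX = "X-Mailto-URL-"  # assumed spelling of the proposed prefix


def _clean(value):
    # Fold CR/LF out of a decoded header value so a %0d%0a in the URL
    # cannot start a second header line (classic header injection).
    return re.sub(r"[\r\n]+", " ", value).strip()


def parse_mailto(url, rename_unknown=True):
    """Return (headers, body) for an RFC 2368 mailto URL.

    headers is a list of (name, value) pairs. Header names that are not on
    the compose screen are renamed with PREFIX when rename_unknown is True
    (the "prepend x-mailto-url" option) or silently disregarded otherwise.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto URL")
    addr, _, query = rest.partition("?")
    to = [_clean(unquote(a)) for a in addr.split(",") if a]
    headers, body = [], ""
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        name = unquote(name).strip().lower()
        value = unquote(value)
        if name == "body":
            body = value  # message text, not a header: newlines are legitimate here
        elif name == "to":
            to.append(_clean(value))  # RFC 2368: additional "to" hnames are appended
        elif name in COMPOSE_HEADERS:
            headers.append((name.capitalize(), _clean(value)))
        elif rename_unknown and name:
            # Kept visible but harmless, e.g. reply-to -> X-Mailto-URL-Reply-To
            headers.append((PREFIX + name.title(), _clean(value)))
        # any other header is disregarded
    if to:
        headers.insert(0, ("To", ", ".join(to)))
    return headers, body
```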