
Re: RFC2368 security considerations



On 2005-06-10 18:00:18 +0900, TAKAHASHI Tamotsu wrote:

>   I told TLR this issue, and he didn't think this was a serious
> vulnerability. I also don't. So I am telling you this publicly.

Indeed.

Concerning your patch, I don't think it will help much, as users
chronically disregard warning messages.

One thing we could do is to restrict the headers accepted from a
mailto URL to those shown on the compose screen, maybe even minus
From.  Everything else could either be disregarded, or maybe have
"x-mailto-url" prepended to it.

Thoughts, anyone?
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
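The header policy sketched in the message above, as an added example that is neither mutt code nor the patch under discussion: a small Python parser for RFC 2368 mailto: URLs that implements both options, disregarding headers not shown on the compose screen or tagging them. The compose-screen whitelist (minus From) and the "x-mailto-url-" spelling of the tag are assumptions.

```python
from urllib.parse import unquote

# Assumed whitelist: header names the compose screen shows, minus From as the
# thread suggests. Anything else comes from the URL without the user seeing it.
COMPOSE_SCREEN_HEADERS = {"to", "cc", "bcc", "subject", "reply-to"}
TAG_PREFIX = "x-mailto-url-"   # assumed spelling of the thread's "x-mailto-url" tag


def parse_mailto(url, policy="tag"):
    """Split an RFC 2368 mailto: URL into (headers, rejected).

    headers maps lowercase header names to values; 'body' is kept under its
    own key because RFC 2368 treats it as message text, not a header.
    policy "tag" renames untrusted headers with TAG_PREFIX; "drop" discards them.
    """
    scheme, sep, rest = url.partition(":")
    if sep == "" or scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    to_part, _, query = rest.partition("?")
    headers, rejected = {}, []
    pairs = [("to", to_part)] if to_part else []
    pairs += [p.partition("=")[::2] for p in query.split("&") if p]
    for raw_name, raw_value in pairs:
        name, value = unquote(raw_name).strip().lower(), unquote(raw_value)
        # A decoded %0D%0A would smuggle extra header lines into the message,
        # so refuse such values outright (my addition; not discussed in the thread).
        if "\r" in value or "\n" in value:
            rejected.append(name)
            continue
        if name in COMPOSE_SCREEN_HEADERS or name == "body":
            key = name
        elif policy == "drop":
            rejected.append(name)
            continue
        else:
            key = TAG_PREFIX + name
        # RFC 2368 allows several to= values; merge them into one address list.
        if key == "to" and "to" in headers:
            headers["to"] += ", " + value
        else:
            headers[key] = value
    return headers, rejected
```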