Re: RFC2368 security considerations

To: mutt-dev@xxxxxxxx
Subject: Re: RFC2368 security considerations
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
Date: Sun, 12 Jun 2005 18:46:44 +0200
In-reply-to: <20050610090018.GA5066@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Mail-followup-to: mutt-dev@xxxxxxxx
References: <20050610090018.GA5066@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.9i

On 2005-06-10 18:00:18 +0900, TAKAHASHI Tamotsu wrote:

>   I told TLR this issue, and he didn't think this was a serious
> vulnerability. I also don't. So I am telling you this publicly.

Indeed.

Concerning your patch, I don't think it will help much, as users
chronically disregard warning messages.

One thing we could do is to restrict the headers accepted from a
mailto URL to those shown on the compose screen, maybe even minus
From.  Everything else could either be disregarded, or maybe have
"x-mailto-url" prepended to it.

Thoughts, anyone?
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.

Follow-Ups:
- Re: RFC2368 security considerations
  - From: Vincent Lefevre
- Re: RFC2368 security considerations
  - From: TAKAHASHI Tamotsu

References:
- RFC2368 security considerations
  - From: TAKAHASHI Tamotsu

Prev by Date: RFC2368 security considerations
Next by Date: Re: For 1.5.10: cursor patch
Previous by thread: RFC2368 security considerations
Next by thread: Re: RFC2368 security considerations
Index(es):
- Date
- Thread