Re: RFC2368 security considerations

To: mutt-dev@xxxxxxxx
Subject: Re: RFC2368 security considerations
From: Vincent Lefevre <vincent@xxxxxxxxxx>
Date: Mon, 13 Jun 2005 17:03:51 +0200
In-reply-to: <20050612164644.GK17359@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-unsubscribe: <mailto:mutt-dev-request@mutt.org?body=unsubscribe>
Mail-followup-to: mutt-dev@xxxxxxxx
References: <20050610090018.GA5066@xxxxxxxxxxxxxxxxxxxxxxxxxx> <20050612164644.GK17359@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-mutt-dev@xxxxxxxx
User-agent: Mutt/1.5.9-vl-20050611i

On 2005-06-12 18:46:44 +0200, Thomas Roessler wrote:
> One thing we could do is to restrict the headers accepted from a
> mailto URL to those shown on the compose screen, maybe even minus
> From.  Everything else could either be disregarded, or maybe have
> "x-mailto-url" prepended to it.

An x-mailto-url header would be a security hole as such a URL could
be a private one (i.e. on a private page, such as on an intranet or
after authentication) and contain sensitive information (e.g. Bcc
addresses).

-- 
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA

Follow-Ups:
- Re: RFC2368 security considerations
  - From: Thomas Roessler

References:
- RFC2368 security considerations
  - From: TAKAHASHI Tamotsu
- Re: RFC2368 security considerations
  - From: Thomas Roessler

Prev by Date: [2005-06-13] CVS repository changes
Next by Date: Re: RFC2368 security considerations
Previous by thread: Re: RFC2368 security considerations
Next by thread: Re: RFC2368 security considerations
Index(es):
- Date
- Thread