RFC2368 security patch status (Re: CVE-2006-3242 and a new mutt release)



* Wed Jul 12 2006 Vincent Lefevre <vincent@xxxxxxxxxx>
> Also, what's the status of the rfc2368sec patch?

No progress.

I have been using rfc2368sec.5 for nearly one year
and I have not found a bug in it.
http://developer.momonga-linux.org/viewcvs/trunk/pkgs/mutt/patch-1.5.9.tamo.rfc2368sec.5?rev=6615

IIRC, Thomas prefers rfc2368sec.4:
http://www.momonga-linux.org/~tamo/patch-1.5.9.tamo.rfc2368sec.4
http://thread.gmane.org/gmane.mail.mutt.devel/7507/focus=7522


It is not an obvious bug fix, but I quote the RFC again:

| 4. Unsafe headers
|
|   The user agent interpreting a mailto URL SHOULD choose not to create
|   a message if any of the headers are considered dangerous; it may also
|   choose to create a message with only a subset of the headers given in
|   the URL.  Only the Subject, Keywords, and Body headers are believed
|   to be both safe and useful.

(http://www.faqs.org/rfcs/rfc2368.html)

-- 
tamo
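
The strict reading of the RFC 2368 section 4 text quoted in the message above, as an added example: this is not the rfc2368sec patch and not mutt code. Assumptions of this example: the function names, refusing the whole URL when any header other than Subject, Keywords or Body appears, matching header names without percent-decoding (so an escaped name is refused), rejecting CR/LF in every value except body, and the constructed example.org URL.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* RFC 2368 section 4: the only headers believed both safe and useful. */
static const char *const SAFE[] = { "subject", "keywords", "body", NULL };

static int ieq(const char *a, const char *b) {  /* ASCII case-insensitive equality */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}

/* Decode %XX in place; fail on a bad escape, NUL, or (unless nl_ok) CR/LF. */
static int pct_decode(char *s, int nl_ok) {
    char *o = s;
    for (; *s; s++) {
        int c = (unsigned char)*s;
        if (c == '%') {
            char hex[3] = { s[1], s[1] ? s[2] : 0, 0 };
            if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1])) return -1;
            c = (int)strtol(hex, NULL, 16);
            s += 2;
        }
        if (c == 0 || (!nl_ok && (c == '\r' || c == '\n'))) return -1;
        *o++ = (char)c;
    }
    *o = 0;
    return 0;
}

/* Strict policy (assumption): count accepted headers, or -1 to refuse the URL. */
int mailto_check(const char *url) {
    const char *q = strchr(url, '?');
    char *copy = q ? malloc(strlen(q)) : NULL;  /* strlen(q) covers q+1 plus NUL */
    int n = 0, i;
    if (!copy) return q ? -1 : 0;               /* no '?' means no headers */
    strcpy(copy, q + 1);
    for (char *p = copy, *next; p && *p; p = next) {
        if ((next = strchr(p, '&')) != NULL) *next++ = 0;
        char *v = strchr(p, '=');
        if (v) *v++ = 0;
        for (i = 0; SAFE[i] && !ieq(p, SAFE[i]); i++) ;
        if (!v || !SAFE[i] || pct_decode(v, ieq(p, "body")) < 0) { n = -1; break; }
        n++;
    }
    free(copy);
    return n;
}

/* Constructed sample URL; exit status 0 means it was accepted with one header. */
int main(void) { return mailto_check("mailto:a@example.org?subject=hi") == 1 ? 0 : 1; }
```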