RE: MIME disable option? (hopefully not FAQ)

From: Tom von Alten <Tom_vonAlten_at_boi.hp.com_at_hypermail-project.org>
Date: Mon, 19 Apr 1999 10:08:14 -0600
Message-ID: <01BE8A4D.BD66D320.Tom_vonAlten_at_boi.hp.com>


Daniel Stenberg wrote:
> I am aware that the current way of storing attachments using the supplied
> name may offer ways to screw up the web server, such as your .htaccess
> example. However, instead of disabling the feature I would rather like to
> hear suggestions on how to avoid the risks.

Here are some suggestions:

  1. For ease of file management, our local modification of v1 used a subdirectory tree for attachments. If message 0123.html had attachments, for example, they'd be put into an archive/.attachments/0123/ directory. This would have the side benefit of limiting the scope of potential mischief.
  2. If it is desired to keep attachments in a flat directory with the archive, a specific set of names (.htaccess is the only one that jumps out at me, but no doubt there are others) could be excluded.
  3. The local sysadmin could touch an .htaccess file and set the permissions such that hypermail could not overwrite it. Similarly, for any other reserved names.

Item (2) might still be desirable if (1) is implemented, to protect the .attachments/NNNN/ subdirectories.

_____________ Hewlett-Packard Computer Peripherals Bristol Tom von Alten mailto:Tom_vonAlten_at_boi.hp.com

          This posting is for informational purposes only.
          It is not a statement of the Hewlett-Packard Co.
Received on Mon 19 Apr 1999 06:16:55 PM GMT
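
Added example, not part of the original posting and not hypermail's own code: a C function that combines suggestions (1) and (2) by reducing the sender-supplied name to a bare file name, refusing reserved names, and placing the result under archive/.attachments/NNNN/. The function name attachment_path, the reserved entries other than .htaccess, the allowed character set, and the refusal of "." and ".." are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Only .htaccess is named in the post; the other entries are assumed. */
static const char *const reserved[] = { ".htaccess", ".htpasswd", "index.html", NULL };

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Hypothetical helper: writes archive/.attachments/NNNN/<name> to out.
   Returns 0 on success, -1 if the supplied name must be refused. */
int attachment_path(const char *archive, int msgnum, const char *supplied,
                    char *out, size_t outlen)
{
    const char *base = supplied, *p;
    char name[256];
    size_t i, n = 0;
    /* Suggestion 1: drop any directory part so the file stays in NNNN/. */
    for (p = supplied; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    /* Map characters outside a conservative set to '_'. */
    for (i = 0; base[i] && n < sizeof(name) - 1; i++) {
        unsigned char c = (unsigned char)base[i];
        name[n++] = (isalnum(c) || c == '.' || c == '-' || c == '_') ? (char)c : '_';
    }
    name[n] = '\0';
    if (msgnum < 0 || n == 0 || !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    /* Suggestion 2: refuse reserved names, ignoring case. */
    for (i = 0; reserved[i]; i++)
        if (ci_equal(name, reserved[i]))
            return -1;
    /* A negative snprintf result becomes a huge size_t and is refused too. */
    n = (size_t)snprintf(out, outlen, "%s/.attachments/%04d/%s", archive, msgnum, name);
    return n < outlen ? 0 : -1;
}

int main(void)
{
    char buf[128];
    const char *hostile = "../../.htaccess";  /* constructed sample name */
    puts(attachment_path("archive", 123, hostile, buf, sizeof buf) ? "refused" : buf);
    return 0;
}
```

Suggestion (3), a pre-created .htaccess that hypermail cannot overwrite, remains useful alongside this as a second layer that does not depend on the name check.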

This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:50 PM GMT