Re: [hypermail] Hypermail security < test <here> >

From: Peter C. McCluskey <pcm_at_rahul.net_at_hypermail-project.org>
Date: Thu, 15 Nov 2001 14:27:37 -0800 (PST)
Message-Id: <20011115222737.853C01DBC_at_foxtrot.rahul.net>

franklin.lists_at_qdefense.com (Franklin DeMatto) writes:
>As for the cross site scripting, I see no solution other than an option to
>disallow all attachments and MIME types other than text/plain. I did not
>see this option in the docs - I'll work on adding a patch. If someone

 I think you can accomplish what you want by using this option:

 text_types = *

which is designed to cause all MIME types to be treated as text/plain. I've done a few tests, and haven't found a way to get arbitrary html tags past it, but I don't understand that part of the code well enough to offer anything resembling a guarantee. The result is ugly enough in many cases that I would be reluctant to make it the default. It appears that the main change that is needed is conspicuous documentation of the risks of using hypermail in combination with SSI. I will make some changes along those lines soon.



Peter McCluskey | Free Dmitry Sklyarov! http://www.freesklyarov.org/ http://www.rahul.net/pcm

Received on Fri 16 Nov 2001 12:34:48 AM GMT
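The effect Peter describes for `text_types = *` (every MIME part, including an HTML attachment, is rendered as escaped plain text instead of being embedded as live markup) can be modelled and checked offline. The following is an added example, not hypermail's own code: it assumes a rendering policy where parts whose type is in `text_types` are escaped inside a `<pre>` wrapper and everything else is passed through untouched, then runs the same kind of "did any tag survive?" check the message mentions against a constructed sample mail.

```python
"""Model of the 'treat every MIME type as text/plain' archiving policy.

Added example; not hypermail's code. It models the policy the message
describes (text_types = *) so its effect on an archived HTML attachment
can be checked. The rendering rules and the sample mail are assumptions.
"""
import html
import re
from email import policy
from email.message import EmailMessage

# Tags emitted by the renderer itself; anything else in the output came
# from the mail body and would run in the archive reader's browser.
RENDERER_TAGS = {"pre"}


def render_part(part, text_types):
    """Return the HTML fragment the archive page would embed for one part.

    text_types: set of content types rendered as plain text (escaped).
    "*" stands for every type, mirroring the `text_types = *` option.
    Parts not covered are passed through raw, which is the behaviour that
    lets attacker-supplied markup reach whoever reads the archive.
    """
    ctype = part.get_content_type()
    body = part.get_content()
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    if "*" in text_types or ctype in text_types:
        return "<pre>" + html.escape(body, quote=True) + "</pre>"
    return body  # raw pass-through of an HTML part


def render_message(msg, text_types):
    """Render every part of a message under the given text_types policy."""
    parts = msg.iter_parts() if msg.is_multipart() else [msg]
    return "\n".join(render_part(p, text_types) for p in parts)


def tags_surviving(fragment):
    """Tag names present in the rendered output other than the renderer's own.

    This is the check the message alludes to: an empty list means no
    foreign tag got past the escaping.
    """
    found = {m.group(1).lower()
             for m in re.finditer(r"<\s*/?\s*([a-zA-Z][\w-]*)", fragment)}
    return sorted(found - RENDERER_TAGS)


def sample_message():
    """Constructed sample mail (not a real list message): a plain body plus
    a text/html attachment that carries markup."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body of the message.")
    msg.add_attachment("<b>hello</b><script>alert(1)</script>",
                       subtype="html", filename="note.html")
    return msg


def compare_policies():
    """Render the sample under a permissive and a text_types = * policy."""
    msg = sample_message()
    permissive = tags_surviving(render_message(msg, {"text/plain"}))
    strict = tags_surviving(render_message(msg, {"*"}))
    return permissive, strict


if __name__ == "__main__":
    permissive, strict = compare_policies()
    print("tags surviving with text_types = text/plain:", permissive)
    print("tags surviving with text_types = *:", strict)
```

With only `text/plain` listed, the attachment's `b` and `script` tags survive into the archive page; with `*`, the same attachment comes out as escaped text inside `<pre>`, which is also why the result looks as ugly as the message warns. The model deliberately does not cover the SSI risk mentioned at the end: that is a server-side feature of the web server hosting the archive, not something the MIME renderer controls.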

This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:53 PM GMT