Re: [hypermail] Disallow all attachments, but bug/problem

At 04:42 PM 03/18/02 +0100, Daniel Stenberg wrote:
>On Sun, 17 Mar 2002, Ron Pero wrote:
>
>> In my hmrc file, when I have this line, to disallow all attachments:
>> ignore_types = *
>> the body of the email did not appear in the html page. But there is only
>> one message in the mailbox, and it has just one line of text in the body,
>> and no attachment.
>>
>> But when I comment out that config line:
>> #ignore_types = *
>> And uncommented this line:
>> ignore_types = application/x-msdownload
>>
>> Now when I run hypermail, the body of the email DOES appear in the html
>> page. Just fine.
>>
>> Seems to be a problem.
>>
>> But I do want to ignore ALL attachments. I don't need them in the archives,
>> and it would prevent any security problem involving attachments.
>>
>> What do you think?
>
>I was afraid this was gonna happen, and the reason is quite simple too.
>
>There's no "text part" and "attachment part" in the mail. They're all just a
>series of parts, each one with its own content-type.
>
>Ignoring all types will make it ignore all parts, including the text parts
>you most likely didn't want to ignore...
>
>A proper solution would probably be to support an inverted option, like in:
>
> ignore_types = *
> allow_types = text/plain
>
>... we would just need to define (and document) in which order the types are
>tested.
>
>--
> Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
> ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

Interesting. But for now, it looks like the following would prevent security problems associated with attachments, since, IIUC, if any attachments come along, the only ones that will be stored are those of mime type plain. Which should be fairly secure...

#$NONPLAIN - ignore all types not treated as text/plain, and all $BINARY types.
#Note: the behavior of these may be affected by the inlinehtml option. ignore_types = $NONPLAIN

Ron Received on Mon 18 Mar 2002 09:40:26 PM GMT