Re: [hypermail] Does anyone use mail.c

From: kent landfield <kent_at_hypermail.org_at_hypermail-project.org>
Date: Wed, 12 Feb 2003 14:04:29 -0600 (CST)
Message-Id: <20030212200429.822A1270449_at_dev.hypermail.org>


Peter C. McCluskey writes:
>
> kent_at_hypermail.org (kent landfield) writes:
> >Peter C. McCluskey writes:
> >> b) there's a slight chance that there are people using it who would install
> >> the disabled version if it's built by default, but if it's not built would
> >> continue using the old version without realizing the risks.
> >
> >Another good point... But, currently it is not installed. I didn't change
> >that so I'm not sure how long it has been that way. I did check in the
> >hypermail-2.0.0 version and it was not installed then. In this case, people
> >are not using anywhere near the current version today. That was one of the
> >reasons I considered removing it entirely.
>
> Even if "make install" never did anything with it, my point remains roughly
> unchanged. People may look for whatever binaries get produced and manually
> copy them to the appropriate place.

I'm not sure I agree. I don't blindly copy any olde executable into place without understanding what I'm putting there. Those days are gone. Too many security issues (like the one we are discussing). This application has no real purpose anymore and can be substituted with a href="mailto:..." instead of an open, insecure mail-relay.

> If you're worried about maintaining the code in mail.c, I'd suggest a
> simple way to eliminate the need for further maintenance would be to
> reduce the program to a main that just contains a printf.

Then what's the difference of simply putting it in a README with a notice that comes up during the latter part of the build that states

    Support for the insecure cgi-bin/mail program has been discontinued.
    Please check and make sure you are not running an older version of it.
    If you are, spammers could be using your site as a relay and you
    would not know. Remove any hypermail supplied cgi-bin/mail form utility
    from your cgi-bin directories or other installed locations on your system.


> >We could add a section to the 'make install' that ran a script that checked
> >to see if the old 'cgi-bin/mail' program exists and warn the user of the
> >problems... Just a thought...
>
> Check where? All the user's web server cgi directories?

:) Where it would have been installed initially as dictated by configure. Granted, it's not perfect. It was just an idea...

-- 
Kent Landfield             |  HYPERMAIL: http://www.hypermail.org/ 
Email: kent_at_hypermail.org  |  RFCS: http://www.faqs.org/rfcs/
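The install-time check floated in this exchange, written out as an added example (this is not hypermail's own code and was not posted in the thread). It assumes the configure-dictated CGI directory is simply passed in as an argument; the stale binary name `mail` is the one discussed above.

```sh
#!/bin/sh
# Added example, not part of the hypermail project: an install-time
# check for a leftover cgi-bin/mail, as proposed in the thread above.
# Assumes the CGI directory chosen by configure is passed as $1.

# Print the discontinuation notice (wording taken from the message above).
print_mail_notice() {
    cat <<'EOF'
Support for the insecure cgi-bin/mail program has been discontinued.
Please check and make sure you are not running an older version of it.
If you are, spammers could be using your site as a relay and you
would not know. Remove any hypermail supplied cgi-bin/mail form utility
from your cgi-bin directories or other installed locations on your system.
EOF
}

# check_old_mail_cgi DIR...
# Returns 0 when no stale "mail" CGI exists in any DIR, 1 when at least
# one does; the notice and each offending path go to stderr.
check_old_mail_cgi() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        candidate="$dir/mail"
        if [ -f "$candidate" ]; then
            [ "$found" -eq 0 ] && print_mail_notice >&2
            found=1
            echo "  stale CGI found: $candidate" >&2
        fi
    done
    return "$found"
}

# Stand-alone use: "make install" would call this with the configure'd
# CGI directory. The status is deliberately not propagated, so a stale
# copy produces a warning rather than aborting the install.
if [ "${1:-}" ]; then
    check_old_mail_cgi "$@" || true
fi
```

Nothing is deleted by the check; it only reports, which keeps the "make install" step side-effect free while still surfacing the old relay.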
Received on Wed 12 Feb 2003 10:04:29 PM GMT

This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:54 PM GMT