[Mailman-Developers] Yet another weird-a$$ potential attack problem...

John W Baxter jwblist@olympus.net
Thu, 4 Apr 2002 22:16:07 -0800


At 0:37 -0500 4/5/2002, Dale Newfield wrote:
>So instead of sending the token in the Subject: line of the message,
>it's sent in the subject line in a mailto link.
>(like so: <mailto:mylist-admin@list.host?subject=TOKEN>)
>
>I still use pine, and even it is able to "do the right thing"(tm) with
>that...

It's probably too early to rely on the ?subject=blah extension to mailto.

I believe all the mail clients that I have "attached" to mailto understand
about the ?subject=... extension to mailto.  (It's hard to be sure...more
often than not, I don't use the mailto link but copy the address, instead,
and paste it into the mail program which has the account I want to send
from.)

But what about all those people who haven't upgraded anything since they
took the machine out of the box in 1997?  Does Outlook Express of that era
understand it (if they haven't upgraded anything, they're using Outlook
Express)?  (A 1997 Mac would be using Claris Emailer, which I don't think
does understand the subject extension to mailto.  But the number of those
is small.)

These are the people most likely to be troubled by following the
instructions ("click this thing") and having it not work.

  --John
-- 
John Baxter   jwblist@olympus.net      Port Ludlow, WA, USA
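The mechanism discussed in this thread (a confirmation token carried in the `?subject=` part of a mailto link, then read back from the Subject: of the reply), as an added example that is not from the thread or from Mailman's own code. The list address and token are constructed placeholders; the round-trip shows the percent-encoding the link needs and how the receiving side can tolerate "Re:" prefixes while treating a missing subject, the failure mode John describes, as "no token".

```python
"""Added example: build and parse a mailto confirmation link whose token
rides in ?subject=, and recover the token from the reply's Subject: header."""
import hmac
import re
from typing import Optional
from urllib.parse import quote, urlsplit, parse_qs

# Constructed placeholders for the example; not real list data.
LIST_ADMIN = "mylist-admin@list.host"
EXAMPLE_TOKEN = "7f3a9c0e12d4b5a6"

# Reply prefixes that mail clients commonly prepend to the subject.
_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fwd?|aw|wg)\s*:\s*)+", re.IGNORECASE)


def build_confirm_mailto(address: str, token: str) -> str:
    """Return a mailto: URL (RFC 2368 style) with the token as the subject.
    The token is percent-encoded so '&', '?' or spaces cannot break the query."""
    return f"mailto:{address}?subject={quote(token, safe='')}"


def subject_from_mailto(url: str) -> Optional[str]:
    """What a conforming client does: pull the decoded subject out of the link.
    Returns None when the link carries no subject at all."""
    parts = urlsplit(url)
    if parts.scheme != "mailto":
        return None
    values = parse_qs(parts.query).get("subject")
    return values[0] if values else None


def extract_token(subject: Optional[str], expected: str) -> Optional[str]:
    """Server side: return the token from the reply's Subject: if it matches
    the one we issued, else None (covers clients that dropped the subject).
    hmac.compare_digest keeps the comparison constant-time."""
    if not subject:
        return None
    candidate = _PREFIX_RE.sub("", subject).strip()
    if hmac.compare_digest(candidate.encode(), expected.encode()):
        return candidate
    return None


if __name__ == "__main__":
    link = build_confirm_mailto(LIST_ADMIN, EXAMPLE_TOKEN)
    print(link)
    print(extract_token("Re: " + subject_from_mailto(link), EXAMPLE_TOKEN))
```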