[Mailman-Users] digest mode links

Mark Sapiro mark at msapiro.net
Sun Feb 28 23:59:05 CET 2010


LuKreme wrote:

>On 28-Feb-10 11:03, Mark Sapiro wrote:
>> SCRUBBER_USE_ATTACHMENT_FILENAME_EXTENSION = True
>
>Would that be considered unsafe?
>
>I mean, it SEEMS unsafe, but is it really?


It could be. Suppose I send a message to your list with an attached
evil_app.exe file that I call Content-Type: text/plain without a
charset. This file now gets scrubbed, stored on your server and is
accessible in your archives as a .exe file, so if someone retrieves it
and tries to open it, it will open as an executable.

If it were stored with an appropriate extension for its MIME type,
attempting to open it would probably try to open it with a text viewer
and just display garbage.

On the other hand, if you don't scrub_nondigest, it was already
delivered to your list's message and MIME digest members with its
original file name and extension, and this has no effect on that, and
that's probably the more serious risk.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
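
The two naming policies discussed in the message above, as an added example that is not part of the original post and is not Mailman's Scrubber code: it parses a constructed message and reports which extension each policy would store, flagging parts whose file name disagrees with the declared MIME type. The names stored_extension, audit and TYPE_EXT, the extension table and the sample message are assumptions made for this sketch.

```python
import os
from email import message_from_string

# Assumed MIME-type -> extension table for this sketch (not Mailman's own).
TYPE_EXT = {"text/plain": ".txt", "text/html": ".html",
            "image/png": ".png", "application/pdf": ".pdf"}

# Constructed sample: executable file name, declared text/plain, no charset.
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

See attached.
--XX
Content-Type: text/plain
Content-Disposition: attachment; filename="evil_app.exe"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

def stored_extension(part, use_filename_extension):
    """Extension an archive would give the saved part under each policy."""
    declared = TYPE_EXT.get(part.get_content_type(), ".bin")
    if use_filename_extension:
        # Trust the sender-supplied name; fall back to the type if it has none.
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        return ext or declared
    return declared

def audit(raw):
    """Return (filename, declared type, ext by name, ext by type, mismatch)."""
    rows = []
    for part in message_from_string(raw).walk():
        if part.is_multipart() or not part.get_filename():
            continue  # only named attachments are of interest here
        by_name = stored_extension(part, True)
        by_type = stored_extension(part, False)
        rows.append((part.get_filename(), part.get_content_type(),
                     by_name, by_type, by_name != by_type))
    return rows

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A row with the mismatch flag set is an attachment that would be archived under a sender-chosen extension its declared type does not support.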


