Re: Sieve notify options and escaping

2007-04-10 09:48:55

On Mon, 2007-04-09 at 20:20 +0100, Alexey Melnikov wrote:
Aaron Stone wrote:
So a user can supply a variable that expands into valid options or url
syntax. I do think we have to prevent this.

New ":urlencode" modifier to the set action?

what document should add such a modifier?

I'd like to note that it is possible to do this securely, although it's
not convenient.  e.g.

   if string :matches "${var}" "*&*" {
       set "var" "${1}%26${2}";

no, scratch that, we don't have recursion or other looping, so it won't
work for values containing two ampersands.  it would be tempting to add
a replace action:

  replace "var" "&" "%26";

we could allow MATCH-TYPE for more advanced replacements, e.g.

  replace :matches "var" "\\?" "${1}";

would replace a backslash followed by an arbitrary character by that
arbitrary character.

I don't have a real use case for this, so please feel free to disregard
the suggestion.

getting back to the issue at hand, I think it would be better to extend
the size of the notify namespace.  we could have

${notify.quote.subject}  (turn «hey "you"» into «"hey \"you\""»)
${notify.urlencode.subject}  (turn above string into «hey%20"you"»)
${notify.plain.subject}  (verbatim value)

we could also turn the order around, e.g.


which allows us to choose one of them as a "default" when the user
writes just ${notify.subject}.

Kjetil T.
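
The following Python sketch is an added illustration, not part of the original message or of any Sieve implementation. It shows the problem the thread describes for a mailto: notify method: a verbatim variable adds header fields, a single `*&*` pass still leaves the second ampersand, and full percent-encoding keeps the value inside the subject. The address, the variable value and all function names are constructed for the example.

```python
from urllib.parse import parse_qsl, quote

ADDR = "ops@example.org"  # constructed recipient
# Constructed value of a user-controlled variable containing two ampersands.
SUBJECT = "lunch&cc=third@example.net&bcc=fourth@example.net"


def build_mailto(addr: str, subject: str) -> str:
    """Expand a variable into the URI the way "mailto:...?subject=${var}" would."""
    return f"mailto:{addr}?subject={subject}"


def notify_headers(uri: str) -> list:
    """Return the (name, value) header fields a mailto: consumer reads from the URI."""
    _, _, query = uri.partition("?")
    return parse_qsl(query, keep_blank_values=True)


def replace_one_ampersand(value: str) -> str:
    """One pass of: if string :matches "${var}" "*&*" { set "var" "${1}%26${2}"; }"""
    head, sep, tail = value.partition("&")
    return f"{head}%26{tail}" if sep else value


def urlencode(value: str) -> str:
    """Percent-encode every reserved character (assumed ":urlencode" behaviour)."""
    return quote(value, safe="")


def header_names(subject: str) -> list:
    """Names of the header fields that result from expanding this subject value."""
    return [name for name, _ in notify_headers(build_mailto(ADDR, subject))]


if __name__ == "__main__":
    for label, value in [
        ("verbatim", SUBJECT),
        ("one :matches pass", replace_one_ampersand(SUBJECT)),
        ("fully encoded", urlencode(SUBJECT)),
    ]:
        print(f"{label:18} -> {header_names(value)}")
```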
