Update of /cvsroot/mhonarc/mharc/cgi-bin
In directory subversions:/tmp/cvs-serv6214/cgi-bin
Modified Files:
extract-mesg.cgi.in.dist
Log Message:
* cgi-bin/extract-mesg.cgi.in.dist:
. Changed returned media-type from message/rfc822 to text/plain.
message/rfc822 is nice since some browsers can render it directly,
but it does open potential XSS HTML email attacks.
IMPORTANT NOTE: Users upgrading are encouraged to delete
"cgi-bin/extract-mesg.cgi.in" and run 'make
configure' after extracting this release. If you
really want the message/rfc822 behavior, you can
edit "cgi-bin/extract-mesg.cgi.in" and redefine
the $message_media_type variable.
* etc/apache.conf.in.dist:
. Security related comments added. Users are encouraged to read
if using etc/apache.conf.
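As an added illustration of the hardening this commit makes configurable (example code, not from the mharc project), a variant of print_content_type that refuses to emit anything but the two media types the commit discusses and adds headers that keep browsers from reinterpreting the raw message; the allow-list, the fallback and the extra headers are assumptions of this example, not mharc's own behaviour.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Configured value, as in the patched config section of extract-mesg.cgi.
my $message_media_type = 'text/plain';

# Media types this script is willing to emit for a raw mail message.
# (Assumed allow-list; the project itself only defines the variable.)
my %allowed_media_type = map { $_ => 1 } ('text/plain', 'message/rfc822');

sub print_content_type {
    my ($type) = @_;
    # Fall back to the safe default if the configured value is not on the
    # list, so a typo such as 'text/html' cannot reintroduce HTML rendering
    # of untrusted archived mail.
    $type = 'text/plain' unless $allowed_media_type{$type};
    print STDOUT "Content-Type: $type\r\n";
    # Ask the browser not to sniff the body into a different type.
    print STDOUT "X-Content-Type-Options: nosniff\r\n";
    # When rfc822 is deliberately enabled, hand the message to the client
    # as a download instead of letting the browser render it inline.
    print STDOUT "Content-Disposition: attachment; filename=\"message.eml\"\r\n"
        if $type eq 'message/rfc822';
    print STDOUT "\r\n";
    return $type;    # the media type actually emitted
}

print_content_type($message_media_type);
```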
Index: extract-mesg.cgi.in.dist
===================================================================
RCS file: /cvsroot/mhonarc/mharc/cgi-bin/extract-mesg.cgi.in.dist,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -r1.1 -r1.2
*** extract-mesg.cgi.in.dist 23 Jul 2002 04:00:22 -0000 1.1
--- extract-mesg.cgi.in.dist 31 Jul 2002 04:53:21 -0000 1.2
***************
*** 39,42 ****
--- 39,48 ----
my $mbox_archive_root = '@@MBOX_DIR@@';
+ ## Message media-type: This is the media-type this script will return
+ ## to the client when serving up the raw mail message. Note, some
+ ## browsers actually support message/rfc822, but this could potentially
+ ## cause XSS HTML email attacks, so use with caution.
+ my $message_media_type = 'text/plain';
+
#############################################################################
## END: Config Section
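Review bot: the new comment at lines 39-42 says message/rfc822 "could potentially cause XSS HTML email attacks" but never states which value is the safe one or why; since this is the knob an administrator will flip, say plainly that text/plain is the hardened default and that message/rfc822 lets the browser render HTML parts of untrusted archived mail inline, e.g. "## text/plain is the safe default; only use message/rfc822 if you accept that browsers may render HTML mail from the archive."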
***************
*** 141,145 ****
}
! print_content_type('message/rfc822');
print STDOUT $cache;
while (<MBOX>) {
--- 147,151 ----
}
! print_content_type($message_media_type);
print STDOUT $cache;
while (<MBOX>) {
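Review bot: line 147 now passes whatever $message_media_type holds straight to print_content_type, so the Content-Type header is the only thing standing between the raw mbox bytes printed at line 148 and the browser's HTML engine, and a mistyped config value ('text/html', or an empty string) silently reopens the problem the commit closes. Suggest validating the variable against the two intended values before this call and falling back to 'text/plain', and, if print_content_type emits headers itself, adding X-Content-Type-Options: nosniff so the text/plain choice is not overridden by content sniffing.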
---------------------------------------------------------------------
To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the
message text UNSUBSCRIBE MHONARC-DEV