mhonarc-commits

CVS: mhonarc/MHonArc/doc/faq faq.html,1.27,1.28 security.html,1.4,1.5

2003-01-01 22:46:13
Update of /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq
In directory subversions:/tmp/cvs-serv32717/doc/faq

Modified Files:
	faq.html security.html 
Log Message:
* Some doc updates and fixes.


Index: faq.html
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq/faq.html,v
retrieving revision 1.27
retrieving revision 1.28
diff -C2 -r1.27 -r1.28
*** faq.html	18 Dec 2002 05:55:21 -0000	1.27
--- faq.html	2 Jan 2003 05:46:01 -0000	1.28
***************
*** 164,167 ****
--- 164,168 ----
  <li><a name="mhonarc_db" href="security.html#mhonarc_db">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>
  <li><a name="htmldata" href="security.html#htmldata">Why are HTML messages a security risk?</a></li>
+ <li><a name="htmlexchow" href="security.html#htmlexchow">So how can I exclude HTML mail?</a></li>
  <li><a name="attachments" href="security.html#attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></li>
  <li><a name="suid" href="security.html#suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></li>

Index: security.html
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq/security.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -r1.4 -r1.5
*** security.html	18 Dec 2002 05:55:21 -0000	1.4
--- security.html	2 Jan 2003 05:46:01 -0000	1.5
***************
*** 20,23 ****
--- 20,24 ----
  <li><a href="#mhonarc_db">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>
  <li><a href="#htmldata">Why are HTML messages a security risk?</a></li>
+ <li><a href="#htmlexchow">So how can I exclude HTML mail?</a></li>
  <li><a href="#attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></li>
  <li><a href="#suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></li>
***************
*** 86,90 ****
  </p>
  
! <p>Practically, all web servers provide the ability deny access
  to files.  Refer to your web server's documentation for the specifies.
  If you are using the <a href="http://httpd.apache.org/";>Apache HTTP server</a>,
--- 87,116 ----
  </p>
  
! <p>There are multiple solutions to preventing access to database
! files:
! </p>
! 
! <ul>
! <li><p>In v2.6, and later, the
! <a href="../resources/dbfileperms.html">DBFILEPERMS</a> resource
! exists to control the file permissions of the database file.  By default,
! the resource is set to a value that denies world read access.  If the
! archive files are owned by a different user ID than the web server
! process (which is normally the case), then access to database files
! will be denied.
! </p>
! <table class="note" width="100%">
! <tr valign="baseline">
! <td><strong>NOTE:</strong></td>
! <td width="100%"><p>DBFILEPERMS is applicable to Unix-based systems.
! Therefore, if using a different operating system, you may have to
! use one of the other solutions to deny access.
! </p>
! </td>
! </tr>
! </table>
! </li>
! 
! <li><p>Practically, all web servers provide the ability deny access
  to files.  Refer to your web server's documentation for the specifies.
  If you are using the <a href="http://httpd.apache.org/";>Apache HTTP server</a>,
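Review bot: In the new DBFILEPERMS item, the claim "If the archive files are owned by a different user ID than the web server process ... then access to database files will be denied" only follows when the web server process is also outside the file's group, or group read is denied as well; the text states only that the default denies world read access. Suggest stating the group condition, or the default mode, explicitly. While this paragraph is being rewritten, "the ability deny access" is missing "to", and "specifies" on the following context line should read "specifics".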
***************
*** 106,115 ****
  the actual archive associated with database file.
  </p>
  
! <p>An alternative to a web server-based solution, you can use the
! <a href="../resources/dbfile.html">DBFILE</a> resource to place the database file in a non-web server
! accessible location by specifying a full pathname of the database file
! to use. </p>
! 
  <table class="note" width="100%">
  <tr valign="baseline">
--- 132,141 ----
  the actual archive associated with database file.
  </p>
+ </li>
  
! <li><p><a href="../resources/dbfile.html">DBFILE</a> resource can
! be set to a full pathname that is in a non-web server
! accessible location.
! </p>
  <table class="note" width="100%">
  <tr valign="baseline">
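Review bot: The rewritten DBFILE item opens without an article, and "non-web server accessible location" is hard to parse. Suggest wording such as "The DBFILE resource can be set to a full pathname in a location the web server cannot serve."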
***************
*** 122,125 ****
--- 148,154 ----
  </tr>
  </table>
+ </li>
+ 
+ </ul>
  
  <!-- ??????????????????????????????????????????????????????????????? -->
***************
*** 165,170 ****
  minimize security exploits.  Check the document for full details.
  The general recommendation for the security conscience is to exclude
! any HTML message data via the <a href="../resources/mimeexcs.html">MIMEEXCS</a> resource, especially
! for publicly accessible archives.  </p>
  
  <!-- ??????????????????????????????????????????????????????????????? -->
--- 194,242 ----
  minimize security exploits.  Check the document for full details.
  The general recommendation for the security conscience is to exclude
! any HTML message data (see <a href="#htmlexchow">next question</a>).
! 
! <!-- ??????????????????????????????????????????????????????????????? -->
! <hr noshade size=1>
! <table border=0>
! <tr valign=top><td><img src="monicon.png" align="bottom" alt=""></td><td>
! <h3><b><a name="htmlexchow">So how can I exclude HTML mail?</a></b></h3>
! </td></tr></table>
! 
! <p>The quickest method is
! via the <a href="../resources/mimeexcs.html">MIMEEXCS</a> resource:
! <p>
! <pre class="code">
! <b>&lt;MIMEExcs&gt;</b>
! text/html
! text/x-html
! <b>&lt;/MIMEExcs&gt;</b>
! </pre>
! 
! <p>Unfortunately, for messages that contain only HTML data, the
! entire message body will be excluded.  Therefore, you may still
! want to show the data, but have it so the HTML markup is completely
! neutralized.  The following resource settings will neutralize the
! dangers of HTML messages without excluding message data:
! </p>
! 
! <pre class="code">
! &lt;!-- It is common for popular MUA's to provide a text/plain version
!      of the text/html version of a message body.  Therefore, we
!      use MIMEALTPREFS to choose the text/plain version if available.
!   --&gt;
! <b><a href="../resources/mimealtprefs.html">&lt;MimeAltPrefs&gt;</a></b>
! text/plain
! text/html
! <b>&lt;/MimeAltPrefs&gt;</b>
! 
! &lt;!-- For messages that do not have a text/plain alternative, we
!      treat HTML data as text/plain so the content is not lost, but
!      HTML markup is escaped and neutralized.
!   --&gt;
! <b><a href="../resources/mimefilters.html">&lt;MIMEFilters&gt;</a></b>
! text/html;   m2h_text_plain::filter; mhtxtplain.pl
! text/x-html; m2h_text_plain::filter; mhtxtplain.pl
! <b>&lt;/MIMEFilters&gt;</b>
! </pre>
  
  <!-- ??????????????????????????????????????????????????????????????? -->
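Review bot: In the new "So how can I exclude HTML mail?" section, the line after "via the MIMEEXCS resource:" is an opening "<p>" where a closing "</p>" is intended, and the rewritten paragraph ending "(see next question)." no longer has the "</p>" the old text had, so both paragraphs are left unclosed ahead of the <pre> and <hr> elements. The rewrite also drops "especially for publicly accessible archives" from the recommendation; if that was not intended, keep the qualifier. Minor: "security conscience" on the context line should be "security conscious", and "MUA's" in the resource comment should be "MUAs".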
