Update of /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq
In directory subversions:/tmp/cvs-serv32717/doc/faq
Modified Files:
faq.html security.html
Log Message:
* Some doc updates and fixes.
Index: faq.html
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq/faq.html,v
retrieving revision 1.27
retrieving revision 1.28
diff -C2 -r1.27 -r1.28
*** faq.html 18 Dec 2002 05:55:21 -0000 1.27
--- faq.html 2 Jan 2003 05:46:01 -0000 1.28
***************
*** 164,167 ****
--- 164,168 ----
<li><a name="mhonarc_db" href="security.html#mhonarc_db">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>
<li><a name="htmldata" href="security.html#htmldata">Why are HTML messages a security risk?</a></li>
+ <li><a name="htmlexchow" href="security.html#htmlexchow">So how can I exclude HTML mail?</a></li>
<li><a name="attachments" href="security.html#attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></li>
<li><a name="suid" href="security.html#suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></li>
Index: security.html
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/doc/faq/security.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -r1.4 -r1.5
*** security.html 18 Dec 2002 05:55:21 -0000 1.4
--- security.html 2 Jan 2003 05:46:01 -0000 1.5
***************
*** 20,23 ****
--- 20,24 ----
<li><a href="#mhonarc_db">How can I prevent web access to <tt>.mhonarc.db</tt> files?</a></li>
<li><a href="#htmldata">Why are HTML messages a security risk?</a></li>
+ <li><a href="#htmlexchow">So how can I exclude HTML mail?</a></li>
<li><a href="#attachments">Why doesn't MHonArc, by default, use the specified filename when saving attachments?</a></li>
<li><a href="#suid">Is it okay to run <tt>mhonarc</tt> setuid?</a></li>
***************
*** 86,90 ****
</p>
! <p>Practically, all web servers provide the ability deny access
to files. Refer to your web server's documentation for the specifies.
If you are using the <a href="http://httpd.apache.org/">Apache HTTP server</a>,
--- 87,116 ----
</p>
! <p>There are multiple solutions to preventing access to database
! files:
! </p>
!
! <ul>
! <li><p>In v2.6, and later, the
! <a href="../resources/dbfileperms.html">DBFILEPERMS</a> resource
! exists to control the file permissions of the database file. By default,
! the resource is set to a value that denies world read access. If the
! archive files are owned by a different user ID than the web server
! process (which is normally the case), then access to database files
! will be denied.
! </p>
! <table class="note" width="100%">
! <tr valign="baseline">
! <td><strong>NOTE:</strong></td>
! <td width="100%"><p>DBFILEPERMS is applicable to Unix-based systems.
! Therefore, if using a different operating system, you may have to
! use one of the other solutions to deny access.
! </p>
! </td>
! </tr>
! </table>
! </li>
!
! <li><p>Practically, all web servers provide the ability deny access
to files. Refer to your web server's documentation for the specifies.
If you are using the <a href="http://httpd.apache.org/">Apache HTTP server</a>,
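Review bot: In the new DBFILEPERMS item, the claim that access "will be denied" whenever the archive files are owned by a different user ID than the web server process only holds if the server also has no group access. The text says only that the default denies world read access. Suggest stating what the default does for group permissions, or qualifying the sentence with "and the web server process is not in the file's group". The sentence carried into the second item still reads "provide the ability deny access" and "for the specifies"; since it is being re-wrapped in a list item anyway, fix these to "the ability to deny access" and "for the specifics".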
***************
*** 106,115 ****
the actual archive associated with database file.
</p>
! <p>An alternative to a web server-based solution, you can use the
! <a href="../resources/dbfile.html">DBFILE</a> resource to place the database file in a non-web server
! accessible location by specifying a full pathname of the database file
! to use. </p>
!
<table class="note" width="100%">
<tr valign="baseline">
--- 132,141 ----
the actual archive associated with database file.
</p>
+ </li>
! <li><p><a href="../resources/dbfile.html">DBFILE</a> resource can
! be set to a full pathname that is in a non-web server
! accessible location.
! </p>
<table class="note" width="100%">
<tr valign="baseline">
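Review bot: The rewritten DBFILE item opens without an article ("DBFILE resource can be set ...") and "non-web server accessible location" is hard to parse. Suggest "The DBFILE resource can be set to a full pathname in a location the web server cannot access."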
***************
*** 122,125 ****
--- 148,154 ----
</tr>
</table>
+ </li>
+
+ </ul>
<!-- ??????????????????????????????????????????????????????????????? -->
***************
*** 165,170 ****
minimize security exploits. Check the document for full details.
The general recommendation for the security conscience is to exclude
! any HTML message data via the <a href="../resources/mimeexcs.html">MIMEEXCS</a> resource, especially
! for publicly accessible archives. </p>
<!-- ??????????????????????????????????????????????????????????????? -->
--- 194,242 ----
minimize security exploits. Check the document for full details.
The general recommendation for the security conscience is to exclude
! any HTML message data (see <a href="#htmlexchow">next question</a>).
!
! <!-- ??????????????????????????????????????????????????????????????? -->
! <hr noshade size=1>
! <table border=0>
! <tr valign=top><td><img src="monicon.png" align="bottom" alt=""></td><td>
! <h3><b><a name="htmlexchow">So how can I exclude HTML mail?</a></b></h3>
! </td></tr></table>
!
! <p>The quickest method is
! via the <a href="../resources/mimeexcs.html">MIMEEXCS</a> resource:
! <p>
! <pre class="code">
! <b><MIMEExcs></b>
! text/html
! text/x-html
! <b></MIMEExcs></b>
! </pre>
!
! <p>Unfortunately, for messages that contain only HTML data, the
! entire message body will be excluded. Therefore, you may still
! want to show the data, but have it so the HTML markup is completely
! neutralized. The following resource settings will neutralize the
! dangers of HTML messages without excluding message data:
! </p>
!
! <pre class="code">
! <!-- It is common for popular MUA's to provide a text/plain version
! of the text/html version of a message body. Therefore, we
! use MIMEALTPREFS to choose the text/plain version if available.
! -->
! <b><a href="../resources/mimealtprefs.html"><MimeAltPrefs></a></b>
! text/plain
! text/html
! <b></MimeAltPrefs></b>
!
! <!-- For messages that do not have a text/plain alternative, we
! treat HTML data as text/plain so the content is not lost, but
! HTML markup is escaped and neutralized.
! -->
! <b><a href="../resources/mimefilters.html"><MIMEFilters></a></b>
! text/html; m2h_text_plain::filter; mhtxtplain.pl
! text/x-html; m2h_text_plain::filter; mhtxtplain.pl
! <b></MIMEFilters></b>
! </pre>
<!-- ??????????????????????????????????????????????????????????????? -->
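Review bot: The markup in the new "So how can I exclude HTML mail?" section is unbalanced in two places. The paragraph "The quickest method is via the MIMEEXCS resource:" is followed by a second opening <p> where a closing </p> is meant, and the reworded sentence ending "(see next question)." drops the </p> that the old version had after "for publicly accessible archives.", so that paragraph now runs into the <hr>. Suggest closing both paragraphs. While this sentence is being touched, "the security conscience" should read "the security conscious". The old text also recommended exclusion "especially for publicly accessible archives"; if dropping that qualifier was not intended, keep it in the new sentence.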