mhonarc-dev

[Bug #373] Non-HTML data looking like URLs can be modified.

2002-07-26 12:41:47

=================== BUG #373: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=373&group_id=1968

Changes by: Earl Hood <earl(_at_)earlhood(_dot_)com>
Date: 2002-Jul-26 14:41 (US/Central)

            What     | Removed                   | Added
---------------------------------------------------------------------------
          Resolution | None                      | Wont Fix
              Status | Open                      | Closed


------------------ Additional Follow-up Comments ----------------------------
I plan to never fix this since security is more important.
I also think that it is not worth the performance hit to do
full HTML parsing to fix the problem.

If someone ends up contributing a filter that does full
parsing and other snazzy stuff, I have no objections to
including it in the MHonArc distribution.



=================== BUG #373: FULL BUG SNAPSHOT ===================


Submitted by: ehood                     Project: MHonArc                        
Submitted on: 2002-May-10 00:18
Category:  MIME Filter                  Severity:  1 - Ordinary                 
Bug Group:  Undesired Behavior          Resolution:  Wont Fix                   
Assigned to:  ehood                     Status:  Closed                         
Platform Version:  All                  Effort:  0.00                           
Component Version:                      Fixed Release:                          

Summary:  Non-HTML data looking like URLs can be modified.

Original Submission:  Non-HTML tag data that matches image/auto-loaded 
attribute strings (e.g., src="...") can be modified during CID URL resolution or 
URL rewriting during base href resolution within the mhtxthtml.pl filter.

A complete solution would require full HTML parsing, but this would incur a 
performance penalty. The current set of regular expressions is intended to 
deal with security issues but minimize any performance penalties. Unclear if 
the existing HTML filter should be modified or if a separate, more robust filter 
can be created, allowing users to choose which one they want. Contributors 
welcome for developing a robust HTML filter.


Follow-up Comments
*******************

-------------------------------------------------------
Date: 2002-Jul-26 14:41             By: ehood
I plan to never fix this since security is more important.
I also think that it is not worth the performance hit to do
full HTML parsing to fix the problem.

If someone ends up contributing a filter that does full
parsing and other snazzy stuff, I have no objections to
including it in the MHonArc distribution.




No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=373&group_id=1968
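
The behaviour described in the original submission, shown as an added example in Python (not MHonArc's Perl code, and not the actual expressions in mhtxthtml.pl): one pattern applied to the whole document also rewrites body text that merely looks like an attribute, while the same pattern confined to parsed start tags does not. The pattern, the CID map and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed mapping from Content-ID to archived attachment file name.
CID_MAP = {"logo@example.invalid": "png00001.png"}
# Simplified stand-in for a pattern matching an auto-loaded attribute.
SRC_CID = re.compile(r'''(\bsrc\s*=\s*)(["'])cid:([^"']+)\2''', re.I)

def _resolve(m):
    target = CID_MAP.get(m.group(3))
    if target is None:
        return m.group(0)  # unknown Content-ID: leave the text untouched
    return f"{m.group(1)}{m.group(2)}{target}{m.group(2)}"

def rewrite_regex_only(html):
    """Apply the pattern to the whole document, inside a tag or not."""
    return SRC_CID.sub(_resolve, html)

class TagOnlyRewriter(HTMLParser):
    """Re-emit the input, rewriting only inside start tags (PIs are dropped)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        self.out.append(SRC_CID.sub(_resolve, self.get_starttag_text()))
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> is emitted once
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)  # body text passes through unmodified
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def rewrite_tags_only(html):
    parser = TagOnlyRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed message body: the first src="..." is text, the second is a tag.
SAMPLE = ('<p>Write src="cid:logo@example.invalid" in the tag:</p>'
          '<img src="cid:logo@example.invalid" alt="logo">')
```

The tag-aware version pays for a full tokenizing pass over every message, which is the performance cost the report weighs against the cosmetic damage of the regex-only approach.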
