=================== BUG #373: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=373&group_id=1968
Changes by: Earl Hood <earl(_at_)earlhood(_dot_)com>
Date: 2002-Jul-26 14:41 (US/Central)
What | Removed | Added
---------------------------------------------------------------------------
Resolution | None | Wont Fix
Status | Open | Closed
------------------ Additional Follow-up Comments ----------------------------
I plan to never fix this since security is more important.
I also think that it is not worth the performance hit to do
full HTML parsing to fix the problem.
If someone ends up contributing a filter that does full
parsing and other snazzy stuff, I have no objections to
including it in the MHonArc distribution.
=================== BUG #373: FULL BUG SNAPSHOT ===================
Submitted by:       ehood                 Project:        MHonArc
Submitted on:       2002-May-10 00:18
Category:           MIME Filter           Severity:       1 - Ordinary
Bug Group:          Undesired Behavior    Resolution:     Wont Fix
Assigned to:        ehood                 Status:         Closed
Platform Version:   All                   Effort:         0.00
Component Version:                        Fixed Release:
Summary: Non-HTML data looking like URLs can be modified.
Original Submission: Non-HTML tag data that matches image/auto-loaded
attribute strings (e.g., src="...") can be modified during CID URL resolution or
URL rewriting during base href resolution within the mhtxthtml.pl filter.
A complete solution would require full HTML parsing, but this would incur a
performance penalty. The current set of regular expressions is intended to
deal with security issues but minimize any performance penalties. It is unclear
whether the existing HTML filter should be modified or whether a separate, more
robust filter can be created, allowing users to choose which one they want.
Contributors welcome for developing a robust HTML filter.
Follow-up Comments
*******************
-------------------------------------------------------
Date: 2002-Jul-26 14:41 By: ehood
I plan to never fix this since security is more important.
I also think that it is not worth the performance hit to do
full HTML parsing to fix the problem.
If someone ends up contributing a filter that does full
parsing and other snazzy stuff, I have no objections to
including it in the MHonArc distribution.
No files currently attached
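
The behaviour described in the original submission, as an added example (Python, not MHonArc's Perl code and not part of the bug report): a pattern-only rewrite changes a src="cid:..." string that appears as message text, while restricting the same pattern to parsed start tags leaves that text alone. The regex, the CID_MAP values and the sample body are constructed for illustration and are assumptions, not the filter's actual expressions.

```python
import re
from html.parser import HTMLParser

# Constructed Content-ID -> archived-file mapping (hypothetical values).
CID_MAP = {"logo@example": "attachments/logo.png"}

# Simplified stand-in for a pattern-based rewrite; not MHonArc's actual regex.
SRC_RE = re.compile(r'''(\bsrc\s*=\s*["'])cid:([^"']+)''', re.I)

def _resolve(m):
    # Unknown Content-IDs are left untouched.
    target = CID_MAP.get(m.group(2))
    return m.group(1) + target if target else m.group(0)

def rewrite_regex(html):
    """Pattern-only rewrite: changes src="cid:..." wherever the string occurs."""
    return SRC_RE.sub(_resolve, html)

class _TagSpans(HTMLParser):
    """Record the (start, end) offsets of every real start tag."""
    def __init__(self, html):
        super().__init__()
        self.line_starts = [0] + [m.end() for m in re.finditer("\n", html)]
        self.spans = []
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        line, col = self.getpos()            # position of the tag's "<"
        start = self.line_starts[line - 1] + col
        self.spans.append((start, start + len(self.get_starttag_text())))

def rewrite_tag_aware(html):
    """Apply the same pattern, but only inside parsed start tags."""
    out, last = [], 0
    for start, end in _TagSpans(html).spans:
        out.append(html[last:start])                       # between tags: verbatim
        out.append(SRC_RE.sub(_resolve, html[start:end]))  # tag text: rewritten
        last = end
    out.append(html[last:])
    return "".join(out)

# Constructed message body: one real <img> tag and one line of quoted markup.
SAMPLE = ('<p><img src="cid:logo@example"></p>\n'
          '<pre>Embed with: src="cid:logo@example"</pre>\n')
```

The tag-aware version pays for a full parse of every message, which is the performance cost the report weighs against the pattern-only approach.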