Re: [Bug #2051] Query string including 'action=' not handled properly

2002-12-29 09:21:48
On December 29, 2002 at 00:21, Gunnar Hjalmarsson wrote:

  Content-Type: multipart/mixed; boundary="XXXXX"

  Content-Type: text/html

  Content-Type: text/html


The final HTML message page will contain the following:

  <img src="";>

I.e., an auto-loaded URL got by the filtering.

I tested the above, and it got by the filtering also with the original 
code. Would suggest that you take a closer look at it.

Can you provide your test case?  The above did get filtered from my
tests.  Of course, if allownoncidurls is in effect, the above
will pass through.

I am reluctant to loosen up the filtering code at this time due to
XSS issues since I am not confident that any kind of loosening cannot
be exploited.

Okay, I respect that, and I admit that the example I posted in the bug 
isn't very common...  I'll refrain from further suggestions for a while. ;-)

Suggestions are always good along with others examining the code.

The limitation you cite has been brought up before by a different user
a long time ago.  Since the best solution would require real HTML
parsing, dealing with the limitation has been a back burner item.
It is a limitation that I would like to address at some time since
valid content data can be "magically" deleted.  For example, say you
included some sample code in your message that includes strings like


the text will be removed since the filtering does not discriminate
what is and is not in a tag.  The example you provided, "action=",
is more complex since it requires knowing context within a tag:
an attribute name vs an attribute value.

Due to the inherent security problems with HTML in email, keeping
the limitation around may encourage users to exclude HTML mail from
their archives :-)

The limitation is probably worth noting in the documentation.


P.S. If people want fonts and all that jazz in their messages, the
text/enriched media-type has existed for a long time, and it does
not introduce the security problems that text/html does.
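The attribute-name vs. attribute-value distinction discussed in the thread, as an added illustration (not MHonArc's own filter code): a context-free substring filter beside a minimal tag-aware one, run over a constructed message body. The allowed-URL rule (keep only cid: URLs, echoing the allownoncidurls option), the URL_ATTRS list and the sample body are assumptions made for this example, and the tokenizer is deliberately not a real HTML parser.

```python
import re

# Attribute names whose values a mail client loads or submits to on its own.
# Illustrative list for this example, not MHonArc's own table.
URL_ATTRS = {"src", "href", "action", "background"}

def _is_allowed_url(value):
    # cid: URLs refer to parts of the same message; everything else is dropped.
    return value.strip("\"'").strip().lower().startswith("cid:")

# --- 1. context-free filtering: the behaviour the thread describes ----------
_NAIVE = re.compile(
    r"\b(?:src|href|action|background)\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)", re.I)

def naive_filter(html):
    """Delete every name=value that resembles a URL attribute, wherever it
    occurs: sample code in the body and data inside other attribute values
    are hit like real attributes, and an unquoted match eats the tag."""
    return _NAIVE.sub(lambda m: m.group(0) if _is_allowed_url(m.group(1)) else "", html)

# --- 2. tag-aware filtering: attribute *names* decide, not substrings --------
_TAG = re.compile(r"<[^>]*>")      # minimal tokenizer, not a real HTML parser
_ATTR = re.compile(r"\s+([A-Za-z][\w:-]*)(?:\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+))?")

def _clean_tag(tag):
    m = re.match(r"<\s*/?[A-Za-z][\w:-]*", tag)
    if not m:
        return tag                 # comments, doctype: left as they are here
    rest = tag[m.end():-1]         # attribute list, without the closing '>'
    kept = []
    for a in _ATTR.finditer(rest):
        name, value = a.group(1).lower(), a.group(2)
        if name in URL_ATTRS and not (value and _is_allowed_url(value)):
            continue               # drop only this attribute, keep the tag
        kept.append(a.group(0))
    tail = " /" if rest.rstrip().endswith("/") else ""
    return m.group(0) + "".join(kept) + tail + ">"

def context_aware_filter(html):
    """Apply the same policy only to attributes inside tags, so text such as
    action="/post" in a <code> sample, or inside another attribute's value,
    survives while a non-cid action= attribute is still removed."""
    return _TAG.sub(lambda m: _clean_tag(m.group(0)), html)

# Constructed sample message body (not from the bug report).
SAMPLE = ('<p>Put <code>action="/post"</code> in your form tag.</p>\n'
          '<img src="cid:part1@example" alt="logo">\n'
          '<form action="http://evil.example/steal">'
          '<input name="q" value="action=x"></form>')

if __name__ == "__main__":
    print(naive_filter(SAMPLE), "\n---\n", context_aware_filter(SAMPLE))
```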

