mhonarc-dev

Re: [Bug #2051] Query string including 'action=' not handled properly

2002-12-29 09:21:48
On December 29, 2002 at 00:21, Gunnar Hjalmarsson wrote:

  Content-Type: multipart/mixed; boundary="XXXXX"

  --XXXXX
  Content-Type: text/html

  <img
  --XXXXX
  Content-Type: text/html

  src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png";>
  --XXXXX--

The final HTML message page will contain the following:

  <img src="http://www.mhonarc.org/MHonArc/logo/mhastampw_t.png";>

I.e., an auto-loaded URL got by the filtering.

I tested the above, and it got by the filtering also with the original 
code. Would suggest that you take a closer look at it.

Can you provide your test case?  The above did get filtered from my
tests.  Of course, if allownoncidurls is in effect, the above
will pass through.

I am reluctant to loosen up the filtering code at this time due to
XSS issues since I am not confident that any kind of loosening cannot
be exploited.

Okay, I respect that, and I admit that the example I posted in the bug 
isn't very common...  I'll refrain from further suggestions for a while. ;-)

Suggestions are always good along with others examining the code.

The limitation you cite has been brought up before by a different user
a long time ago.  Since the best solution would require real HTML
parsing, dealing with the limitation has been a back burner item.
It is a limitation that I would like to address at some time since
valid content data can be "magically" deleted.  For example, say you
included some sample code in your message that includes strings like

  src="..."

the text will be removed since the filtering does not discriminate
what is and is not in a tag.  The example you provided, "action=",
is more complex since it requires knowing context within a tag:
an attribute name vs an attribute value.

Due to the inherent security problems with HTML in email, keeping
the limitation around may encourage users to exclude HTML mail from
their archives :-)

The limitation is probably worth noting in the documentation.

--ewh

P.S. If people want fonts and all that jazz in their messages, the
text/enriched media-type has existed for a long time, and it does
not introduce the security problems that text/html does.
