Re: Eudora 3.0 for PC and MHonArc

1998-09-25 16:30:34
On September 25, 1998 at 16:26, "John R. LoVerso" wrote:

> > No, it will never be the default.  "usenameext" opens a security
> > hole.  For example, I can send a message with a filename of ".htpasswd".
>
> Not "usename", but "usenameext".  If you send such a filename, won't
> MHonArc just create the file called "bin00001.htpasswd"?

Actually: "htp00001.htpasswd".  The prefix is derived from the extension.

Hmmm, cannot think of any security problems off-hand.  You still have a
problem with extension ambiguity and content-type vs extension
conflicts.  I.e., there is no way to guarantee that the extension
provided matches the supplied content-type.  For example, content-type
equals application/postscript but the filename given is "file.doc".  Or
more likely, text/plain with a filename of "title.doc".  Plus, not
everyone/system uses extensions.

It is trivial for people to add "usenameext" if they want it.  Keying
off the content-type is the proper way to do things.  Deviations should
not be the default, and should only occur if the user requests it.
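
The naming behaviour discussed in this thread, as an added example that is not part of the original message and is not MHonArc's code: attachment names are generated from the content-type by default, and the sender's extension is used only on request. The content-type table, the `bin` fallback, the counter format and the function names are assumptions modelled on the single name "htp00001.htpasswd" given above.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread): two attachments whose
# sender-supplied filenames are hostile or disagree with the content-type.
RAW = """\
From: a@example.org
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=".htpasswd"

user:hash
--b
Content-Type: text/plain
Content-Disposition: attachment; filename="title.doc"

hello
--b--
"""

# Assumed content-type -> extension table; a real archiver has a longer one.
CTYPE_EXT = {"text/plain": "txt", "application/postscript": "ps"}

def archive_name(part, counter, use_name_ext=False):
    """Return a generated filename; the sender's base name is never used."""
    ext = CTYPE_EXT.get(part.get_content_type(), "bin")
    if use_name_ext:
        # Opt-in: keep only the sender's extension, restricted to [A-Za-z0-9].
        _, dot, supplied = (part.get_filename() or "").rpartition(".")
        if dot and re.fullmatch(r"[A-Za-z0-9]{1,10}", supplied):
            ext = supplied.lower()
    # Prefix from the extension plus a counter, as in "htp00001.htpasswd".
    return f"{ext[:3]}{counter:05d}.{ext}"

def name_attachments(raw, use_name_ext=False):
    """Name every attachment in a raw message under the chosen policy."""
    msg = message_from_string(raw)
    parts = [p for p in msg.walk() if p.get_filename()]
    return [archive_name(p, i, use_name_ext) for i, p in enumerate(parts, 1)]

if __name__ == "__main__":
    print(name_attachments(RAW))                     # keyed off content-type
    print(name_attachments(RAW, use_name_ext=True))  # extension from sender
```

With the opt-in policy the text/plain part is stored with a `.doc` extension, which is the content-type versus extension conflict described above.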


