Re: Eudora 3.0 for PC and MHonArc

1998-09-26 01:46:49
On Fri, 25 Sep 1998, Earl Hood wrote:

On September 25, 1998 at 14:03, "John R. LoVerso" wrote:

Being that 2.3 supports it, can't you just make "usenameext" the default
option for the application/octet-stream filter?  This is much more likely
to stop this question from being asked over and over than ho

No, it will never be the default.  "usenameext" opens create a security
hole.  For example, I can send a message with a filename of ".htpasswd".

Sorry to write a "me too" message.  But this point is extremely important.
Email systems that use the file name to transmit or receive info about the
content are very very broken.  They fail to understand how and why the
MIME standards divide responsiblity between sender and recipient.

The sender is responsible for providing content-type information.  It may
base its choice on the extension or on magic or on whatever.  That is its
choice.  But a file with a name ending in .doc may be an RTF file on some
systems, it may be an MS-Word file on other systems, and it may be
formatted ASCII text on other systems.  MIME is designed to allow
different systems their freedom in this regard, and even to allow systems
that don't have file names at all.

Maybe on my webserver, I use .msword for application/msword files, and
.doc for text/plain.  I certainly don't want to use the senders file
name convention which may be different from mine.

And the security issue of letting the sender determine the file name
something should be saved as on my system is extremely serious.

The sender has the responsibility to tell me the contest-type as
the content-type.  If they persistently don't then their mailer is broken.
If the recipient system tries to guess based on file name, it is just
encouraging broken systems.


Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
 Cranfield Computer Centre      FAX         751 814
Relativism is the triumph of authority over truth, convention over justice.