I'm definitely in favor of, by default, disabling anything that
causes automatic external data fetches to sites I might be
unaware of!
Bob
On Sun, 27 May 2018 10:15:29 -0400 Ken Hornstein <kenh@pobox.com> sez:
I don't know. History, probably.
We used to assume everyone played nice.
nmh-access-{ftp,url} were added less than 4 years ago. Ken,
should we revisit? I don't have strong feelings, the only
messages I've received that use it are from you and Ralph.
So, I read Anthony's email, and while I don't agree with all of
his concerns I do understand where he is coming from.
My reading of the historical MH code is that it would always
try to fetch external-body content. But ... the assumption in
MH 6.8 was that MIME content was rare and presumably a human
would look at it before they would run "mhn". The
external-body methods supported in MH 6.8 were "afs",
"anon-ftp", "ftp", "local-file", and "mail-server". I think
"ftp", "anon-ftp", and "mail-server" probably were at a similar
level of danger to "url" today.
Thinking about the history ... along the way we moved towards
always parsing MIME messages (because most messages nowadays
are), which meant that external-body content would always be
displayed (BTW, "turns out "mhn-access-ftp" was supported even
back in MH 6.8). I added the URL support and my motivation
there was really just updating the MIME support to more modern
stuff, I went along with how the ftp support worked and didn't
think about the larger concerns.
I think maybe the smartest thing to do would be to default to
NOT displaying any external content in nmh when viewing content
with show(1)/mhshow(1), but instead just show the MIME
paramters to the user. Then a user could chose to display that
with -showexternal (or whatever). A more trusting user could
add -showexternal to their profile. That might have to wait a
while, though. Thoughts?
--Ken
--
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
--
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers