Re: [PATCH] Attachments in mailto: URLs



On 11/05/2006 02:48:40 PM Sun, Johan Brannlund wrote:
[ snip ]
Here's a link to a related advisory for Outlook:

http://secunia.com/advisories/19819/

...and I'd hate to see Linux apps, esp. Balsa, showing up in advisories like that! Thanks for the link.

Perhaps Balsa should just pop up the attach-file dialog with the target file pre-selected, so that the user has to verify that it's OK to send.

What if there are multiple attachments?

Depends on how it's implemented--most likely, you deal with one dialog, then the next pops up, etc. Alternatively, Balsa could check to see if all attachments are in the same directory, and offer one dialog with them all preselected--just a little more work--patches always welcome!

I'm still not convinced that the issue is worth worrying about, but I
can think of a few other ways of mitigating the problem:

1. Only allow automatic attachment of files in ~ and /tmp.

Yes, any other file would deserve a LOUD warning. Also any path with a component beginning with "." (might be a config file/directory) and any path containing "../".

2. Detect if Balsa is launched from a web browser (is this possible?) and not allow any automatic attachments in that case.

I don't know if Balsa can detect that. Also, it might be too draconian--not all websites are malicious.

To my mind, one "OK" click from the user, meaning "Yes, I approve sending this/these files", isn't too much to ask for.

Peter
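
The path checks discussed in this message (files under ~ and /tmp get an ordinary confirmation; anything else, any component beginning with ".", and any "../" get a loud warning), sketched as an added example that is not part of the original message and not Balsa code. The names `attach_risk` and `classify_attachment` and the sample paths are hypothetical, and warning on relative paths is an extra assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch; not Balsa identifiers. */
enum attach_risk { ATTACH_CONFIRM, ATTACH_LOUD_WARNING };

/* True if path is dir itself or lies below it. The match must end on a
   component boundary, so "/home/alicex" is not inside "/home/alice". */
static bool under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    while (n > 1 && dir[n - 1] == '/')
        n--;                              /* ignore trailing slashes */
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* True if any component begins with '.': dotfiles, "." and "..". */
static bool has_dot_component(const char *path)
{
    for (const char *p = path; *p; p++)
        if (*p == '.' && (p == path || p[-1] == '/'))
            return true;
    return false;
}

/* Lexical check only: symlinks are not resolved here. Either result still
   needs the user's OK; the second one calls for the loud warning. */
enum attach_risk classify_attachment(const char *path, const char *home)
{
    if (path == NULL || path[0] != '/')   /* assumption: relative => warn */
        return ATTACH_LOUD_WARNING;
    if (has_dot_component(path))          /* ".ssh", "../", "./" */
        return ATTACH_LOUD_WARNING;
    if (home != NULL && home[0] == '/' && under_dir(path, home))
        return ATTACH_CONFIRM;
    return under_dir(path, "/tmp") ? ATTACH_CONFIRM : ATTACH_LOUD_WARNING;
}

int main(void)
{
    /* Constructed sample paths, as a mailto: attach parameter might carry. */
    const char *samples[] = { "/home/alice/report.txt",
                              "/home/alice/.ssh/id_rsa", "/etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s %s\n", samples[i],
               classify_attachment(samples[i], "/home/alice") == ATTACH_CONFIRM
                   ? "confirm" : "LOUD WARNING");
    return 0;
}
```

Because the check is purely textual, a symlink inside ~ or /tmp that points elsewhere would pass it; resolving the path with `realpath()` before classifying closes that gap.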


