Re: [Evolution-hackers] CVE-2011-3201 Issue in evolution
- From: Matthew Barnes <mbarnes redhat com>
- To: Vibha Yadav <yvibha suse com>
- Cc: evolution-hackers gnome org
- Subject: Re: [Evolution-hackers] CVE-2011-3201 Issue in evolution
- Date: Mon, 12 Sep 2011 09:17:57 -0400
On Mon, 2011-09-12 at 00:40 -0600, Vibha Yadav wrote:
> I have following list of files to be blacklisted:
I know we discussed this already, but just to clarify for others: the
blacklist only applies to "attach" parameters in mailto: URLs. You can
still attach any file manually in the composer window.
I think instead of the blacklist consisting entirely of individual file
names, which we'll constantly have to amend, you can eliminate most of
these and be pretty darn future-proof by applying the following rules:
- No hidden files (e.g. ".foo").
- No files in hidden directories (e.g. ".secret/foo").
- No files under /etc.
- No files with ".." as a path component.
That leaves only a few individual files in the blacklist, which we can
amend as needed.
When eliminating a file attachment in a mailto: URL, print a message to
the terminal stating so -- "suspicious attachment $FILENAME was removed
for security" -- or something thereabouts.
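The four path rules above, plus the short per-file blacklist, as an added C example (not Evolution's own code): it assumes the "attach" value has already been URL-decoded into a plain path, and the single blacklist entry is a constructed placeholder since the actual list is not on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for the short per-file blacklist the mail
 * mentions; the real entries are not part of this page. */
static const char *const explicit_blacklist[] = {
    "/home/example/constructed-placeholder.txt",
    NULL
};

/* Returns true if PATH, taken from a mailto: "attach" parameter, passes
 * the rules: no hidden files, no hidden directory components, nothing
 * under /etc, no ".." component, and not on the explicit blacklist. */
bool mailto_attachment_allowed(const char *path)
{
    const char *p;

    if (path == NULL || *path == '\0')
        return false;

    /* Rule: no files under /etc (exactly "/etc" or anything below it). */
    if (strcmp(path, "/etc") == 0 || strncmp(path, "/etc/", 5) == 0)
        return false;

    /* Walk each '/'-separated component. A component that starts with '.'
     * and is not exactly "." is a hidden file, a hidden directory or "..". */
    p = path;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");
        if (len > 1 && p[0] == '.')
            return false;
        p += len;
        while (*p == '/')
            p++;
    }

    for (int i = 0; explicit_blacklist[i] != NULL; i++)
        if (strcmp(path, explicit_blacklist[i]) == 0)
            return false;

    return true;
}

/* Applies the check and prints the terminal message the mail suggests
 * when an attachment is dropped; returns whether it was kept. */
bool filter_mailto_attachment(const char *path)
{
    if (mailto_attachment_allowed(path))
        return true;
    fprintf(stderr, "suspicious attachment %s was removed for security\n", path);
    return false;
}
```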