Re: [PATCH] Attachments in mailto: URLs
- From: Peter Bloomfield <peterbloomfield bellsouth net>
- To: balsa-list gnome org
- Subject: Re: [PATCH] Attachments in mailto: URLs
- Date: Sun, 05 Nov 2006 15:21:07 -0500
On 11/05/2006 02:48:40 PM Sun, Johan Brannlund wrote:
[ snip ]
Here's a link to a related advisory for Outlook:
http://secunia.com/advisories/19819/
...and I'd hate to see Linux apps, esp. Balsa, showing up in advisories
like that! Thanks for the link.
Perhaps Balsa should just pop up the attach-file dialog with the target
file pre-selected, so that the user has to verify that it's OK to send.
What if there are multiple attachments?
Depends on how it's implemented--most likely, you deal with one dialog,
then the next pops up, etc. Alternatively, Balsa could check to see if
all attachments are in the same directory, and offer one dialog with them
all preselected--just a little more work--patches always welcome!
I'm still not convinced that the issue is worth worrying about, but I
can think of a few other ways of mitigating the problem:
1. Only allow automatic attachment of files in ~ and /tmp.
Yes, any other file would deserve a LOUD warning. Also any path with a
component beginning with "." (might be a config file/directory) and any
path containing "../".
2. Detect if Balsa is launched from a web browser (is this possible?)
and not allow any automatic attachments in that case.
I don't know if Balsa can detect that. Also, it might be too
draconian--not all websites are malicious.
To my mind, one "OK" click from the user, meaning "Yes, I approve sending
this/these files", isn't too much to ask for.
Peter
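
The path rules discussed in this message (files under ~ and /tmp are ordinary, anything else, any component beginning with ".", and any "../" gets a loud warning) can be written as a small classifier. This is an added example, not Balsa's code and not part of the original message; `classify_attachment`, `attach_verdict` and the sample paths are hypothetical names and constructed inputs. It assumes absolute paths and a purely lexical check (symlinks are not resolved), and even the "ordinary" verdict still means the user is asked for the one "OK" click.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { ATTACH_CONFIRM, ATTACH_LOUD_WARNING } attach_verdict;

/* True if path equals dir or lies below it (dir has no trailing slash). */
static bool under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return n > 0 && strncmp(path, dir, n) == 0 &&
           (path[n] == '/' || path[n] == '\0');
}

/* True if any component starts with '.', which covers hidden files and
 * directories (possible config data) as well as "." and "..". */
static bool has_dot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;          /* skip separators */
        if (*p == '.') return true;     /* component begins with a dot */
        while (*p && *p != '/') p++;    /* skip the rest of the component */
    }
    return false;
}

/* Assumption: relative paths are treated as outside ~ and /tmp. */
attach_verdict classify_attachment(const char *path, const char *home)
{
    if (path == NULL || home == NULL || path[0] != '/')
        return ATTACH_LOUD_WARNING;
    if (has_dot_component(path) || strstr(path, "../") != NULL)
        return ATTACH_LOUD_WARNING;
    if (!under_dir(path, home) && !under_dir(path, "/tmp"))
        return ATTACH_LOUD_WARNING;
    return ATTACH_CONFIRM;              /* still needs the user's OK */
}

int main(void)
{
    const char *home = "/home/alice";   /* constructed sample values */
    const char *s[] = { "/home/alice/report.pdf", "/tmp/scan.png",
                        "/home/alice/.ssh/id_rsa", "/tmp/../etc/passwd" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-26s %s\n", s[i], classify_attachment(s[i], home)
               == ATTACH_CONFIRM ? "confirm" : "LOUD WARNING");
    return 0;
}
```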