Re: [Evolution] [Fwd: Another possible RFC 2046 vulnerability.]

From: Dan Winship <danw ximian com>
To: Richard Bellavance <richard bellavance enter-net com>
Cc: evolution ximian com
Subject: Re: [Evolution] [Fwd: Another possible RFC 2046 vulnerability.]
Date: 27 Sep 2002 12:27:01 -0400

On Fri, 2002-09-27 at 11:48, Richard Bellavance wrote:

I hope support for this aberration will not be integrated into
Evolution...


It's not an aberration, and it's not a security hole. The only reason
why some people consider this a security problem is because they were
trying to pretend that you can make insecure email clients secure by
just filtering what gets to them. Surprise! You can't!

At least, 1.0.8 does not seem to support it.


Evo actually did used to support message/external-body. (The code
bitrotted when the attachment display code changed somewhere around
0.9.) It displayed the attachment as a link you could click on if you
wanted to fetch the body. And so if someone sent you a message with an
external-body pointing to a trojan horse program, then when you click on
it... it would ask you what directory you wanted to save the file in.
Exactly the same as if it arrived in an attachment. No security problem
here.

-- Dan

References:
- [Evolution] [Fwd: Another possible RFC 2046 vulnerability.]
  - From: Richard Bellavance

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]