Re: [Evolution] evolution doesn't seem to handle inlined content securely



Hi Jeffrey

Thanks a lot for your fast answer!!

On Thu, 2003-08-14 at 20:46, Jeffrey Stedfast wrote:

On Thu, 2003-08-14 at 14:13, Andreas Wüst wrote:
Hi

Am I right that evolution doesn't seem to do any better than outlook when
it comes to inlined data?

If you get an email sporting a line like

    <img src="cid:blablabla">

and attached you get a file with a

    Content-ID: blablabla

string, evolution tries to display this stuff inline, no?

yes and no...


And since most of these attachments are viruses today, the user is no
better off than an outlook user?!

Please correct me, if this isn't so! But, e.g. what happens, when you
receive an email with an attachment blabla.scr, and the mime type is
audio/wav, and this file is inlined by the above tag, then evolution
tries to view (play) it (of course it's not a wav file, just look at the
file suffix, it's just some viral code)?

well, since the attachment won't be able to load as an image file,
nothing will happen. you'll get an iframe box or something with nothing
in it.

Uhhm, yes, I just got the Header, and then nothing (or a small black
point). The mail consisted only of the iframe stuff (and the
attachment).

There is obviously no button which you could press to view the
attachment, since it's getting viewed inline. Is there any way to
prevent evolution from doing so?

evolution will ONLY display stuff inline if it:

1. has a builtin handler (which is basically limited to image handlers
and vcard/ical stuff - ie stuff that is "safe". as with all things, it's
possible that the data may cause gtk's image loading code to crash or
evo's addressbook/calendar control code to crash...)

Well, I guess it's not that big a problem if it crashes. As long as
there's no vulnerability in the image loading code, it's ok.

But, what happens if the attachment is of mime type image/jpeg and
there's not a jpeg in but a virus? Will evolution just fail to load the
image and let the user know by a requester, or will there just be a
blank space?

2. or if you:
  a) have a bonobo control capable of handling the specified mime type

and

  b) configured your MIME-types & Applications control centre crapplet
to use this bonobo control for viewing these types

Hmm, obviously seems to be the case.

and

  c) EXPLICITLY allow Evolution to use bonobo-controls for this
mime-type (which is only configurable via gconf - there is no UI for
this so you have to be a bit of a hacker to find/set it in the first
place)

Well, you never know what your friendly package maintainer does ;) Which
file of the gconf database should I check?

But there is still the question what happens if the player or viewer
gets called, but the file to view or play is not a correct file?

So as far as I'm aware, Evolution is a LOT safer than Outlook in this
regard. If you find logic mistakes in our reasoning, please let us
know.

No, there are no logic mistakes, but some minor steps to check
(vulnerability of viewer code, feedback to user if something was tried
to display but failed, ..). But I would still prefer a global option to
stop evolution displaying anything but text, or to turn off html
rendering at all (no, not the show email source option).

-- 
Sorry if I sound a bit picky, I just want to use a highly secure email
client (paired with a lot of comfort).

Best wishes,
Andi
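
Added example, not part of the original message and not Evolution's code: a check a mail filter could run for the case discussed above, where an HTML body pulls in a part by cid: and that part's declared MIME type, file name and actual bytes disagree. The sample message, the magic-byte table and the extension deny-list are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes expected for each declared type this sketch can verify.
MAGIC = {"image/jpeg": (b"\xff\xd8\xff",), "image/png": (b"\x89PNG\r\n\x1a\n",),
         "image/gif": (b"GIF87a", b"GIF89a"), "audio/wav": (b"RIFF",)}
RISKY_EXT = (".scr", ".exe", ".pif", ".bat", ".com")  # assumed deny-list
CID_REF = re.compile(r"""src\s*=\s*["']cid:([^"']+)""", re.I)

def build_sample():
    """Constructed message: one honest inline PNG, one blabla.scr sent as audio/wav."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content('<img src="cid:logo"><iframe src="cid:blablabla"></iframe>',
                    subtype="html")
    msg.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, maintype="image",
                    subtype="png", cid="<logo>", filename="logo.png")
    msg.add_related(b"MZ\x90\x00" + b"\x00" * 16, maintype="audio",
                    subtype="wav", cid="<blablabla>", filename="blabla.scr")
    return msg.as_bytes()

def audit_inline_parts(raw):
    """Return (cid, declared_type, filename, reasons) for suspicious inlined parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    referenced, parts = set(), {}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(CID_REF.findall(part.get_content()))
        elif part["Content-ID"]:
            parts[str(part["Content-ID"]).strip("<> ")] = part
    findings = []
    for cid in sorted(referenced & parts.keys()):  # only parts the HTML inlines
        part = parts[cid]
        ctype, name = part.get_content_type(), part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in MAGIC and not data.startswith(MAGIC[ctype]):
            reasons.append("content does not match declared type")
        if name.lower().endswith(RISKY_EXT):
            reasons.append("executable file extension")
        if data.startswith(b"MZ"):
            reasons.append("DOS/PE executable header")
        if reasons:
            findings.append((cid, ctype, name, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_inline_parts(build_sample()):
        print(finding)
```
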



