Re: [Evolution] evolution doesn't seem to handle inlined content securely

From: Not Zed <notzed ximian com>
To: Andreas Wüst <awuest swissonline ch>
Cc: Evolution Mailinglist <evolution lists ximian com>
Subject: Re: [Evolution] evolution doesn't seem to handle inlined content securely
Date: Sun, 17 Aug 2003 13:34:46 -0400

I guess it would be possible to only show text, if anyone was that
concerned about it, but as you say it would require a patch.

On Sat, 2003-08-16 at 09:38, Andreas Wüst wrote:

Hi

Thanks for your answer!

On Fri, 2003-08-15 at 02:21, Not Zed wrote:

I might also add that this is functionality is absolutely required to
implement html email.  e.g. the introduction email that comes with
evolution.

Its up to the image library to handle it, so yes you could exploit holes
in libjpeg or gdk-pixbuf if they existed.

The alternative is to only allow the display of text ...


Wouldn't it be possible to use the html rendering widget only for the
headers (just to get the nice box), the body of the mail gets displayed
using a text box?

Since the headers are being preprocessed anyway if you use full html
rendering, you could simply reuse the header preprocessor method, and
feed the rest of the mail to a text box.

I am sorry I can't provide a patch for this., ;)

On Thu, 2003-08-14 at 14:13, Andreas Wüst wrote:

Hi

Am I right that evolution doesn't seem to do no better than outlook when
it comes to inlined data?

If you get an email sporting a line like

  <img src="cid:blablabla">

and attached you get a file with a

  Content-ID: blablabla

string, evolution tries to to display this stuff inline, no?

And since most of these attachements are virus today, the user is no
better off than an outlook user?!

Please correct me, if this isn't so! But, e.g. what happens, when you
receive an email with an attachment blabla.scr, and the mime type is
audio/wav, an this file is inlined by the above tag, then evolution
tries to view (play) it (of course it's not a wav file, just look at the
file suffix, it's just some viral code)?

There is obviously no button which you could press to view the
attachement, since it's getting viewed inline. Is there any way to
prevent evolution from doing so?

References:
- [Evolution] evolution doesn't seem to handle inlined content securely
  - From: Andreas =?ISO-8859-1?Q?W=FCst?=
- Re: [Evolution] evolution doesn't seem to handle inlined content securely
  - From: Not Zed
- Re: [Evolution] evolution doesn't seem to handle inlined content securely
  - From: Andreas =?ISO-8859-1?Q?W=FCst?=

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]