From: Daniel Stenberg (daniel@haxx.se)
Date: Tue Nov 13 2001 - 10:19:58 CST
On Mon, 12 Nov 2001, Franklin DeMatto wrote:
> Can a user sneak nasty HTML into a message? Using <PRE> does not
> suffice, as an evil user can close it with </PRE>. Ideally, there should
> be a setting to convert any < and > into &lt; and &gt;, so that no evil
> HTML can get in. The entire message would need to be scanned. Of course,
> this would only work for text/plain, not text/html.
I believe that is being done. Otherwise wouldn't all those funny fake tags
get shown:
<aol>
me too
</aol>
> Has hypermail been audited for other security issues?
Not explicitly, not to my knowledge at least.
> Buffer overflows,
A long time ago I did go through pretty much all the hypermail code and
removed all the static buffer sizes of that time (with or without length
checks). Before that, hypermail was ridden with lots of buffer overflow
potentials. Of course, we might have missed some cases and we might have
added new ones since.
> and creation of local files with evil names (such as unwanted extensions)
> or properties (such as double dots in paths or x-bit on) come to mind.
Hm, yes. This might be possible. I can't recall off the top of my head how
hypermail treats all file names passed to it in attachments etc.
--
Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
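
Added example (not part of the original message and not hypermail's code): one way an archiver could handle the attachment-name concerns raised above (path components, double dots, unwanted extensions, execute bit), in C. The extension allowlist, the ".bin" fallback and both function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: extensions the archive will store unchanged. */
static const char *const allowed_ext[] = { ".txt", ".png", ".jpg", ".pdf", NULL };

/* Reduce an untrusted attachment name to a safe leaf name in out[outsz].
 * Returns 0 on success, -1 if nothing usable is left. */
int safe_attachment_name(const char *untrusted, char *out, size_t outsz)
{
    char *ext, *q;
    const char *leaf = untrusted, *p;
    size_t n = 0, i;

    if (outsz < 8) return -1;
    /* Drop every directory component, Unix or DOS style. */
    for (p = untrusted; *p; p++)
        if (*p == '/' || *p == '\\') leaf = p + 1;
    /* Allowlist characters; no leading dot, no ".." run; keep room for ".bin". */
    for (p = leaf; *p && n + 5 < outsz; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') { if (n > 0 && out[n - 1] != '.') out[n++] = '.'; }
        else out[n++] = (isalnum(c) || c == '-') ? (char)tolower(c) : '_';
    }
    while (n > 0 && out[n - 1] == '.') n--;      /* no trailing dot */
    out[n] = '\0';
    if (n == 0) return -1;
    ext = strrchr(out, '.');
    for (q = out; ext && q < ext; q++)
        if (*q == '.') *q = '_';                 /* only the last dot survives */
    for (i = 0; ext && allowed_ext[i]; i++)
        if (strcmp(ext, allowed_ext[i]) == 0) return 0;
    if (ext) *ext = '_';                         /* neutralise unexpected extension */
    strcat(out, ".bin");
    return 0;
}

/* Create the file inside dir. O_EXCL refuses existing files and symlinks;
 * mode 0644 never sets an execute bit. Returns a file descriptor or -1. */
int create_attachment(const char *dir, const char *untrusted)
{
    char name[128], path[1024];
    int len;
    if (safe_attachment_name(untrusted, name, sizeof name) != 0) return -1;
    len = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (len < 0 || (size_t)len >= sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
}
```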