Re: MIME encodings when dealing with adding the footer
On Thu, Dec 13, 2007 at 12:49:14PM +0100, Morten K. Poulsen wrote:
> On Thu, 2007-12-13 at 14:18 +0300, Peter Volkov wrote:
> > On Thu, 13/12/2007 at 11:31 +0100, Morten K. Poulsen wrote:
> > > Long answer: MIME parsing has been a source of vulnerabilities in almost
> > > every single piece of software which attempts to parse MIME encoded
> > > messages. Mlmmj can - in any normal installation - be triggered
> > > remotely. It's a trade-off. I have made the decision to leave out MIME
> > > parsing. I do not plan to add it, nor do I plan to accept patches which
> > > add it.
> > Morten, but then footer feature should be dropped from mlmmj as it does
> > not work and breaks mails. Or at least big red notice should be added...
> > What do you think about this?
> Yes, a word of warning in the readme might be a good idea.
Could we have a limited feature then:
- If we think it is NOT safe to add the footer, then do not add it.
Cases where it is not safe:
1. The mail has more than one MIME part (not parse, just read the mail
headers).
2. The mail is not MIME, but is not in a safe encoding to muck with.
#2 was Peter's original case that he reported to me for the Gentoo lists,
a mail having the following headers:
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Should NOT get a plaintext footer added, because it would cause the
base64 to not decode.