
Re: Eudora 3.0 for PC and MHonArc



NEW DEVELOPMENT - The image appears in the message when sent by a different
PC - my configuration could be messed up or Eudora may need to be
reinstalled. Thanks everyone for all the suggestions.

AK

At 01:48 PM 9/25/98 -0700, Earl Hood wrote:
>On September 25, 1998 at 16:26, "John R. LoVerso" wrote:
>
>> > No, it will never be the default.  "usenameext" opens a security
>> > hole.  For example, I can send a message with a filename of ".htpasswd".
>> 
>> Not "usename", but "usenameext".  If you send such a filename, won't
>> MHonArc just create the file called "bin00001.htpasswd"?
>
>Actually: "htp00001.htpasswd".  The prefix is derived from the extension.
>
>Hmmm, cannot think of any security problems off-hand.  You still have a
>problem with extension ambiguity and content-type vs extension
>conflicts.  I.e.  There is no way to guarantee that the extension
>provided matches the supplied content-type.  For example, content-type
>equals application/postscript but the filename given is "file.doc".  Or
>more likely, text/plain with a filename of "title.doc".  Plus, not
>everyone/system uses extensions.
>
>It is trivial for people to add "usenameext" if they want it.  Keying
>off the content-type is the proper way to do things.  Deviations should
>not be the default, and should only occur if the user requests it.
>
>	--ewh
>
>----
>             Earl Hood              | University of California: Irvine
>      ehood@medusa.acs.uci.edu      |      Electronic Loiterer
>http://www.oac.uci.edu/indiv/ehood/ | Dabbler of SGML/WWW/Perl/MIME
>
>
>
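The two naming policies compared in this thread, as an added Python sketch that is not MHonArc's code and not part of the original messages. The content-type table, the three-character prefix and the five-digit counter are assumptions inferred from the "htp00001.htpasswd" example above; all function names are hypothetical.

```python
import re

# Constructed content-type -> extension table (assumption, not MHonArc's mapping).
CTYPE_EXT = {
    "text/plain": "txt",
    "application/postscript": "ps",
    "application/msword": "doc",
    "image/gif": "gif",
}

def name_from_ctype(ctype, counter):
    """Default policy: ignore the sender's filename, key off the content-type."""
    ext = CTYPE_EXT.get(ctype.lower(), "bin")
    return "%s%05d.%s" % (ext[:3], counter, ext)

def name_from_ext(filename, counter):
    """usenameext-style policy: keep only the sender's extension, sanitized."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    ext = re.sub(r"[^A-Za-z0-9]", "", ext)[:16].lower()     # no dots, slashes, spaces
    if not ext:
        return "bin%05d.bin" % counter
    # The generated prefix means the result can never equal a dotfile
    # such as ".htpasswd" that already exists in the archive directory.
    return "%s%05d.%s" % (ext[:3], counter, ext)

def ext_conflict(ctype, filename):
    """True when the supplied extension disagrees with the declared content-type."""
    expected = CTYPE_EXT.get(ctype.lower())
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return expected is not None and ext != expected

if __name__ == "__main__":
    # Constructed sample attachments: (content-type, sender-supplied filename).
    samples = [
        ("application/octet-stream", ".htpasswd"),
        ("application/postscript", "file.doc"),
        ("text/plain", "title.doc"),
        ("image/gif", "../../logo.gif"),
    ]
    for n, (ctype, fname) in enumerate(samples, 1):
        print("%-26s %-16s ctype=%-14s ext=%-18s conflict=%s" % (
            ctype, fname, name_from_ctype(ctype, n),
            name_from_ext(fname, n), ext_conflict(ctype, fname)))
```

A name built from the sender's extension still ends in that extension, so how the archive's web server maps extensions to handlers and MIME types decides how the file is served.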