Re: MIME disable option? (hopefully not FAQ)

From: Craig A Summerhill <craig_at_cni.org_at_hypermail-project.org>
Date: Tue, 20 Apr 1999 10:55:29 -0400 (EDT)
Message-Id: <9904201455.AA06680_at_a.cni.org>


On Tue, 20 Apr 1999, Tom von Alten <tom_vonalten_at_boi.hp.com> wrote:
>
> Craig A Summerhill <craig_at_cni.org> wrote:
> >
> > Finally, I would propose a fourth (4) option for an approach to handling
> > MIME attachments:
> ...
> > o have hypermail send an e-mail note to the web administrator
> > (or otherwise defined administrator) telling them to review
> > the file and change the permissions to 644 on the file in
> > order to make it accessible. Thus, the markup of the base
>
> This last one is not something we'd undertake on our intranet, as the volume
> of attachments would make it prohibitive.
>
> I thought of a simpler approach. What if we just prefix user names with
> something innocuous? Add on "x-" or some such, so
> .htaccess -> xhm-.htaccess
> for example.

Hey Tom,

That's actually quite simple, and elegant. Good idea!

The only downside of it I can think of would be an issue of transporting the file across file systems. If the web DocumentRoot also happens to be a Samba or netatalk share, the prefix could break certain types of file mappings. The only ones I can think of for sure are shares where the file names are being forced to 8.3 (DOS filenames) on the client side, but there might be others.

Nevertheless, I think that is a small price to pay for the added security. I can't imagine people wanting to use a file system share to transport the file anyway, given that it can be delivered up through a web browser. But I see people doing some strange things with Samba and netatalk on the lists I hang out on...

P.S. Along the same vein, isn't hypermail 2.x already substituting an arbitrary name for the attachment when it gets written to disk? As I recall, all the MIME attachments are named something like 'binNNNN' where NNNN is a numeric string that corresponds to the NNNN.html file to which it is linked. As long as hypermail doesn't ever use the user supplied name for the MIME attachment, there should not be a problem. Even if file bin1234.txt has valid .htaccess commands in it, the web browser isn't going to be looking for it.

Were we hunting for a problem here that doesn't really exist? Is there any case, Daniel, where hypermail writes the file to its user given name?

-- 

   Craig A. Summerhill, Systems Coordinator and Program Officer
   Coalition for Networked Information
   21 Dupont Circle, N.W., Washington, D.C.   20036
   Internet: craig_at_cni.org   AT&Tnet (202) 296-5098
Received on Tue 20 Apr 1999 04:59:11 PM GMT
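
The two naming schemes discussed in this message, sketched in C as an added example (not hypermail's code and not written by anyone in the thread). The helper names prefixed_name, generated_name and base_of are hypothetical, and keeping an extension from a fixed allow-list is an assumption; the "xhm-" prefix and the binNNNN pattern come from the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not hypermail's own code. */

/* Last path component of a sender-supplied name ('/' and '\\' both count). */
static const char *base_of(const char *s)
{
    const char *b = s;
    for (; *s; s++)
        if (*s == '/' || *s == '\\')
            b = s + 1;
    return b;
}

/* Prefix scheme: prepend "xhm-" to the supplied name so the result can
   never be a dotfile such as .htaccess. Returns 0 on success, -1 if the
   result does not fit. */
int prefixed_name(const char *supplied, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "xhm-%s", base_of(supplied));
    if (n < 0 || (size_t)n >= outlen)
        return -1;                      /* too long: refuse, do not truncate */
    for (char *q = out; *q; q++)        /* keep a conservative character set */
        if (!isalnum((unsigned char)*q) && !strchr("._-", *q))
            *q = '_';
    return 0;
}

/* Generated scheme: ignore the supplied name and derive binNNNN from the
   message number. The extension allow-list is an assumption; anything
   else is stored as ".bin". */
int generated_name(int msgnum, const char *supplied, char *out, size_t outlen)
{
    static const char *ok[] = { "txt", "gif", "jpg", "pdf" };
    const char *dot = strrchr(base_of(supplied), '.');
    const char *ext = "bin";
    for (size_t i = 0; dot && i < sizeof ok / sizeof ok[0]; i++)
        if (strcmp(dot + 1, ok[i]) == 0)
            ext = ok[i];
    int n = snprintf(out, outlen, "bin%04d.%s", msgnum, ext);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

With either scheme the name written under the DocumentRoot is never exactly the sender's string, so an attachment called .htaccess cannot land as a file the web server will read as configuration.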

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:11 AM GMT