On Wed, 01 Nov 2006 08:57:42 -0500, Peter Bloomfield wrote:
> On reflection, implementing "attach=file" has some security implications.
> Clicking "mailto:[EMAIL PROTECTED]/etc/passwd"
> on a random web page would probably be a bad idea.

Here's a link to a related advisory for Outlook:
http://secunia.com/advisories/19819/

> Perhaps Balsa should just pop up the attach-file dialog with the target
> file pre-selected, so that the user has to verify that it's OK to send.

What if there are multiple attachments?

I'm still not convinced that the issue is worth worrying about, but I can
think of a few other ways of mitigating the problem:

1. Only allow automatic attachment of files in ~ and /tmp.
2. Detect if Balsa is launched from a web browser (is this possible?) and
   not allow any automatic attachments in that case.

Regards,
Johan
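
Mitigation 1 from the message above, sketched as an added example; it is not part of the original e-mail or of Balsa's code, and the names `attach_allowed` and `is_under` are hypothetical. It assumes a POSIX system and canonicalizes the requested path first, so that ".." components and symlinks cannot step outside ~ or /tmp:

```c
/* Hypothetical helper (not Balsa code): may a file named in a mailto:
 * "attach=" parameter be attached without asking the user first? */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), PATH_MAX, S_ISREG */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Return 1 if the canonical path `file` lies inside directory `root`. */
static int is_under(const char *root, const char *file)
{
    char canon_root[PATH_MAX];
    size_t len;

    if (realpath(root, canon_root) == NULL)
        return 0;
    len = strlen(canon_root);
    if (len < 2)                 /* never treat "/" as an allowed root */
        return 0;
    /* Require a component boundary so "/tmpfoo" does not match "/tmp". */
    return strncmp(canon_root, file, len) == 0 && file[len] == '/';
}

/* Return 1 only for an existing regular file under `home` or /tmp.
 * realpath() resolves "..", "." and symlinks before the comparison. */
int attach_allowed(const char *requested, const char *home)
{
    char canon[PATH_MAX];
    struct stat st;

    if (requested == NULL || home == NULL || requested[0] != '/')
        return 0;                /* relative or missing input: ask */
    if (realpath(requested, canon) == NULL)
        return 0;                /* nonexistent or unresolvable */
    if (stat(canon, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;                /* directories, devices, FIFOs */
    return is_under(home, canon) || is_under("/tmp", canon);
}

int main(void)
{
    /* Constructed sample requests, not taken from the thread. */
    const char *s[] = { "/etc/passwd", "/tmp/../etc/passwd", "/tmp" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s %s\n", s[i], attach_allowed(s[i], getenv("HOME")) ? "attach" : "ask user");
    return 0;
}
```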
