On 11/05/2006 02:48:40 PM Sun, Johan Brannlund wrote:
[ snip ]
> Here's a link to a related advisory for Outlook:
> 
> http://secunia.com/advisories/19819/

...and I'd hate to see Linux apps, esp. Balsa, showing up in advisories  
like that!  Thanks for the link.

>> Perhaps Balsa should just pop up the attach-file dialog with the target  
>> file pre-selected, so that the user has to verify that it's OK to send.
> 
> What if there are multiple attachments?

Depends on how it's implemented--most likely, you deal with one dialog,  
then the next pops up, etc.  Alternatively, Balsa could check to see if  
all attachments are in the same directory, and offer one dialog with them  
all preselected--just a little more work--patches always welcome!

> I'm still not convinced that the issue is worth worrying about, but I
> can think of a few other ways of mitigating the problem:
> 
> 1. Only allow automatic attachment of files in ~ and /tmp.

Yes, any other file would deserve a LOUD warning.  Also any path with a  
component beginning with "." (might be a config file/directory) and any  
path containing "../".

> 2. Detect if Balsa is launched from a web browser (is this possible?)  
> and not allow any automatic attachments in that case.

I don't know if Balsa can detect that.  Also, it might be too  
draconian--not all websites are malicious.

To my mind, one "OK" click from the user, meaning "Yes, I approve sending  
this/these files", isn't too much to ask for.

Peter
_______________________________________________
balsa-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/balsa-list
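
The path checks proposed in this thread (loud warning outside ~ and /tmp, for any component beginning with ".", and for "../"), sketched as an added example; it is not Balsa's code or part of the original message. The names `classify_attachment`, `attach_verdict` and the sample paths are hypothetical, and the check is purely lexical: it does not resolve symlinks.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { ATTACH_CONFIRM, ATTACH_LOUD_WARNING } attach_verdict;

/* True if path equals dir or lies below it; dir must have no trailing slash. */
static bool path_is_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* True if any '/'-separated component starts with '.', which covers
 * dot-files, dot-directories and "../" traversal alike. */
static bool has_dot_component(const char *path)
{
    bool at_start = true;
    for (const char *p = path; *p; p++) {
        if (*p == '/') { at_start = true; continue; }
        if (at_start && *p == '.') return true;
        at_start = false;
    }
    return false;
}

/* ATTACH_CONFIRM: show the ordinary "OK to send?" dialog.
 * ATTACH_LOUD_WARNING: the path looks like it could be a sensitive file. */
attach_verdict classify_attachment(const char *path, const char *home)
{
    if (!path || !home || path[0] != '/' || home[0] != '/')
        return ATTACH_LOUD_WARNING;      /* relative or unknown: do not guess */
    if (has_dot_component(path))
        return ATTACH_LOUD_WARNING;
    if (path_is_under(path, home) || path_is_under(path, "/tmp"))
        return ATTACH_CONFIRM;
    return ATTACH_LOUD_WARNING;
}

int main(void)
{
    /* Constructed sample paths; "/home/alice" is an assumed home directory. */
    const char *samples[] = { "/home/alice/report.pdf", "/tmp/scan.png",
        "/etc/passwd", "/home/alice/.ssh/id_rsa", "/tmp/../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-28s %s\n", samples[i],
               classify_attachment(samples[i], "/home/alice") == ATTACH_CONFIRM
                   ? "confirm" : "LOUD WARNING");
    return 0;
}
```

Either verdict still leads to a dialog, in line with the one "OK" click asked for above; the verdict only decides how prominent the warning is.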
