On Sun, Aug 20, 2000 at 10:46:41AM +0700, Oskar Sandberg wrote: > On Sat, Aug 19, 2000 at 10:10:21PM -0400, Travis Bemann wrote: > <> > > All it tells about the content of the metadata is whether it is FNP or > > XML. You have to be *really* paranoid to consider this a security > > hole. I just consider this unnecessary. > > I consider this is a security hole, and I will not have it. Putting the > metadata-length in a visible field is bad enough, and we only did that > because we figured there could be a concievable use for being able to send > back only the meta-data.
IMHO the metadata length field is a far bigger security hole than this. Actually, we should get rid of *all* length fields, and replace them with a blank line or a line containing 'Data' in the case of metadata and escape codes for normal data. -- Travis Bemann Sendmail is still screwed up on my box. My email address is really bemann at execpc.com. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 1138 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20000819/49120670/attachment.pgp>
