Re: Link considered unsafe
> Ted Zlatanov wrote: > On Mon, 10 Aug 2009 20:35:03 +0900 Katsumi Yamaoka wrote: > ... KY> The patch that uses it is below. There I made no change in mm-*.el KY> modules. What do you think about the option name and the macro name? > I think that's wonderful, and the default is exactly what it should be > (nnrss groups only). Thank you for taking the time to work on it. Installed in the Gnus trunk. I've changed the option name `gnus-safe-html-groups' into `gnus-safe-html-newsgroups' since the `-groups' suffix seems to be used for variables concerning group parameters. ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Mon, 10 Aug 2009 20:35:03 +0900 Katsumi Yamaoka wrote: ... KY> The patch that uses it is below. There I made no change in mm-*.el KY> modules. What do you think about the option name and the macro name? I think that's wonderful, and the default is exactly what it should be (nnrss groups only). Thank you for taking the time to work on it. Ted ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
> Ted Zlatanov wrote: > On Tue, 04 Aug 2009 19:58:40 +0900 Katsumi Yamaoka wrote: KY> Maybe the groups can be controllable. For example: KY> (defcustom mm-w3m-safe-groups "\\`nnrss[+:]" KY> "Groups in which html articles are considered all safe. KY> The value may be a regexp matching those groups, a list of group names, KY> or nil. This overrides `mm-w3m-safe-url-regexp'.") > I think that's reasonable. Looks like mm-decode.el and mm-view.el need > to be modified. If no one else is interested I'll put it on my TODO list. I thought making mm-*.el modules depend on Gnus (i.e., referring to Gnus' variables like `gnus-newsgroup-name') is a wrong approach because not only Gnus but also MH-E uses them. So I changed it into the Gnus variable as follows: (defcustom gnus-safe-html-groups "\\`nnrss[+:]" "Groups in which links in html articles are considered all safe. The value may be a regexp matching those groups, a list of group names, or nil. This overrides `mm-w3m-safe-url-regexp' (which see). This is effective only when emacs-w3m renders html articles, i.e., in the case `mm-text-html-renderer' is set to `w3m'." :version "23.2" :group 'gnus-group-various :type '(choice regexp (repeat :tag "List of group names" (string :tag "Group")) (const nil))) The patch that uses it is below. There I made no change in mm-*.el modules. What do you think about the option name and the macro name? KY> BTW, don't all you know the way to access unsafe links? That is KY> `C-u RET' on links in html articles. > The problem is that calling the link "unsafe" scares the user. > Furthermore, demanding different (RET vs C-u RET) keyboard actions from > the user requires a mental context switch that distracts from the actual > goal (visiting the link). I see. --- gnus-group.el~ 2009-07-10 11:55:43 + +++ gnus-group.el 2009-08-10 11:31:28 + @@ -110,6 +110,17 @@ :group 'gnus-group-listing :type '(choice regexp (const nil))) +(defcustom gnus-safe-html-groups "\\`nnrss[+:]" + "Groups in which links in html articles are considered all safe. +The value may be a regexp matching those groups, a list of group names, +or nil. This overrides `mm-w3m-safe-url-regexp' (which see). This is +effective only when emacs-w3m renders html articles, i.e., in the case +`mm-text-html-renderer' is set to `w3m'." + :group 'gnus-group-various + :type '(choice regexp + (repeat :tag "List of group names" (string :tag "Group")) + (const nil))) + (defcustom gnus-list-groups-with-ticked-articles t "*If non-nil, list groups that have only ticked articles. If nil, only list groups that have unread articles." --- gnus-art.el~ 2009-07-23 23:54:28 + +++ gnus-art.el 2009-08-10 11:31:28 + @@ -4740,6 +4740,17 @@ (vector (caddr c) (car c) :active t)) gnus-mime-button-commands))) +(defmacro gnus-bind-safe-url-regexp (&rest body) + "Bind `mm-w3m-safe-url-regexp' according to `gnus-safe-html-groups'." + `(let ((mm-w3m-safe-url-regexp + (if (cond ((stringp gnus-safe-html-groups) + (string-match gnus-safe-html-groups gnus-newsgroup-name)) + ((consp gnus-safe-html-groups) + (member gnus-newsgroup-name gnus-safe-html-groups))) + nil + mm-w3m-safe-url-regexp))) + ,@body)) + (defun gnus-mime-button-menu (event prefix) "Construct a context-sensitive menu of MIME commands." (interactive "e\nP") @@ -4765,7 +4776,7 @@ (or (search-forward "\n\n") (goto-char (point-max))) (let ((inhibit-read-only t)) (delete-region (point) (point-max)) - (mm-display-parts handles)) + (gnus-bind-safe-url-regexp (mm-display-parts handles))) (defun gnus-article-jump-to-part (n) "Jump to MIME part N." @@ -5267,7 +5278,7 @@ (when handle (if (mm-handle-undisplayer handle) (mm-remove-part handle) - (mm-display-part handle)) + (gnus-bind-safe-url-regexp (mm-display-part handle))) (defun gnus-mime-action-on-part (&optional action) "Do something with the MIME attachment at \(point\)." @@ -5488,7 +5499,7 @@ (save-restriction (narrow-to-region (point) (if (eobp) (point) (1+ (point - (mm-display-part handle) + (gnus-bind-safe-url-regexp (mm-display-part handle)) ;; We narrow to the part itself and ;; then call the treatment functions. (goto-char (point-min)) @@ -5767,7 +5778,7 @@ (set-buffer gnus-summary-buffer) (error)) gnus-newsgroup-ignored-charsets))) - (mm-display-part handle t)) + (gnus-bind-safe-url-regexp (mm-display-part handle t))) (goto-char (point-max))) ((and text not-attachment) (when move @@ -5903,7 +5914,7 @@ (mail-parse-ignored-charsets (with-current-buffer gnus-summary-buffer gnus-newsgroup-ignored-charsets))) - (mm-display-part preferred) + (gnus-bind-safe-url-regexp (mm-display-part preferred)) ;; Do highlighting. (save-
Re: Link considered unsafe
On Tue, 04 Aug 2009 19:58:40 +0900 Katsumi Yamaoka wrote: >> Ted Zlatanov wrote: >> - always allow image links in RSS (nnrss should set it, or mm-w3m-* >> should be aware it's inside a nnrss article buffer) KY> Maybe the groups can be controllable. For example: KY> (defcustom mm-w3m-safe-groups "\\`nnrss[+:]" KY> "Groups in which html articles are considered all safe. KY> The value may be a regexp matching those groups, a list of group names, KY> or nil. This overrides `mm-w3m-safe-url-regexp'.") KY> That looks good and easy to implement, though I have no time for KY> the moment. I think that's reasonable. Looks like mm-decode.el and mm-view.el need to be modified. If no one else is interested I'll put it on my TODO list. KY> BTW, don't all you know the way to access unsafe links? That is KY> `C-u RET' on links in html articles. The problem is that calling the link "unsafe" scares the user. Furthermore, demanding different (RET vs C-u RET) keyboard actions from the user requires a mental context switch that distracts from the actual goal (visiting the link). Ted ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
> Ted Zlatanov wrote: > On Thu, 30 Jul 2009 16:03:39 -0700 (PDT) ky wrote: >>> Ted Zlatanov wrote: k> [...] >>> Actually I was wondering why it is unsafe to visit links in w3m. If >>> anything, w3m is the safest web browser I use daily, much better than >>> IE, Firefox, Chrome, Opera, or Safari because it doesn't even attempt to >>> run JavaScript. What personal information is this talking about? k> [...] k> We considered image tags, that will be accessed without clicking k> those links. By special letters laid in the url, spammers will k> know that your mail address is reachable. > The problems are: > 1) all image links are disabled because of this small improvement in security > 2) it's impossible to configure by a regular user, and (I would argue) > very hard even by an expert, with a regex. > I thought about it, and have some suggestions: > - always allow image links in RSS (nnrss should set it, or mm-w3m-* > should be aware it's inside a nnrss article buffer) Maybe the groups can be controllable. For example: (defcustom mm-w3m-safe-groups "\\`nnrss[+:]" "Groups in which html articles are considered all safe. The value may be a regexp matching those groups, a list of group names, or nil. This overrides `mm-w3m-safe-url-regexp'.") That looks good and easy to implement, though I have no time for the moment. > - allow a 'ask option so the user can build a whitelist of approved > servers, and save that whitelist > - allow image links if the headers or spam.el say it's not spam > I don't know what's the right approach, but I hope you will consider my > suggestions. > Ted BTW, don't all you know the way to access unsafe links? That is `C-u RET' on links in html articles. Regards, P.S. I'm going to go to the business trip, so I may not have time to read news for some time. ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
> Ted Zlatanov wrote: [...] > Actually I was wondering why it is unsafe to visit links in w3m. If > anything, w3m is the safest web browser I use daily, much better than > IE, Firefox, Chrome, Opera, or Safari because it doesn't even attempt to > run JavaScript. What personal information is this talking about? [...] We considered image tags, that will be accessed without clicking those links. By special letters laid in the url, spammers will know that your mail address is reachable. ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Thu, 30 Jul 2009 06:16:50 +0100 Paul Mead wrote: PM> Reiner Steib writes: >> ,[ (info "(emacs-mime)Display Customization") ] >> | `mm-w3m-safe-url-regexp' >> | A regular expression that matches safe URL names, i.e. URLs that >> | are unlikely to leak personal information when rendering HTML >> | email (the default value is `\\`cid:'). If `nil' consider all >> | URLs safe. >> ` >> Keep in mind that it is unsafe! >> PM> ...sure, but I can make that decision before clicking a link though, PM> can't I? Actually I was wondering why it is unsafe to visit links in w3m. If anything, w3m is the safest web browser I use daily, much better than IE, Firefox, Chrome, Opera, or Safari because it doesn't even attempt to run JavaScript. What personal information is this talking about? Is it "trackback" links that notify the document author that you've looked at their document? If so, the word "unsafe" is probably too strong, I'd call them "dubious" and stop there. In any case, this is basic functionality that users should not have to enable. In addition it's not easy to configure this. What am I, the user, supposed to put in it? I think it's unfair to expect the user to configure such minutae. Ted ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Reiner Steib writes: > >> well, I'm a little mystified but that seems to have worked! I'm >> mystified because I checked the value of that variable too and according >> to the help it was already set to nil. > > Where? > > ,[ (info "(emacs-mime)Display Customization") ] > | `mm-w3m-safe-url-regexp' > | A regular expression that matches safe URL names, i.e. URLs that > | are unlikely to leak personal information when rendering HTML > | email (the default value is `\\`cid:'). If `nil' consider all > | URLs safe. > ` I used C-h v mm-w3m-safe-url-regexp RET. It said that current value was nil. > >> Strange, but I'm not complaining, just glad it works! > > Keep in mind that it is unsafe! > ...sure, but I can make that decision before clicking a link though, can't I? ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Wed, Jul 29 2009, Paul Mead wrote: > well, I'm a little mystified but that seems to have worked! I'm > mystified because I checked the value of that variable too and according > to the help it was already set to nil. Where? ,[ (info "(emacs-mime)Display Customization") ] | `mm-w3m-safe-url-regexp' | A regular expression that matches safe URL names, i.e. URLs that | are unlikely to leak personal information when rendering HTML | email (the default value is `\\`cid:'). If `nil' consider all | URLs safe. ` > Strange, but I'm not complaining, just glad it works! Keep in mind that it is unsafe! Bye, Reiner. -- ,,, (o o) ---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/ ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Ted Zlatanov writes: > > Can you try this? It's what I use. I think it overrides w3m-safe-url-regexp. > > (setq mm-w3m-safe-url-regexp nil) > > Ted Hi Ted well, I'm a little mystified but that seems to have worked! I'm mystified because I checked the value of that variable too and according to the help it was already set to nil. Strange, but I'm not complaining, just glad it works! Thanks for helping me out. Paul ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Tue, 28 Jul 2009 16:52:30 +0100 Paul Mead wrote: PM> Reiner Steib writes: >> Which Gnus version do you run with Emacs 22? (see the variable >> `gnus-version'). >> >> Bye, Reiner. PM> Hi, can I give this thread a bump? I still have the problem with having PM> to provide a prefix arg, even though the value of w3m-safe-url-regexp is PM> set to nil. Can you try this? It's what I use. I think it overrides w3m-safe-url-regexp. (setq mm-w3m-safe-url-regexp nil) Ted ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Reiner Steib writes: > Which Gnus version do you run with Emacs 22? (see the variable > `gnus-version'). > > Bye, Reiner. Hi, can I give this thread a bump? I still have the problem with having to provide a prefix arg, even though the value of w3m-safe-url-regexp is set to nil. Any ideas? Thanks Paul ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Reiner Steib writes: > > Which Gnus version do you run with Emacs 22? (see the variable > `gnus-version'). > >> Hmm, come to think of it, my problem with stuck messages only happens on >> the v23 machine too... > > Bye, Reiner. Hi Reiner I've got Gnus v5.11 on emacs 22 and v5.13 on emacs 23. Thanks Paul ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Wed, 08 Jul 2009 21:17:15 +0200 Reiner Steib wrote: >> Ted Zlatanov writes: >>> David Engster wrote: DE> I know this message from emacs-w3m. Frobbing the variables DE> w3m-safe-url-regexp and mm-w3m-safe-url-regexp should help. >>> >>> The variable names are confusing, since they actually match unsafe >>> URLs. RS> Huh? Please elaborate. You have to set mm-w3m-safe-url-regexp to match unsafe things which will not be rendered; set it to nil and you get everything. What's "safe," the underlying algorithm or the data we're filtering out or the data we're keeping? Ted ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Wed, Jul 08 2009, Paul Mead wrote: > Ted Zlatanov writes: >> David Engster wrote: >> DE> I know this message from emacs-w3m. Frobbing the variables >> DE> w3m-safe-url-regexp and mm-w3m-safe-url-regexp should help. >> >> The variable names are confusing, since they actually match unsafe >> URLs. Huh? Please elaborate. >> Maybe we should have mm-w3m-dangerous-url-regexp and in w3m, the >> corresponding w3m-dangerous-url-regexp? >> >> Ted > I've been having trouble with this since upgrading to emacs v23. I'm > sharing exactly the same config on v22 and urls open without complaint. Which Gnus version do you run with Emacs 22? (see the variable `gnus-version'). > Hmm, come to think of it, my problem with stuck messages only happens on > the v23 machine too... Bye, Reiner. -- ,,, (o o) ---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/ ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Ted Zlatanov writes: > On Thu, 28 May 2009 21:48:14 +0200 David Engster > wrote: > > DE> Reiner Steib writes: >>> On Thu, May 28 2009, Stefan Hübner wrote: >>> whenever I'm trying to browse URLs found in articles, Gnus complains "This link is considered unsafe...". I couldn't find any hints about this feature and how to turn it off. >>> >>> That is because it is not Gnus that complains - at least I never heard >>> of this and I couldn't find this string in the Gnus sources (nor in >>> Emacs). > > DE> I know this message from emacs-w3m. Frobbing the variables > DE> w3m-safe-url-regexp and mm-w3m-safe-url-regexp should help. > > The variable names are confusing, since they actually match unsafe > URLs. Maybe we should have mm-w3m-dangerous-url-regexp and in w3m, the > corresponding w3m-dangerous-url-regexp? > > Ted I've been having trouble with this since upgrading to emacs v23. I'm sharing exactly the same config on v22 and urls open without complaint. Hmm, come to think of it, my problem with stuck messages only happens on the v23 machine too... Paul ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Thu, 28 May 2009 21:48:14 +0200 David Engster wrote: DE> Reiner Steib writes: >> On Thu, May 28 2009, Stefan Hübner wrote: >> >>> whenever I'm trying to browse URLs found in articles, Gnus complains >>> "This link is considered unsafe...". I couldn't find any hints about >>> this feature and how to turn it off. >> >> That is because it is not Gnus that complains - at least I never heard >> of this and I couldn't find this string in the Gnus sources (nor in >> Emacs). DE> I know this message from emacs-w3m. Frobbing the variables DE> w3m-safe-url-regexp and mm-w3m-safe-url-regexp should help. The variable names are confusing, since they actually match unsafe URLs. Maybe we should have mm-w3m-dangerous-url-regexp and in w3m, the corresponding w3m-dangerous-url-regexp? Ted ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
David Engster writes: > Reiner Steib writes: >> On Thu, May 28 2009, Stefan Hübner wrote: >> >>> whenever I'm trying to browse URLs found in articles, Gnus complains >>> "This link is considered unsafe...". I couldn't find any hints about >>> this feature and how to turn it off. >> >> That is because it is not Gnus that complains - at least I never heard >> of this and I couldn't find this string in the Gnus sources (nor in >> Emacs). > > I know this message from emacs-w3m. Frobbing the variables > w3m-safe-url-regexp and mm-w3m-safe-url-regexp should help. thanks for your hints! -Stefan ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Richard Riley writes: > Reiner Steib writes: > >> On Thu, May 28 2009, Stefan Hübner wrote: >> >>> whenever I'm trying to browse URLs found in articles, Gnus complains >>> "This link is considered unsafe...". I couldn't find any hints about >>> this feature and how to turn it off. >> >> That is because it is not Gnus that complains - at least I never heard >> of this and I couldn't find this string in the Gnus sources (nor in >> Emacs). >> >>> Can anybody help me with a pointer to some documentation or other >>> resource? >> >> Does it happen with HTML or text mails. >> >> Bye, Reiner. > > It's w3m that complains I think. Yes, you're right. I'm using w3m - forgot to mention, sorry. > Try > > `mm-w3m-safe-url-regexp Thanks! -Stefan ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Reiner Steib writes: > On Thu, May 28 2009, Stefan Hübner wrote: > >> whenever I'm trying to browse URLs found in articles, Gnus complains >> "This link is considered unsafe...". I couldn't find any hints about >> this feature and how to turn it off. > > That is because it is not Gnus that complains - at least I never heard > of this and I couldn't find this string in the Gnus sources (nor in > Emacs). I know this message from emacs-w3m. Frobbing the variables w3m-safe-url-regexp and mm-w3m-safe-url-regexp should help. -David ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
Reiner Steib writes: > On Thu, May 28 2009, Stefan Hübner wrote: > >> whenever I'm trying to browse URLs found in articles, Gnus complains >> "This link is considered unsafe...". I couldn't find any hints about >> this feature and how to turn it off. > > That is because it is not Gnus that complains - at least I never heard > of this and I couldn't find this string in the Gnus sources (nor in > Emacs). > >> Can anybody help me with a pointer to some documentation or other >> resource? > > Does it happen with HTML or text mails. > > Bye, Reiner. It's w3m that complains I think. Try `mm-w3m-safe-url-regexp ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: Link considered unsafe
On Thu, May 28 2009, Stefan Hübner wrote: > whenever I'm trying to browse URLs found in articles, Gnus complains > "This link is considered unsafe...". I couldn't find any hints about > this feature and how to turn it off. That is because it is not Gnus that complains - at least I never heard of this and I couldn't find this string in the Gnus sources (nor in Emacs). > Can anybody help me with a pointer to some documentation or other > resource? Does it happen with HTML or text mails. Bye, Reiner. -- ,,, (o o) ---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/ ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english
Link considered unsafe
Hi all, whenever I'm trying to browse URLs found in articles, Gnus complains "This link is considered unsafe...". I couldn't find any hints about this feature and how to turn it off. Can anybody help me with a pointer to some documentation or other resource? Thanks, Stefan ___ info-gnus-english mailing list info-gnus-english@gnu.org http://lists.gnu.org/mailman/listinfo/info-gnus-english