[Mailman-Users] Emergency mail to everyone?
t.d.lee at durham.ac.uk
Wed Jan 17 17:55:19 CET 2007
On Wed, 17 Jan 2007, Mark Sapiro wrote:
> Paul Tomblin wrote:
> >You mean that if people used the Approve: header that Mailman doesn't
> >strip it out before it sends it? That seems like a huge security hole.
> No I don't mean that. It is removed whether or not the password is
> valid. When I said "This is intentional to discourage sending the site
> password in the clear in email." I meant in the email TO the list. The
> header won't be in the mail FROM the list.
A slight caution there.
If the inbound email contains not only the plain text message but also its equivalent in HTML, and if the "Approved:" is specified as the first line of the body rather than as a header, the password is in danger of leaking outbound, being stripped only from the plain version but not from the HTML version where it could persist.
For lists on which body-based "Approved" and HTML-ising senders are
likely, it is worth investigating the "collapse_alternatives" and
(I'm willing to be corrected on any of that!)
David Lee
Senior Systems Programmer
http://www.dur.ac.uk/t.d.lee/
Phone: +44 191 334 2752

I.T. Service
Computer Centre
Durham University
South Road
Durham DH1 3LE
U.K.
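The leak described above, modelled as an added example (this is not Mailman's own code and does not reproduce its internals): a constructed multipart/alternative message carries the body-based "Approved: <password>" line in both the text/plain and the text/html part. A strip that only touches text/plain leaves the password in the HTML part, which a check over every text part can catch; the second strip covers the HTML part as well. The password value, addresses and the regular expressions are constructed for the illustration.

```python
"""Show how a body-based "Approved:" password survives in the HTML part of a
multipart/alternative message when only the plain-text part is cleaned.

Illustrative code, not Mailman's own implementation.
"""
import re
from email.message import EmailMessage

# First body line of the plain part: "Approve:" or "Approved:" followed by a password.
APPROVED_LINE = re.compile(r"^\s*Approved?:\s*\S+\s*$", re.IGNORECASE)
# Same token inside HTML, where it is usually wrapped in tags (<p>, <br>, ...).
APPROVED_IN_HTML = re.compile(r"Approved?:\s*[^<\r\n]*", re.IGNORECASE)
# Anything that still looks like an Approved: line with a value after it.
APPROVED_ANY = re.compile(r"Approved?:\s*\S", re.IGNORECASE)


def build_sample(password="hunter2"):
    """Constructed inbound post: the sender's client emitted both a plain and an
    HTML rendering of the same body, so the Approved: line appears in both."""
    msg = EmailMessage()
    msg["From"] = "poster@example.org"        # constructed address
    msg["To"] = "somelist@example.org"        # constructed list address
    msg["Subject"] = "Announcement"
    msg.set_content(f"Approved: {password}\nHello list, this is the announcement.\n")
    msg.add_alternative(
        f"<html><body><p>Approved: {password}</p>"
        "<p>Hello list, this is the announcement.</p></body></html>",
        subtype="html",
    )
    return msg


def _text_parts(msg):
    """Yield every leaf part whose main type is text (plain, html, ...)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part


def strip_plain_only(msg):
    """The behaviour the thread warns about: remove the Approved: line from the
    text/plain part only, leaving any text/html alternative untouched."""
    for part in _text_parts(msg):
        if part.get_content_subtype() != "plain":
            continue
        lines = part.get_content().split("\n")
        if lines and APPROVED_LINE.match(lines[0]):
            part.set_content("\n".join(lines[1:]), subtype="plain")
    return msg


def strip_all_text_parts(msg):
    """Remove the Approved: line from the plain part and the matching token from
    every other text part, so no rendering of the body carries the password."""
    for part in _text_parts(msg):
        body = part.get_content()
        if part.get_content_subtype() == "plain":
            lines = body.split("\n")
            if lines and APPROVED_LINE.match(lines[0]):
                part.set_content("\n".join(lines[1:]), subtype="plain")
        else:
            cleaned = APPROVED_IN_HTML.sub("", body, count=1)
            part.set_content(cleaned, subtype=part.get_content_subtype())
    return msg


def leaked_parts(msg):
    """Content types of text parts that still carry an Approved: value; an
    outbound message should return an empty list here."""
    return [p.get_content_type() for p in _text_parts(msg)
            if APPROVED_ANY.search(p.get_content())]


if __name__ == "__main__":
    naive = strip_plain_only(build_sample())
    print("after plain-only strip, password still in:", leaked_parts(naive))
    full = strip_all_text_parts(build_sample())
    print("after stripping all text parts, password still in:", leaked_parts(full))
```

Running it shows the password surviving in `text/html` after the plain-only strip and in no part after the full strip. The check in `leaked_parts` is the kind of outbound test worth running on a list where senders post HTML and use the body-based "Approved:" line; collapsing multipart/alternative to its first part, as the thread goes on to mention, is another way to keep the HTML copy from ever leaving the list.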