[Mailman-Users] access scrubbed attachments of private lists without password?
Steffen Kaiser
vm3112870680488272v at vmail.inf.h-brs.de
Fri Jul 22 16:23:11 CEST 2011
On Thu, 21 Jul 2011, Mark Sapiro wrote:
>On 7/20/2011 1:53 AM, Steffen Kaiser wrote:
>>
>> is it possible to access scrubbed attachments of private lists without a
>> password?
>
>
>No. Scrubbed attachments are stored in the list's archive file hierarchy
>and have to be accessed as anything else in the list's archives. If the
>archive is private, this requires a password.
>
>Also, in general, it seems to me that if a list's archives are private,
>it would not be a good idea to make attachments to list posts publicly
>accessible.
That depends on the view :-)
MIMEDefang (www.mimedefang.org) has a feature to replace attachments with
links. The URLs are using a SHA1-based hash of the content of the file.
The idea is: if someone gained access to the message, s/he would have
access to the attachment, if it had not been removed. The URL is obscured
in such a way, that one would need the content of the file to guess the
URL to it. No need to protect the attachment any further.
Or one could think of the SHA1-based URL as the password to the file.
Such URL could look like:
https://example.com/mailman/private/list/attachments/20110719/5d9da8c3/sha1hash.pdf
or one uses: sha1hash/sanitisedFilename.pdf
or something like that.
Of course, I do not know how the Mailman password stuff works in detail,
so one could place appropriate links into https://host/pipermail/list/ or
yet another base path.
Kind regards,
--
Steffen Kaiser
More information about the Mailman-Users
mailing list