[Mimedefang] Minor web attachment privacy problem.

Jeffrey Goldberg jeffrey at goldmark.org
Thu Jun 26 17:01:08 EDT 2003


There is a minor privacy vulnerability (in special cases) with

  action_replaced_with_url()

I don't use the feature, so it isn't a concern for me; I merely noticed
this when reading the man page.

Suppose A sends a particular large attachment to B, and it gets saved
using that mechanism.

Now suppose that E is aware of the attachment, but suspects that A may
have sent it to B.  E can construct the SHA hash of the document and check
to see if the document has been saved on the website where such an
attachment sent from A to B would be saved.

E can conclude that someone at A's site sent the document (or that someone
at B's site was an intended recipient).

So while it is true that the contents of a document could never be
revealed to someone who doesn't already know it, the fact of sending it
could be discovered.

Solution:  Instead of taking the SHA hash of the document itself, take the
SHA hash of the document concatenated with some secret (but constant)
server key.

Again, the circumstances in which this could be an issue are rare, but
there is that potential privacy leak, and it is easy enough to fix.

-j

-- 
Jeffrey Goldberg                            http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
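
The proposed fix, sketched as an added example (not part of the original post and not MIMEDefang code): it compares a storage name derived from the document alone with one derived from the document plus a secret, constant server key. HMAC is used here as the standard keyed construction in place of the plain concatenation the post suggests; the SHA-1 choice, the in-memory store, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets


def plain_name(doc: bytes) -> str:
    """Name derived from the document alone; anyone holding the document can compute it."""
    return hashlib.sha1(doc).hexdigest()  # SHA-1 assumed; the post says only "SHA"


def keyed_name(doc: bytes, server_key: bytes) -> str:
    """Name derived from the document and a secret, constant server key."""
    return hmac.new(server_key, doc, hashlib.sha1).hexdigest()


class AttachmentStore:
    """In-memory stand-in (hypothetical) for the web directory holding saved attachments."""

    def __init__(self, namer):
        self._namer = namer
        self._files = {}

    def save(self, doc: bytes) -> str:
        name = self._namer(doc)
        self._files[name] = doc  # same document -> same name, so no duplicate copies
        return name

    def exists(self, name: str) -> bool:
        """All an outside requester learns from a URL: found or not found."""
        return name in self._files


def outsider_can_confirm(store: AttachmentStore, known_doc: bytes) -> bool:
    """E holds the document but not the server key, so E can only try the unkeyed hash."""
    return store.exists(plain_name(known_doc))


def demo() -> dict:
    doc = b"constructed sample attachment\n" * 1000  # constructed input
    key = secrets.token_bytes(32)  # generated once and kept on the server
    plain_store = AttachmentStore(plain_name)
    keyed_store = AttachmentStore(lambda d: keyed_name(d, key))
    plain_store.save(doc)
    url_name = keyed_store.save(doc)
    return {
        "plain_leaks": outsider_can_confirm(plain_store, doc),
        "keyed_leaks": outsider_can_confirm(keyed_store, doc),
        "recipient_link_works": keyed_store.exists(url_name),
        "name_is_stable": keyed_name(doc, key) == url_name,
    }
```

Because the key is constant, the same attachment still maps to the same stored name, so the keyed scheme keeps the de-duplication that content-derived names provide.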


