[Mimedefang] javascript in html attachments

Paul Whittney pwhittney at net.bacconsulting.com
Fri Mar 5 15:11:45 EST 2004


On Fri, Mar 05, 2004 at 02:08:58PM -0500, David F. Skoll wrote:
> > I'm also concerned that this will escalate into "Block all htm/html
> > files",
> 
> And why would that be a problem?
> 
> HTML is bad enough.  If you allow your mail clients to run
> JavaScript, then server-side mail filters would need a JavaScript
> interpreter to do a proper job of analysing the mail.  And the security
> implications of that are too horrendous to contemplate.

I don't have the "Authority" to tell the client what they should, and should
not use (that's a problem in itself ;-). I assume then many people add to the
bad extensions list 
$bad_exts = ... |htm|html|...;

(or is it best as |htm[l]*| ??)

I'm not sure I have the authority to block all html attachments, as people
prefer sending them than docs and zips.
(To be honest, I shouldn't block anything, but I risk blocking pif, 
scr, and exe's).

But if you prohibit the sending of normal file attachments, zip files
(encrypted, or not), how do you advise your client/director/friends, to 
send you that "new important file that will make your product work at a 
client site because some update or system broke it in the first place"?

Has anyone had any problems dropping html attachments?

Should the extension list also include: .pl .tcl .tk?
(As outlook can have those connected to perl, and tcl/tk programs if
you run active perl)??
What about .tar .gz .tgz .rar?

I suppose it comes down to how many false positives you're prepared to
accept (or prepared to answer to when the director can't get that "oh
so important file" from his friend that turns out to be non work related)

I know I could justify a lot of extensions to block, but the users aren't
always prepared (and I know, that's their problem) to change, compress, or
alter files.

I do want to say Thank You to all those people that have responded, it's
helping a lot (I just need to look at the amount of mimedefang messages
I have to tell me that it's a great help), and that these items I'm coming
up with are just little things.

Keep up the great work, people!!!

-Paul Whittney
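
The two spellings of the extension pattern asked about above (plus `html?`), compared in a standalone Perl script. This is an added example, not part of the original message and not MIMEDefang's own filter code; the end-anchored, case-insensitive match, the shortened extension list and the sample filenames are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Candidate alternations, shortened to extensions named in the message.
# Assumption: the filter matches a literal dot, then one of these, anchored
# to the end of the attachment filename, case-insensitively.
my %candidates = (
    'htm|html' => 'exe|pif|scr|htm|html',
    'htm[l]*'  => 'exe|pif|scr|htm[l]*',
    'html?'    => 'exe|pif|scr|html?',
);

# Constructed sample filenames, not taken from real mail.
my @names = qw(
    report.html index.HTM notes.htmll
    page.html.txt htmlguide.pdf setup.exe
);

# Returns 1 if the filename ends in a listed extension, 0 otherwise.
sub is_bad {
    my ($alternation, $name) = @_;
    return $name =~ /\.(?:$alternation)$/i ? 1 : 0;
}

for my $label (sort keys %candidates) {
    print "$label\n";
    for my $name (@names) {
        my $verdict = is_bad($candidates{$label}, $name) ? 'blocked' : 'allowed';
        printf "  %-16s %s\n", $name, $verdict;
    }
}
```

With these inputs `htm|html` and `html?` give identical verdicts, while `htm[l]*` additionally blocks `notes.htmll` because `[l]*` accepts any number of trailing `l` characters. None of the three blocks `page.html.txt` or `htmlguide.pdf`, since the match is anchored to the final extension.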


