[dev] Re: [cvs] commit: imp/lib/MIME/Viewer tnef.php
Michael M Slusarz
slusarz@bigworm.colorado.edu
Mon, 3 Jun 2002 20:56:22 -0600
Quoting Chuck Hagenbuch <chuck@horde.org>:
| chuck 2002/06/03 19:06:30 PDT
|
| Modified files:
| lib/MIME/Viewer tnef.php
| Log:
| remove a gaping security hole. Can someone explain what this was
| supposed to do?
|
| Revision Changes Path
| 1.2 +21 -31 imp/lib/MIME/Viewer/tnef.php
Wow. My bad. This is called losing the forest for the trees. I was
actually going to implement this very differently - and safely - but
instead coded it in a bonehead way. I see this is exactly why we have the
CVS list.

But... this functionality is needed. The offending code was what actually
displayed the attachments. The current code will simply list the
attachments that occur inside of a TNEF attachment - of very limited
usefulness. The security hole part is what actually returns the data to
the user. Instead of passing the filename back to the MIME Viewer, I will
instead pass the position of the file in the TNEF attachment - this should
circumvent any security issues.

michael
______________________________________________
Michael Slusarz [slusarz@bigworm.colorado.edu]
The University of Colorado at Boulder
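
The approach described in the message above (hand the viewer a position inside the TNEF attachment instead of a filename), sketched as an added example that is not part of the original post and is not IMP's code. The function names, the shape of `$entries` and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the $entries shape are hypothetical.

// Map a request parameter to one decoded entry. $entries is the list the
// server built by decoding the TNEF part: [['name' => ..., 'data' => ...], ...].
function tnef_entry_by_position(array $entries, $rawPosition): ?array
{
    // Accept only a plain decimal index: no sign, spaces, or leading zeros.
    if (!is_string($rawPosition) || !preg_match('/^(0|[1-9][0-9]{0,5})$/D', $rawPosition)) {
        return null;
    }
    $entries = array_values($entries);   // force keys 0..n-1
    $pos = (int) $rawPosition;
    return $pos < count($entries) ? $entries[$pos] : null;
}

// The embedded name is chosen by the sender, so it is used only as a
// download label and never to locate data on the server.
function tnef_display_name(string $embeddedName, int $pos): string
{
    $name = basename(str_replace('\\', '/', $embeddedName));
    $name = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '_', $name), '.');
    return $name !== '' ? $name : "attachment-$pos";
}

// Constructed sample: two entries as a decoder might return them.
$entries = [
    ['name' => 'report.doc',        'data' => 'FIRST-ENTRY-BYTES'],
    ['name' => '..\\..\\notes.txt', 'data' => 'SECOND-ENTRY-BYTES'],
];

// Constructed request values: valid positions, then values that are not.
foreach (['0', '1', '2', '-1', '01', 'report.doc'] as $raw) {
    $entry = tnef_entry_by_position($entries, $raw);
    if ($entry === null) {
        echo "position '$raw': rejected\n";
        continue;
    }
    $label = tnef_display_name($entry['name'], (int) $raw);
    echo "position '$raw': serve ", strlen($entry['data']), " bytes as '$label'\n";
}
```

The client-supplied value only selects among entries the server has already decoded from the message, so a value that is not a valid index yields nothing.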