From alec@alec.pl Wed Apr 1 04:42:11 2009
From: "A.L.E.C"
To: dev@lists.roundcube.net
Subject: [RCD] http://trac.roundcube.net/ticket/1485789
Date: Wed, 01 Apr 2009 13:40:05 +0200
Message-ID: <49D35295.50903@alec.pl>

Is there any (security?) reason to not allow links with any protocol in
the href attribute (washtml.php)?

-- 
Aleksander 'A.L.E.C' Machniak http://alec.pl gg:2275252
LAN Management System Developer http://lms.org.pl
Roundcube Webmail Project Developer http://roundcube.net
_______________________________________________
List info: http://lists.roundcube.net/dev/

From roundcube@gmail.com Wed Apr 1 05:07:54 2009
From: Thomas Bruederli
To: dev@lists.roundcube.net
Subject: Re: [RCD] http://trac.roundcube.net/ticket/1485789
Date: Wed, 01 Apr 2009 14:07:45 +0200
Message-ID: <793f54f40904010507mf2b9749rd97de6320b8b65fa@mail.gmail.com>
In-Reply-To: <49D35295.50903@alec.pl>

2009/4/1 A.L.E.C :
> Is there any (security?) reason to not allow links with any protocol in
> href attribute (washtml.php)?

This question should be asked to the original author of washtml. In
general I'd be conservative when it comes to html cleaning. We may
expand the list of allowed protocols but on the basis of a white list.

Protocols like file:// or others that invoke external apps are IMO
dangerous and should not be linked directly.

Just my 2 cents...

~Thomas

From alec@alec.pl Thu Apr 2 10:54:51 2009
From: "A.L.E.C"
To: dev@lists.roundcube.net
Subject: Re: [RCD] http://trac.roundcube.net/ticket/1485789
Date: Thu, 02 Apr 2009 19:54:36 +0200
Message-ID: <49D4FBDC.5050801@alec.pl>
In-Reply-To: <793f54f40904010507mf2b9749rd97de6320b8b65fa@mail.gmail.com>

Thomas Bruederli wrote:
> This question should be asked to the original author of washtml. In
> general I'd be conservative when it comes to html cleaning. We may
> expand the list of allowed protocols but on the basis of a white list.
>
> Protocols like file:// or others that invoke external apps are IMO
> dangerous and should not be linked directly.
>
> Just my 2 cents...

Ok, I can agree with you, but there's a related issue with html to text
conversion. If you send an html message with , the text part contains a
"http://mymail.domain.com/file://aaa" link on the list. If we're removing
file:// links in washtml, we should do the same in the to-text conversion.
It's just not coherent.

-- 
Aleksander 'A.L.E.C' Machniak http://alec.pl gg:2275252
LAN Management System Developer http://lms.org.pl
Roundcube Webmail Developer http://roundcube.net
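An added example, not Roundcube's washtml code, of the white-list approach Thomas describes, with one scheme check shared by the HTML-cleaning path and the html-to-text path so the two parts of a message stay coherent as Aleksander asks. The allowed scheme set, the function names and the base URL are assumptions for illustration.

```python
import re
from typing import Optional
from urllib.parse import urljoin

# Assumed white list: schemes a rendered message may link to directly.
# Everything else (file:, javascript:, data:, custom handlers) is refused.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Browsers drop ASCII control characters and spaces before parsing the
# scheme, so the check must see the same cleaned value the browser would.
_CTRL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def href_scheme(href: str) -> Optional[str]:
    """Lower-cased scheme of an href, or None when the link is relative."""
    cleaned = _CTRL.sub("", href)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_link(href: str) -> bool:
    """Policy used by both code paths: relative links and white-listed
    schemes pass; any other scheme is refused."""
    scheme = href_scheme(href)
    if scheme is None:
        return True  # relative: resolved against the message's base URL
    return scheme in ALLOWED_SCHEMES


def wash_href(href: str) -> Optional[str]:
    """HTML-cleaning side: keep the attribute value or drop it entirely."""
    return href if is_safe_link(href) else None


def text_link(href: str, base: str) -> Optional[str]:
    """Html-to-text side: absolute URL to list in the text part, or None.

    Applying the same policy before resolving against the base avoids
    emitting a refused link, mangled or not, into the text part.
    """
    if not is_safe_link(href):
        return None
    return urljoin(base, href)
```

Both sides consult is_safe_link, so adding or removing a scheme in ALLOWED_SCHEMES changes the HTML and text output together.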