User: Password:
|
|
Subscribe / Log in / New account

Trusting user-supplied data...

Trusting user-supplied data...

Posted Apr 30, 2014 17:21 UTC (Wed) by dskoll (subscriber, #1630)
In reply to: Trusting user-supplied data... by tzafrir
Parent article: A preview of HyperKitty's reimagined mailing list interface

Yes, but unless I'm missing something, HyperKitty does assume Message-IDs are unique.

The safest way to have stable URLs is to generate a random string, concatenate a sequence number, and put the result in an X-Archive-Id: header in the message and store the message with that header in the archive (and include the header in all remailed copies.)

That way, the archive identifier is completely under the control of the mailing list software and not the message originator.

The downside is you can't auto-generate links based on the References: or In-Reply-To: header, but you could map Message-IDs to archive IDs. If you see a given Message-ID more than once, you treat it as contaminated and don't use it to generate links... this minimizes what an attacker can do.


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds