[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Nmh-workers] external-body and mail-server access type

From: Ken Hornstein
Subject: [Nmh-workers] external-body and mail-server access type
Date: Mon, 10 Feb 2014 15:04:43 -0500

You know, I'm not even sure why I care about this, since I doubt anyone
still USES these things, but what the hell ...

I was working on some stuff today, and I noticed some weird stuff in the
handling of message/external body (see RFC 2046 for more information).
Specifically, in the mail-server access type.

The way this would work was that the external-body type would contain
a message body to send to a specified email address, and presumably later
you'd get the requested content back.

However, it looks like there was some escaping you could put in the
mail body.  In other words, you'd get a MIME message from someone with
an external-body type, and the "body" of the message you were supposed to
send could contain escapes.  Specifically, you could put stuff like \n
for '\n', \t for '\t', and that's sort of obvious.  But you could also
do things like \I for the Content-ID, \N for a "name" parameter, and
\T for all of the MIME parameters.

This was never specified in any RFC.  It looks like this was added to MH
back in 1993.  The relevant RCS logs for these changes are:

revision 2.35
date: 1993/10/26 22:17:44;  author: jromine;  state: Exp;  lines: +113 -33
change to re-sync with mtr's version
revision 2.34
date: 1993/10/26 20:15:00;  author: jromine;  state: Exp;  lines: +59 -11
fixes from mtr -- content-id?

Which is ... not illuminating?  Okay, mtr is Marshall T. Rose, even I
know that.  But it doesn't really explain what's going on.  It looks like
Marshall Rose added some stuff and we don't really know why.  Also ...
Marshall Rose is apparently married to Candage Bergen?  Hm, seems to
be a different Marshall Rose.  Moving on ...

This begs a larger question ... should we even retain support for
mail-server anymore?  I mean, I don't think any other MUA's support it.
It seems like external-body support actually isn't that common (although
I believe from testing a fair number support the URL access-type).
It just seems like a potential security nightmare, aside from this
unspecified, undocumented escaping in the message body :-/


reply via email to

[Prev in Thread] Current Thread [Next in Thread]