Re: [Nmh-workers] I need help reading the mhstore man page

From: Ken Hornstein
Subject: Re: [Nmh-workers] I need help reading the mhstore man page
Date: Fri, 28 Feb 2014 11:21:18 -0500

>The man page for mhstore recommends that, for the sake of security, I not put
>the -auto switch in .mh_profile. Whatever the security risk is, would it not
>also be present if I invoke mhstore with that switch? But the man page does
>not seem to recommend against that.

-auto uses the filename that may be present in the MIME headers as the
filename of the output file.  So, for example, if I were to send you a
file named ".cshrc" (or .profile ... you get the idea), it could cause
an issue if you didn't notice what it was doing.  Looking at it more
closely ... you know, I think -clobber always is a terrible default.

I combine -auto with nmh-storage: /tmp.  I think that's reasonable.


