Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs
From: Ralph Corderoy
Subject: Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs
Date: Sun, 27 May 2018 11:29:09 +0100

Hi Anthony,

> - It leaks the IP address of my mail client simply by reading an
> email.

IIRC that was the motivation for me trying it; how many distinct IP
addresses hit the URL. Related to your point, I could know the
recipient viewed the email three times a couple of days ago, once from
somewhere he denies going, the rake, yet still hasn't replied.

> - Curl's user agent contains a version number (could allow OS
> identification, or targeting of vulnerable curl versions).

curl(1) has `-A' to set the user agent. Perhaps mhn-defaults should
plonk nmh in there with an escape for a version? Your point still
applies.

curl also offers cookie jars though I don't know if they're used by
default with mhn.default's simple invocation, but perhaps the `.curlrc'
loaded by default as we don't give `-q' might. This means the URL can
benefit from their values.

> - Fetching http content is subject to man-in-the-middle attacks.

Third-party services like httpbin.org offer URLs that delay before
serving, slowing down mail viewing.

Small emails that get under fetchmail's `-l' limit may still cause high
usage of network budget.

> - It can be used to poke intranets (http://192.168.x.y/admin.php?...)

Yes, though any output would be seen. GETing Internet URLs may also
have a side effect. `Vote for me!'.

This telnet-schema URL doesn't work because curl's stdin isn't
/dev/null, but the TTY. And the dict-schema one can't use `DEFINE
jargon recursion' as the path because nmh strips whitespace from `url',
the comment referring to RFC 2017.

- <telnet://time-b.timefreq.bldrdoc.gov:13/>
- <dict://dict.org/HELP>
- <file:///etc/passwd>

curl(1) supports quite a few other schemas, though libcurl is compiled
without some of them here. SFTP supports lots of file manipulation
commands, but again the whitespace removal is a hindrance.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
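
Added example, not part of the message above and not nmh's own code: a guarded fetch wrapper that addresses the points raised in the thread (non-HTTP schemes, intranet addresses, `.curlrc` and cookie jars, the versioned user agent, slow or oversized responses, stdin left on the TTY). The function names `url_ok` and `safe_fetch`, the `nmh` user-agent string and the time and size limits are assumptions chosen for illustration.

```shell
#!/bin/sh
# Hypothetical helper an external-body handler could call instead of bare curl.

# url_ok URL: succeed only for https URLs whose host is not an obvious
# loopback, private or link-local literal. No DNS lookup is done, so a
# hostname that resolves to an internal address is not caught here.
# Prefix matching is deliberately conservative (10.example.com is refused).
url_ok() {
    case $1 in
        https://*) ;;
        *) return 1 ;;            # file:, telnet:, dict:, sftp:, plain http:
    esac
    rest=${1#https://}
    authority=${rest%%[/?#]*}     # cut at path, query or fragment
    host=${authority##*@}         # drop any userinfo
    case $host in
        \[*) return 1 ;;          # IPv6 literal: refuse rather than parse
    esac
    host=${host%%:*}              # drop port
    case $host in
        ''|localhost|127.*|10.*|192.168.*|169.254.*|0.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# safe_fetch URL: write the body to stdout with curl's defaults locked down.
safe_fetch() {
    url_ok "$1" || { echo "refusing to fetch: $1" >&2; return 1; }
    # -q first: ignore ~/.curlrc and any cookie jar it configures.
    # --proto '=https': only https, whatever libcurl was built with.
    # No -L: redirects are not followed, so an allowed host cannot
    #        bounce the request to an intranet address.
    # -A: fixed user agent with no curl version number.
    # --max-time / --max-filesize: bound the delay and the network usage.
    # stdin from /dev/null so nothing can read from the TTY.
    curl -q --silent --show-error --fail \
        --proto '=https' -A 'nmh' \
        --max-time 20 --max-filesize 1048576 \
        "$1" </dev/null
}
```

The IP-address leak itself remains for any URL that is fetched; the wrapper only narrows what can be fetched and how.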