On Thu, 21 Jul 2011, Mark Sapiro wrote:
On 7/20/2011 1:53 AM, Steffen Kaiser wrote:
is it possible to access scrubbed attachments of private lists without a
password?
No. Scrubbed attachments are stored in the list's archive file hierarchy
and have to be accessed as anything else in the list's archives. If the
archive is private, this requires a password.
Also, in general, it seems to me that if a list's archives are private,
it would not be a good idea to make attachments to list posts publicly
accessible.
That depends on the view :-)
MIMEDefang (www.mimedefang.org) has a feature to replace attachments with
links. The URLs are using a SHA1-based hash of the content of the file.
The idea is: if someone gained access to the message, s/he would have
access to the attachment, if it had not been removed. The URL is obscured
in such a way, that one would need the content of the file to guess the
URL to it. No need to protect the attachment any further.
Or one could think of the SHA1-based URL as the password to the file.
Such URL could look like:
https://example.com/mailman/private/list/attachments/20110719/5d9da8c3/sha1hash.pdf
or one uses: sha1hash/sanitisedFilename.pdf
or something like that.
Of course, I do not know how the Mailman password stuff works in detail,
so one could place appropriate links into https://host/pipermail/list/ or
yet another base path.
Kind regards,
--
Steffen Kaiser
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe:
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org