On 2005-08-24, David Gomillion wrote:
> [EMAIL PROTECTED] wrote:
>
> I agree 100% with you, Sam. The only problem is that I have some less-savvy
> users.
>
> Can we implement a feature that allows us to set a variable that determines
> if the Display link even appears? From the original email, it looks like
> they are asserting that using the Display link will allow arbitrary code to
> run on the server, which is never a good thing.
>

How should it be possible to run arbitrary code on the server???

> It'd be really nice to be able to set it per mime type, but just hiding the
> Display link for all attachment types would be good enough for my
> installation.
>

I also agree. It would be a reasonable feature to deactivate the display
function. It should also be possible to "logout" before viewing the
attachment in order to prevent cross-site scripting, like when clicking on
links inside mails. But this involves a lot more work and does not eliminate
all kinds of issues (i.e. with stupid users and unsecure browsers).

-- 
Georg

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net