Scripsit Don Armstrong <[EMAIL PROTECTED]>
> On Wed, 17 May 2006, Henning Makholm wrote:

>> How does sending directly from reportbug to an ISP's smarthost
>> validate the user's email address better than sending directly from
>> reportbug to an HTTP POST somewhere?

> I'm talking about an HTTP access method in general; if it were to be
> done, I'd expect that it validate the user's email address before
> actually forwarding bug reports from the user.

Why don't you have the same expectation about SMTP access methods?

>> It is not necessary that there is anywhere any HTML form that refers
>> to the posting URL; only reportbug would need to know it.

> Except for the fact that anyone can create a page which posts to that
> url.

... with a big large text box in which a user is supposed to manually
format some text that can be parsed properly by the unknown backend
script? If anybody _really_ wanted to fake a bug report with a wrong
user, it is much simpler to use an off-the-shelf MUA than to try to
reverse-engineer the data format used by the private reportbug HTTP
application.

-- 
Henning Makholm    "It's sorcery and terror, and I'll be in even
                    worse trouble when I get home!"