On Tue, 26 Mar 2013 15:25:30 +0000 Matthew Toseland wrote:
> This page gives some Freemail bugs related to running a mailing list.

The header issue that is mentioned should be fixed by allowing a few more headers through the filter. I'm guessing the most important one here is reply-to since using reply all is mentioned, but the other list headers should also be safe (more details below).

I'm not sure how to handle the **SPOOFED** issue properly. For now the easiest thing might be to not check the From header if the sending identity has been whitelisted by the user. Not a very user friendly solution, but the only one I can think of right now (except dropping the check completely).

I'm fairly busy at university at the moment, so I can't really promise anything, but the header filtering is simple enough that I can probably get it done in between other stuff. I really should release a new version anyway, so maybe this is a nice reason to get it done :)

The list related headers I've found so far:

Reply-To:
  Should be filtered to only allow Freemail addresses to guard against configuration mishaps leaking the id of the mailing list operator. Ideally we would also check this on the recipient side to make sure email clients can't be tricked into replying outside Freenet.

List-ID:
  We can't really do anything about the list name, but the id should probably be something like name.<list address domain>.freemail. Again the biggest problem is a list configured in a way that leaks the owners id.

List-Archive
List-Help
List-Owner
List-Post
List-Subscribe
List-Unsubscribe:
  Putting http links here won't really work reliably I guess since people don't need to have their node at 127.0.0.1:8888, but mailto links that point to Freemail addresses can at least be allowed through.

_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
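
The filtering rules proposed in the message above for Reply-To and the List-* URL headers, sketched as an added example; this is not Freemail's code and not part of the original post. It assumes a Freemail address has the form local@<id>.freemail, all function names and the sample headers are constructed for illustration, and List-ID is not covered.

```python
import re
from email.utils import getaddresses
from urllib.parse import parse_qsl, unquote

# Assumption: a Freemail address is exactly one local@<id>.freemail pair.
FREEMAIL_ADDR = re.compile(r"[^@,\s<>]+@[^@,\s<>]+\.freemail", re.IGNORECASE)
URL_HEADERS = {"list-archive", "list-help", "list-owner",
               "list-post", "list-subscribe", "list-unsubscribe"}
SAFE_MAILTO_FIELDS = {"subject", "body"}  # to/cc/bcc could add outside recipients

def is_freemail_address(addr):
    return FREEMAIL_ADDR.fullmatch(addr) is not None

def filter_reply_to(value):
    # Keep only the Freemail addresses; display names are dropped as well.
    kept = [a for _, a in getaddresses([value]) if is_freemail_address(a)]
    return ", ".join(kept) or None

def filter_list_urls(value):
    # Keep only <mailto:...> entries whose single target is a Freemail address.
    kept = []
    for uri in re.findall(r"<([^<>]*)>", value):
        scheme, _, rest = uri.partition(":")
        target, _, query = rest.partition("?")
        fields = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        if (scheme.lower() == "mailto" and fields <= SAFE_MAILTO_FIELDS
                and is_freemail_address(unquote(target))):
            kept.append("<" + uri + ">")
    return ", ".join(kept) or None

def filter_list_header(name, value):
    # Returns the sanitized value, or None when the header must be dropped.
    name = name.lower()
    if name == "reply-to":
        return filter_reply_to(value)
    if name in URL_HEADERS:
        return filter_list_urls(value)
    return None  # anything else is outside this sketch and is dropped

SAMPLE = [  # constructed headers, not taken from a real list
    ("Reply-To", "Devs <list@exampleid.freemail>, operator@example.org"),
    ("List-Post", "<mailto:list@exampleid.freemail>"),
    ("List-Archive", "<http://127.0.0.1:8888/archive/>"),
    ("List-Unsubscribe", "<mailto:list@exampleid.freemail?subject=unsubscribe>,"
                         " <mailto:leave@example.org>"),
    ("List-Help", "<mailto:list@exampleid.freemail?cc=operator@example.org>"),
]

def filter_sample():
    return {name: filter_list_header(name, value) for name, value in SAMPLE}
```

Because the functions are pure, the same check can run on the recipient side as well, which is the second safeguard the message asks for.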
