On Mon, 2011-09-12 at 00:40 -0600, Vibha Yadav wrote: 
> I have following list of files to be blacklisted:

I know we discussed this already, but just to clarify for others: the
blacklist only applies to "attach" parameters in mailto: URLs.  You can
still attach any file manually in the composer window.

I think instead of the blacklist consisting entirely of individual file
names, which we'll constantly have to amend, you can eliminate most of
these and be pretty darn future-proof by applying the following rules:

  - No hidden files (e.g. ".foo").

  - No files in hidden directories (e.g. ".secret/foo").

  - No files under /etc.

  - No files with ".." as a path component.

That leaves only a few individual files in the blacklist, which we can
amend as needed.

When eliminating a file attachment in a mailto: URL, print a message to
the terminal stating so -- "suspicious attachment $FILENAME was removed
for security" -- or something thereabouts.

evolution-hackers mailing list
To change your list options or unsubscribe, visit ...

Reply via email to