Hi Jeffrey

Thanks a lot for your fast answer!!

On Thu, 2003-08-14 at 20:46, Jeffrey Stedfast wrote:
> On Thu, 2003-08-14 at 14:13, Andreas Wüst wrote:
> > Hi
> >
> > Am I right that evolution doesn't seem to do any better than outlook when
> > it comes to inlined data?
> >
> > If you get an email sporting a line like
> >
> > <img src="cid:blablabla">
> >
> > and attached you get a file with a
> >
> > Content-ID: blablabla
> >
> > string, evolution tries to display this stuff inline, no?
>
> yes and no...
>
> >
> > And since most of these attachments are viruses today, the user is no
> > better off than an outlook user?!
> >
> > Please correct me, if this isn't so! But, e.g. what happens, when you
> > receive an email with an attachment blabla.scr, and the mime type is
> > audio/wav, and this file is inlined by the above tag, then evolution
> > tries to view (play) it (of course it's not a wav file, just look at the
> > file suffix, it's just some viral code)?
>
> well, since the attachment won't be able to load as an image file,
> nothing will happen. you'll get an iframe box or something with nothing
> in it.

Uhhm, yes, I just got the Header, and then nothing (or a small black
point). The mail consisted only of the iframe stuff (and the
attachment).

> > There is obviously no button which you could press to view the
> > attachment, since it's getting viewed inline. Is there any way to
> > prevent evolution from doing so?
>
> evolution will ONLY display stuff inline if it:
>
> 1. has a builtin handler (which is basically limited to image handlers
> and vcard/ical stuff - ie stuff that is "safe". as with all things, it's
> possible that the data may cause gtk's image loading code to crash or
> evo's addressbook/calendar control code to crash...)

Well, I guess it's not that big a problem if it crashes. As long as
there's no vulnerability in the image loading code, it's ok. But, what
happens if the attachment is of mime type image/jpeg and there's not a
jpeg in but a virus? Will evolution just fail to load the image and let
the user know by a requester, or will there just be a blank space?

> 2. or if you:
>    a) have a bonobo control capable of handling the specified mime type
>
>    and
>
>    b) configured your MIME-types & Applications control centre crapplet
> to use this bonobo control for viewing these types

Hmm, obviously seems to be the case.

>    and
>
>    c) EXPLICITLY allow Evolution to use bonobo-controls for this
> mime-type (which is only configurable via gconf - there is no UI for
> this so you have to be a bit of a hacker to find/set it in the first
> place)

Well, you never know what your friendly package maintainer does ;)
Which file of the gconf database should I check? But there is still the
question what happens if the player or viewer gets called, but the file
to view or play is not a correct file?

> So as far as I'm aware, Evolution is a LOT safer than Outlook in this
> regard. If you find logic mistakes in our reasoning, please let us
> know.

No, there are no logic mistakes, but some minor steps to check
(vulnerability of viewer code, feedback to user if something was tried
to display but failed, ..). But I would still prefer a global option to
stop evolution displaying anything but text, or to turn off html
rendering at all (no, not the show email source option).

--
Sorry if I sound a bit picky, I just want to use a highly secure email
client (paired with a lot of comfort).

Best wishes,
Andi
_______________________________________________
evolution maillist  -  [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution
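
The blabla.scr case discussed above, as an added example that is not part of the original thread and is not Evolution's code: a Python check that finds the parts an HTML body inlines through cid: and compares each part's declared MIME type with its filename suffix and leading bytes. The EXPECT table, the function names and the sample mail are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Declared type -> (accepted filename suffixes, accepted leading payload bytes).
EXPECT = {
    "image/jpeg": ((".jpg", ".jpeg"), (b"\xff\xd8\xff",)),
    "image/png": ((".png",), (b"\x89PNG\r\n\x1a\n",)),
    "image/gif": ((".gif",), (b"GIF87a", b"GIF89a")),
    "audio/wav": ((".wav",), (b"RIFF",)),
}
CID_REF = re.compile(r"""(?:src|href)\s*=\s*["']?cid:([^"'\s>]+)""", re.I)

def audit_inline_parts(raw: bytes):
    """List (content_id, declared_type, filename, problems) for each part
    that the HTML body pulls in through a cid: reference."""
    msg = message_from_bytes(raw, policy=policy.default)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(CID_REF.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid not in referenced:
            continue
        ctype, name = part.get_content_type(), part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        problems = []
        if ctype not in EXPECT:
            problems.append("declared type not in check table")
        else:
            suffixes, magics = EXPECT[ctype]
            if name and not name.lower().endswith(suffixes):
                problems.append("suffix does not match declared type")
            if not data.startswith(magics):
                problems.append("payload does not match declared type")
        findings.append((cid, ctype, name, problems))
    return findings

def constructed_sample() -> bytes:
    """Constructed mail: blabla.scr declared audio/wav, inlined via cid."""
    m = EmailMessage()
    m.set_content("plain body")
    m.add_alternative('<html><img src="cid:blablabla"></html>', subtype="html")
    m.get_payload()[1].add_related(b"MZ" + bytes(16), "audio", "wav",
                                   cid="<blablabla>", filename="blabla.scr")
    return m.as_bytes()
```

Calling audit_inline_parts(constructed_sample()) reports both the suffix mismatch and the payload mismatch for the blablabla part; a mail filter could quarantine or strip such parts before the client ever renders them.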
