Fitzpatrick, Ted wrote:
>Thanks, Mark. The MUA is including "application/octet-stream" as the
>mime type. I didn't include this as passable because I wanted to strip
>".exe" files from messages. It looks like if I want to enable
>subscribers to attach PDF files, it will at the same time enable them to
>attach EXE files. From the security perspective, do most Mailman admins
>let EXE files pass?

You'll want to test all this to be sure, but there's already a default list of extensions in filter_filename_extensions which is 'exe', 'bat', 'cmd', 'com', 'pif', 'scr', 'vbs', 'cpl' which should block any 'named' attachments with those extensions.

However, if you add 'application/octet-stream' to pass_mime_types and put 'pdf' and 'png' in pass_filename_extensions you should wind up accepting named with extension attachments with only .png and .pdf extensions. You will also accept an application/octet-stream attachment without an extension, but this may not be particularly risky, at least to those users with systems that identify a file type by extension.

So no, it is not a good idea to allow .exe attachments on your list, but you can allow some application/octet-stream files and still not allow .exe files.

--
Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
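
The filter decisions described in the reply above can be checked against a test message before changing a live list. This is an added sketch, not Mailman's code and not part of the original post: the function names are hypothetical, 'text/plain' in pass_mime_types is an assumption so the message body survives, and the sample message is constructed.

```python
import os
from email.message import EmailMessage

# Default extension block list quoted in the reply above.
FILTER_FILENAME_EXTENSIONS = ['exe', 'bat', 'cmd', 'com', 'pif', 'scr', 'vbs', 'cpl']
# Settings proposed in the reply; 'text/plain' is an assumption of this example.
PASS_MIME_TYPES = ['text/plain', 'application/octet-stream']
PASS_FILENAME_EXTENSIONS = ['pdf', 'png']


def file_ext(part):
    """Lower-cased filename extension, or '' when the part is unnamed."""
    name = part.get_filename() or ''
    return os.path.splitext(name)[1].lstrip('.').lower()


def keep_part(part, pass_types, filter_exts, pass_exts):
    """Model of the pass/strip decision for one leaf MIME part."""
    ctype = part.get_content_type()
    mtype = part.get_content_maintype()
    if pass_types and ctype not in pass_types and mtype not in pass_types:
        return False                      # MIME type not on the pass list
    ext = file_ext(part)
    if ext:
        if ext in filter_exts:
            return False                  # explicitly blocked extension
        if pass_exts and ext not in pass_exts:
            return False                  # named, but extension not allowed
    return True                           # no extension: only the type check applies


def surviving_parts(msg, pass_types=PASS_MIME_TYPES,
                    filter_exts=FILTER_FILENAME_EXTENSIONS,
                    pass_exts=PASS_FILENAME_EXTENSIONS):
    """Return (content type, filename) for every leaf part that would be kept."""
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk()
            if not p.is_multipart() and keep_part(p, pass_types, filter_exts, pass_exts)]


def build_sample():
    """Constructed message: every attachment arrives as application/octet-stream."""
    msg = EmailMessage()
    msg.set_content('See attachments.')
    for name in ('report.pdf', 'chart.PNG', 'setup.exe', 'notes.docx', None):
        msg.add_attachment(b'constructed bytes', maintype='application',
                           subtype='octet-stream', filename=name)
    return msg


if __name__ == '__main__':
    for ctype, name in surviving_parts(build_sample()):
        print(ctype, name)
```

The unnamed application/octet-stream part is kept, which is the residual case the reply points out; test the real list with a message like this one to confirm the behaviour.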
