On 2013-04-23 19:13:54 -0500, Derek Martin wrote:
> On Tue, Apr 23, 2013 at 11:58:05PM +0200, Vincent Lefevre wrote:
> > If the goal is to create a temporary file to view an attachment, the
> > contents of the attachment (and/or the mail itself) can be used as a
> > source of random data. I suppose that the attacker isn't the one who
> > sent the mail in question and the mailbox isn't public.
>
> You can't suppose that. :) The message may very well be one that
> was sent by the attacker, specifically to get the user to fall into
> his trap.
If the attacker doesn't want the user to read his attachments, I don't
see the point of sending him a mail in the first place. :)

> > More generally, if a mailbox is open and non-empty, this is a source
> > of random data too...
>
> If the user is not careful to protect the mail store with restrictive
> permissions, an attacker may very well already have the contents of
> the file. This presupposes that the user is ignorant or unconcerned
> about security issues; but many of them are.

This could inform the user that his mail is not protected, which is a
much more important problem than not being able to read attachments.

> Additionally, in either case, if only plain text is involved, then the
> resulting randomness is quite poor; as natural language tends to fall
> into very recognizable patterns, there's not enough entropy.

I disagree. For instance, you can compute the MD5, SHA1 or another
cryptographic hash of the headers, and I doubt this can be guessed!

> There's also the question of how you will use the data once you read
> it from the file; for instance simply using what you read may expose
> the contents to anyone who has access to the directory where the temp
> file will be written.

The purpose of a cryptographic hash is to be unable to retrieve the
contents, even partially.

> Again, the subdirectory approach eliminates this particular issue.

Yes, but either the user needs to create one, or you need a function
like mkdtemp, which is POSIX.1-2008, but may not be available on some
systems. Or you can decide that temporary files could be stored under
~/.cache/mutt by default (configurable in the .muttrc).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
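The "subdirectory approach" discussed in the exchange above, as an added example in C; this is not code from mutt or from either poster. It creates a private directory with mkdtemp(), which chooses the suffix itself and sets mode 0700 regardless of umask, and then creates the attachment file inside it with O_CREAT|O_EXCL|O_NOFOLLOW, so that a file or symlink planted in advance by another local user makes open() fail instead of being followed. The base directory ($TMPDIR, else /tmp), the "mutt-XXXXXX" template, the function names and the attachment body are assumptions chosen for the illustration.

```c
#define _XOPEN_SOURCE 700   /* glibc: expose mkdtemp(), O_NOFOLLOW, O_CLOEXEC */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private 0700 directory under `base` with mkdtemp(), then create
 * `name` inside it with O_EXCL|O_NOFOLLOW and write `data` to it.
 * Returns 0 and fills `out_path` on success, -1 on failure (errno is set
 * by the failing call; partial results are removed). */
int create_private_tmpfile(const char *base, const char *name,
                           const char *data, size_t len,
                           char *out_path, size_t out_len)
{
    char dir[PATH_MAX];
    struct stat st;
    int fd;

    /* Template name is an assumption; mkdtemp() replaces the XXXXXX. */
    if (snprintf(dir, sizeof dir, "%s/mutt-XXXXXX", base) >= (int)sizeof dir)
        return -1;
    if (mkdtemp(dir) == NULL)
        return -1;

    /* Verify what we got: a real directory, ours, mode exactly 0700. */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)
        || st.st_uid != getuid() || (st.st_mode & 0777) != 0700) {
        rmdir(dir);
        return -1;
    }
    if (snprintf(out_path, out_len, "%s/%s", dir, name) >= (int)out_len) {
        rmdir(dir);
        return -1;
    }
    /* O_EXCL: fail if anything already exists; O_NOFOLLOW: never chase a link. */
    fd = open(out_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd); unlink(out_path); rmdir(dir);
            return -1;
        }
        data += n;
        len -= (size_t)n;
    }
    if (close(fd) != 0) { unlink(out_path); rmdir(dir); return -1; }
    return 0;
}

/* Remove the file and the private directory that holds it. */
int remove_private_tmpfile(const char *path)
{
    char dir[PATH_MAX];
    char *slash;

    if (strlen(path) >= sizeof dir || (slash = strrchr(path, '/')) == NULL)
        return -1;
    memcpy(dir, path, (size_t)(slash - path));
    dir[slash - path] = '\0';
    if (unlink(path) != 0)
        return -1;
    return rmdir(dir);
}

/* Round trip with a constructed attachment body (not a real message).
 * Returns 0 if the file was created 0600 inside a 0700 directory, reads
 * back intact, and was cleaned up; -1 otherwise. */
int demo(void)
{
    static const char body[] =
        "Content-Type: text/plain\r\n\r\nhello from a constructed attachment\n";
    const char *base = getenv("TMPDIR");
    char path[PATH_MAX], buf[sizeof body];
    struct stat st;
    ssize_t n;
    int fd;

    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (create_private_tmpfile(base, "attachment.txt", body, sizeof body - 1,
                               path, sizeof path) != 0)
        return -1;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 0777) != 0600
        || (fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)) < 0) {
        remove_private_tmpfile(path);
        return -1;
    }
    n = read(fd, buf, sizeof buf);
    close(fd);
    if (n != (ssize_t)(sizeof body - 1) || memcmp(buf, body, (size_t)n) != 0) {
        remove_private_tmpfile(path);
        return -1;
    }
    return remove_private_tmpfile(path);
}

int main(void)
{
    int rc = demo();
    puts(rc == 0 ? "private temp file round-trip OK" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

Nothing here draws randomness from the message: the directory suffix is chosen by the C library, and even if an attacker could guess it, the 0700 directory and the O_EXCL|O_NOFOLLOW open are what keep the scheme safe, since a pre-planted entry simply makes the call fail. On a system without mkdtemp() (the portability caveat raised above) this will not link; the per-file O_EXCL|O_NOFOLLOW discipline still applies, but the private directory then has to be created another way, for instance a fixed per-user directory such as ~/.cache/mutt whose mode is checked before use.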