You know, I'm not even sure why I care about this, since I doubt anyone still USES these things, but what the hell ...
I was working on some stuff today, and I noticed some weird stuff in the handling of message/external-body (see RFC 2046 for more information). Specifically, in the mail-server access type.

The way this would work was that the external-body type would contain a message body to send to a specified email address, and presumably later you'd get the requested content back. However, it looks like there was some escaping you could put in the mail body. In other words, you'd get a MIME message from someone with an external-body type, and the "body" of the message you were supposed to send could contain escapes. Specifically, you could put stuff like \n for '\n', \t for '\t', and that's sort of obvious. But you could also do things like \I for the Content-ID, \N for a "name" parameter, and \T for all of the MIME parameters.

This was never specified in any RFC. It looks like this was added to MH back in 1993. The relevant RCS logs for these changes are:

----------------------------
revision 2.35
date: 1993/10/26 22:17:44;  author: jromine;  state: Exp;  lines: +113 -33
change to re-sync with mtr's version
----------------------------
revision 2.34
date: 1993/10/26 20:15:00;  author: jromine;  state: Exp;  lines: +59 -11
fixes from mtr -- content-id?
----------------------------

Which is ... not illuminating? Okay, mtr is Marshall T. Rose, even I know that. But it doesn't really explain what's going on. It looks like Marshall Rose added some stuff and we don't really know why. Also ... Marshall Rose is apparently married to Candice Bergen? Hm, seems to be a different Marshall Rose. Moving on ...

This begs a larger question ... should we even retain support for mail-server anymore? I mean, I don't think any other MUAs support it. It seems like external-body support actually isn't that common (although I believe from testing a fair number support the URL access-type).
It just seems like a potential security nightmare, aside from this unspecified, undocumented escaping in the message body :-/

--Ken
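
An added example, not part of the original post and not nmh code: a small audit script that finds message/external-body parts using the mail-server access type and reports which of the escapes named above appear in the body that would be mailed out. The sample message, its addresses and the function name find_mail_server_parts are constructed for illustration.

```python
import email
import re

# Escapes the post lists for the mail-server body: \n \t \I \N \T
ESCAPES = re.compile(r"\\([ntINT])")

# Constructed sample message, not taken from the post or from nmh.
SAMPLE = rb"""From: sender@example.org
To: reader@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: message/external-body; access-type=mail-server;
 server="listserv@example.org"; name="report.txt"
Content-ID: <part1@example.org>

Content-Type: text/plain

get \N\nreply-id \I\n
--b1--
"""

def find_mail_server_parts(raw):
    """Return one finding per external-body part with access-type=mail-server."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_type() != "message/external-body":
            continue
        if str(part.get_param("access-type", "")).lower() != "mail-server":
            continue
        # The parser exposes the encapsulated headers plus the text after them
        # (the body to be mailed to the server) as a nested message.
        inner = part.get_payload()
        body = inner[0].get_payload() if isinstance(inner, list) and inner else ""
        body = body if isinstance(body, str) else ""
        findings.append({
            "server": part.get_param("server"),  # address the MUA would mail
            "escapes": sorted(set(ESCAPES.findall(body))),
            "body": body,
        })
    return findings

if __name__ == "__main__":
    for finding in find_mail_server_parts(SAMPLE):
        print(finding)
```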
