Hi Anthony,

> - It leaks the IP address of my mail client simply by reading an
> email.

IIRC that was the motivation for me trying it;  how many distinct IP
addresses hit the URL.  Related to your point, I could know the
recipient viewed the email three times a couple of days ago, once from
somewhere he denies going, the rake, yet still hasn't replied.

> - Curl's user agent contains a version number (could allow OS
>   identification, or targeting of vulnerable curl versions).

curl(1) has `-A' to set the user agent.  Perhaps mhn-defaults should
plonk nmh in there with an escape for a version?  Your point still
applies.

curl also offers cookie jars though I don't know if they're used by
default with mhn.default's simple invocation, but perhaps the `.curlrc'
loaded by default as we don't give `-q' might.  This means the URL can
benefit from their values.

> - Fetching http content is subject to man-in-the-middle attacks.

Third-party services like httpbin.org offer URLs that delay before
serving, slowing down mail viewing.

Small emails that get under fetchmail's `-l' limit may still cause high
usage of network budget.

> - It can be used to poke intranets (http://192.168.x.y/admin.php?...)

Yes, though any output would be seen.  GETing Internet URLs may also
have a side effect.  `Vote for me!'.

This telnet-schema URL doesn't work because curl's stdin isn't
/dev/null, but the TTY.  And the dict-schema one can't use `DEFINE
jargon recursion' as the path because nmh strips whitespace from `url',
the comment referring to RFC 2017.
<telnet://time-b.timefreq.bldrdoc.gov:13/>
<dict://dict.org/HELP>
<file:///etc/passwd>
curl(1) supports quite a few other schemas, though libcurl is compiled
without some of them here.  SFTP supports lots of file manipulation
commands, but again the whitespace removal is a hindrance.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
-- 
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
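A constructed example, added here, of what a locked-down fetcher along the lines discussed in Ralph's reply could look like (a fixed user agent via `-A', `-q' so `.curlrc' and any cookie jar in it are skipped, stdin from /dev/null rather than the TTY, only http/https schemes, literal intranet addresses refused, and a time and size cap). It is neither nmh's code nor Ralph's; the name `mhn-fetch', the function names, and the idea that mhn.defaults would call it in place of a bare curl are assumptions.

```shell
# Hypothetical "mhn-fetch" wrapper: a constructed illustration of the
# hardening this thread points at, not nmh's code nor the poster's.
# Assumed to be what mhn.defaults invokes instead of a bare curl(1).

# Return 0 if we are willing to fetch URL, 1 otherwise.  Only http and
# https are accepted, so file://, dict://, telnet:// and friends are out,
# and literal loopback/link-local/RFC 1918 addresses are refused so that
# a message cannot be used to poke an intranet host.  A public hostname
# that resolves to a private address is NOT caught here; that needs a
# resolver-level check and is beyond this snippet.
mhn_url_allowed() {
    _url=$1
    case $_url in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    _host=${_url#*://}          # drop the scheme
    _host=${_host%%[/?#]*}      # keep only the authority part
    _host=${_host#*@}           # drop userinfo
    _host=${_host%%:*}          # drop the port (mangles IPv6 literals; rejected next)
    case $_host in
        ''|localhost|\[*)                        return 1 ;;
        0.*|10.*|127.*|169.254.*|192.168.*)      return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 1 ;;
    esac
    return 0
}

# Fetch URL into OUT with a pinned-down curl invocation:
#   -q        must be the first argument: skips ~/.curlrc, so no cookie
#             jar or user agent from the user's config leaks into the request
#   -A nmh    a fixed user agent instead of "curl/<version>"
#   --proto   belt and braces: curl itself refuses other schemes even if
#             the check above were bypassed
#   no -L     redirects are not followed, so the host checked is the host hit
#   --max-time / --max-filesize   bound the cost of a slow or huge server
#   </dev/null   stdin is not the TTY, so nothing interactive gets typed input
mhn_fetch() {
    _url=$1 _out=$2
    if ! mhn_url_allowed "$_url"; then
        printf 'mhn-fetch: refusing to fetch %s\n' "$_url" >&2
        return 1
    fi
    curl -q -sS -A nmh --proto '=http,https' \
         --max-time 20 --max-filesize 10485760 \
         -o "$_out" "$_url" </dev/null
}
```

Usage would be `mhn_fetch "$url" "$tmpfile"`; the scheme and address checks run before curl is ever started, so a part pointing at file:///etc/passwd or an RFC 1918 address is refused outright rather than relying on curl's behaviour for that scheme.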