
List:       squirrelmail-plugins
Subject:    Re: [SM-PLUGINS] New extrasecure plugin - feedback please
From:       "Tomas Kuliavas" <tokul () users ! sourceforge ! net>
Date:       2006-10-25 6:22:05
Message-ID: 52916.195.22.180.233.1161757325.squirrel () mail ! eik ! lt

> Hello all,
>
> I've created a first attempt at my "extrasecure" plugin. What this does
> is to disable some functionality in SquirrelMail that has a higher
> potential of introducing security problems than others. Currently, it
> disables any HTML mail viewing and any inline attachment viewing.
>
> The idea is that in some environments it may be acceptable to sacrifice
> these features if this provides added (proactive) security against yet
> unknown bugs in e.g. SquirrelMail or web browsers.
>
> Unfortunately I needed a patch to accomplish it. Please take a look
> here:
> http://thijs.kinkhorst.nl/~thijs/extrasecure-0.1-1.5.x.tar.gz
>
> It's not completely finished yet. Feedback is welcome, especially on
> this:
> * Any ideas on accomplishing the same but without the patch? Or
>   with a reduced patch?
> * Why does the removal of the View as HTML link not work?
> * Do you think this is useful and are there any other things that
>   the plugin could do?

1. Unregister 'attachment *' hooks. HTML and images are no longer
displayed inline and only the download option is available.

2. Run strip_tags() on $body in the 'message_body' hook. HTML is removed.

3. Hide the 'html by default' and 'display images inline' options. They are
standard option widgets. Plugins can control them.

4. Unregister/conflict with the view_as_html plugin.

-- 
Tomas
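
Steps 1 and 2 of the reply above, sketched as an added example that is not part of the original message or of SquirrelMail's code. The hook table is a constructed stand-in for SquirrelMail's `$squirrelmail_plugin_hooks` array with constructed sample entries, and the function names `extrasecure_drop_attachment_hooks` and `extrasecure_plain_body` are hypothetical. It also covers one caveat of step 2: strip_tags() removes the tags but keeps the text inside `<script>` and `<style>` elements.

```php
<?php
// Constructed stand-in for the global hook table, laid out as
// $squirrelmail_plugin_hooks[hook name][plugin name] = callback name.
// The entries are sample values, not a dump from a real installation.
$squirrelmail_plugin_hooks = array(
    'attachment text/html'  => array('attachment_common' => 'attachment_common_link_html'),
    'attachment image/jpeg' => array('attachment_common' => 'attachment_common_link_image'),
    'message_body'          => array(),
);

// Step 1: remove every hook whose name starts with "attachment ", so that
// no inline viewer is registered and only the download link is left.
// Returns the names of the hooks that were removed.
function extrasecure_drop_attachment_hooks(array &$hooks) {
    $removed = array();
    foreach (array_keys($hooks) as $name) {
        if (strpos($name, 'attachment ') === 0) {
            unset($hooks[$name]);
            $removed[] = $name;
        }
    }
    return $removed;
}

// Step 2: reduce a message body to text without markup.
function extrasecure_plain_body($body) {
    // strip_tags() alone would leave script and style *contents* behind as
    // visible text, so drop those elements completely first.
    $body = preg_replace('#<(script|style)\b[^>]*>.*?</\1\s*>#is', '', $body);
    return strip_tags($body);
}

// Constructed sample body.
$body = '<p>Hello <b>world</b></p><style>p{color:red}</style><script>track()</script>';

print_r(extrasecure_drop_attachment_hooks($squirrelmail_plugin_hooks));
// strip_tags() on its own: "Hello worldp{color:red}track()"
echo strip_tags($body), "\n";
// With script/style removed first: "Hello world"
echo extrasecure_plain_body($body), "\n";
```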
