web interface to notmuch
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Oct 19 09:55:47 PDT 2017
On Thu 2017-10-19 11:01:53 -0400, Brian Sniffen wrote:
> I put together something like this, visible at
> https://github.com/briansniffen/notmuch/tree/nmweb/contrib/notmuch-web
>
> It's not much of a service. I am pretty sure it is exploitable---that
> content in text/html parts of messages can do Bad Things to your
> session.

I think this is the crux of the problem, right? I was noticing the
other day that notmuch's own mail archives are published in pipermail,
which is *absolutely terrible* compared to dealing with a mailstore with
notmuch as a frontend. I'd love to be able to expose the archive to the
public this way.

Assuming that you had a sanitize_this_html_part() function available to
you, do you think it would be possible to make this safe? Have you
considered proposing it for inclusion in contrib upstream?

--dkg
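
An added sketch of what a sanitize_this_html_part() along the lines asked about above could look like; it is not part of the original message and is not code from notmuch or notmuch-web. The function name comes from the message; the tag allowlist, the set of dropped elements and the permitted link schemes are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy (not from the thread): small tag allowlist, href the only attribute kept.
ALLOWED_TAGS = {"a", "b", "blockquote", "br", "code", "em", "i", "li", "ol", "p", "pre", "strong", "ul"}
DROP_CONTENT = {"script", "style", "head", "title", "iframe", "object", "svg", "math", "template"}
SAFE_HREF = re.compile(r"(?:https?|mailto):", re.IGNORECASE)

def _href(attrs):
    href = (dict(attrs).get("href") or "").strip()
    return f' href="{escape(href)}" rel="noopener noreferrer"' if SAFE_HREF.match(href) else ""

class _Sanitizer(HTMLParser):
    # Output is rebuilt only from allowlisted tag names and escaped text, never copied raw.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []
        self.skip = []          # non-empty while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip or tag in DROP_CONTENT:
            if not self.skip or tag == self.skip[0]:
                self.skip.append(tag)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{_href(attrs) if tag == 'a' else ''}>")
            if tag != "br":
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip[0]:
                self.skip.pop()
        elif tag in self.open_tags:      # never emit a close tag we did not open
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize_this_html_part(html_text):
    parser = _Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.open_tags)])
```

Because every byte of output is re-serialised from the allowlist, event-handler attributes, comments and unknown elements cannot pass through even when the parser and a browser disagree about malformed input. A Content-Security-Policy on the page that serves the result is a sensible second layer.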