From 0275617c43a19ad4bc57c44a949a0e440c888b7a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 24 Jan 2015 13:26:43 +1900 Subject: [PATCH] Re: [PATCH] emacs: show: allow user to hide some mime types by default. --- 85/57ae472123c1ee347018bb7e378b8e1399a7bc | 76 +++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 85/57ae472123c1ee347018bb7e378b8e1399a7bc diff --git a/85/57ae472123c1ee347018bb7e378b8e1399a7bc b/85/57ae472123c1ee347018bb7e378b8e1399a7bc new file mode 100644 index 000000000..ef3c2a2e9 --- /dev/null +++ b/85/57ae472123c1ee347018bb7e378b8e1399a7bc @@ -0,0 +1,76 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id A301A431FC9 + for ; Fri, 23 Jan 2015 10:26:42 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 2.438 +X-Spam-Level: ** +X-Spam-Status: No, score=2.438 tagged_above=-999 required=5 + tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id 5g2P3d-CsXlb for ; + Fri, 23 Jan 2015 10:26:39 -0800 (PST) +Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) + by olra.theworths.org (Postfix) with ESMTP id 63E34431FBC + for ; Fri, 23 Jan 2015 10:26:39 -0800 (PST) +Received: from fifthhorseman.net (unknown [38.109.115.130]) + by che.mayfirst.org (Postfix) with ESMTPSA id 4BBF4F984 + for ; Fri, 23 Jan 2015 13:26:36 -0500 (EST) +Received: by fifthhorseman.net (Postfix, from userid 1000) + id 9531E2039E; Fri, 23 Jan 2015 13:26:43 -0500 (EST) +From: Daniel Kahn Gillmor +To: notmuch@notmuchmail.org +Subject: Re: [PATCH] emacs: show: allow user to hide some mime types + by default. +In-Reply-To: +References: <1421960852-26424-1-git-send-email-markwalters1009@gmail.com> + +User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 + (x86_64-pc-linux-gnu) +Date: Fri, 23 Jan 2015 13:26:43 -0500 +Message-ID: <87ppa5jqu4.fsf@alice.fifthhorseman.net> +MIME-Version: 1.0 +Content-Type: text/plain +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Fri, 23 Jan 2015 18:26:42 -0000 + +On Fri 2015-01-23 02:21:41 -0500, David Edmondson wrote: +> Whilst I think that having this knob is a good thing, I don't think that +> it's a solution to the 'text/html renderers access the network' +> problem. I can't sensibly (and don't wish to) disable the display of +> text/html parts by default (colleagues generate too many text/html +> messages to make that feasible, and I have rss2imap generate a bunch of +> text/html messages that I want to see in their full glory), but would +> definitely like to choose whether a message can sell me out to +> advertisers. +> +> I'm trying to say that this is good, but let's not get into the habit of +> telling someone that complains about network access that adding +> text/html to `notmuch-show-always-hide-types' is the solution. + +I agree with this sentiment. I had been grousing earlier (off-list) +about rendering html messages in general (i don't like exposing +arbitrary attacker-delivered content to a complicated parser where i can +avoid it), so i see Mark's patch as a useful tool to prevent that +problem, not about remote network access during render. + +preventing network access from html-rendered messages is better handled +in a workaround by (gnus-blocked-images "."), though notmuch should +enforce this setting by default when rendering html parts. + + --dkg -- 2.26.2