Stripping multipart/alternative HTML parts instead of rejecting

Stripping multipart/alternative HTML parts instead of rejecting

[Konstantin Ryabitsev]

[-- Attachment #1: Type: text/plain, Size: 421 bytes --]

Hi, all:

We've started adding other kernel-related mailing lists to 
lore.kernel.org, not all of them mailed via vger. This raised the issue 
of html-alternative parts, which are allowed by other mailing list 
providers that are using mailman. Such messages are currently rejected 
outright by public-inbox, but I'm wondering if that is perhaps too 
strict when there are plaintext parts available?

Best,
-K

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: Stripping multipart/alternative HTML parts instead of rejecting

[Eric Wong]

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> Hi, all:
> 
> We've started adding other kernel-related mailing lists to lore.kernel.org,
> not all of them mailed via vger. This raised the issue of html-alternative
> parts, which are allowed by other mailing list providers that are using
> mailman. Such messages are currently rejected outright by public-inbox, but
> I'm wondering if that is perhaps too strict when there are plaintext parts
> available?

I tried scrubbing undesirable parts when the project started,
but it caused signature failures when replaying to mlmmj
subscribers, so I started rejecting those mails instead.

For pure mirrors, there is "filter = PublicInbox::Filter::Mirror"
which doesn't do any modifications at all:

[publicinbox "foo"]
        filter = PublicInbox::Filter::Mirror
	...

I mainly use it with -watch, but it should work with -mda (if
PublicInbox::Filter::Vger does).

But it should work better for NNTP readers who want to check
GPG and DKIM sigs on the original message with HTML.

Re: Stripping multipart/alternative HTML parts instead of rejecting

[Konstantin Ryabitsev]

[-- Attachment #1: Type: text/plain, Size: 828 bytes --]

On Wed, Sep 26, 2018 at 07:47:05PM +0000, Eric Wong wrote:
>I tried scrubbing undesirable parts when the project started,
>but it caused signature failures when replaying to mlmmj
>subscribers, so I started rejecting those mails instead.
>
>For pure mirrors, there is "filter = PublicInbox::Filter::Mirror"
>which doesn't do any modifications at all:
>
>[publicinbox "foo"]
>        filter = PublicInbox::Filter::Mirror
>	...

Thanks, Eric, I'll poke at that.

>I mainly use it with -watch, but it should work with -mda (if
>PublicInbox::Filter::Vger does).
>
>But it should work better for NNTP readers who want to check
>GPG and DKIM sigs on the original message with HTML.

How do messages with a HTML part get displayed in the web view? Does it 
get offered as a download, or ignored completely?

-K

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: Stripping multipart/alternative HTML parts instead of rejecting

[Eric Wong]

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> How do messages with a HTML part get displayed in the web view? Does it get
> offered as a download, or ignored completely?

Offered as a text/plain so viewable and downloadable, but not rendered
by the browser as HTML (because of HTML/JS/CSS injection attacks)

Recent example here:
https://public-inbox.org/sox-users/5baaded3.1c69fb81.1ab9.5c49@mx.google.com/

Re: Stripping multipart/alternative HTML parts instead of rejecting

[Konstantin Ryabitsev]

On Wed, Sep 26, 2018 at 10:42:00PM +0000, Eric Wong wrote:
> Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> > How do messages with a HTML part get displayed in the web view? Does it get
> > offered as a download, or ignored completely?
> 
> Offered as a text/plain so viewable and downloadable, but not rendered
> by the browser as HTML (because of HTML/JS/CSS injection attacks)
> 
> Recent example here:
> https://public-inbox.org/sox-users/5baaded3.1c69fb81.1ab9.5c49@mx.google.com/

This is what I was looking for, thanks!

-K