Re: web interface to notmuch

Subject: Re: web interface to notmuch

Date: Thu, 19 Oct 2017 12:55:47 -0400

To: Brian Sniffen, Matthew Lear, notmuch@notmuchmail.org

Cc:

From: Daniel Kahn Gillmor


On Thu 2017-10-19 11:01:53 -0400, Brian Sniffen wrote:
> I put together something like this, visible at
> https://github.com/briansniffen/notmuch/tree/nmweb/contrib/notmuch-web
>
> It's not much of a service.  I am pretty sure it is exploitable---that
> content in text/html parts of messages can do Bad Things to your
> session.

I think this is the crux of the problem, right?  I was noticing the
other day that notmuch's own mail archives are published in pipermail,
which is *absolutely terrible* compared to dealing with a mailstore with
notmuch as a frontend.  I'd love to be able to expose the archive to the
public this way.

Assuming that you had a sanitize_this_html_part() function available to
you, do you think it would be possible to make this safe?  Have you
considered proposing it for inclusion in contrib upstream?

     --dkg
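The message above assumes a sanitize_this_html_part() exists; the following is an added example of what such a function could look like, written for this page and not taken from notmuch or from Brian Sniffen's notmuch-web branch. It uses only the Python standard library. The design is allowlist-based rather than blocklist-based: tags and attributes not on the list are dropped, the content of script/style/iframe-like elements is discarded outright, all text is re-escaped on output, and href values are kept only if their scheme is http, https or mailto. The function and constant names, the tag and attribute lists, and the sample message part are all assumptions made for the example.

```python
"""Allowlist sanitizer for text/html mail parts rendered in a web UI.

Added example for the thread above, not notmuch or notmuch-web code.
The tag/attribute lists below are an assumed, deliberately small policy.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: structural and inline formatting only; no img (remote
# images are tracking beacons), no form, no iframe, no style/class/id.
ALLOWED_TAGS = {
    "p", "br", "div", "span", "b", "i", "em", "strong", "u", "s", "hr",
    "blockquote", "pre", "code", "ul", "ol", "li", "h1", "h2", "h3",
    "h4", "h5", "h6", "a", "table", "thead", "tbody", "tr", "th", "td",
}
VOID_TAGS = {"br", "hr"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan"}, "th": {"colspan"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
# Element content (not just the tags) is thrown away for these.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed",
                     "noscript", "head", "title", "template"}


def safe_url(value):
    """Return the URL if its scheme is allowlisted, else None."""
    # Browsers ignore ASCII control characters and whitespace inside a
    # scheme ("java\nscript:"), so strip them before parsing instead of
    # trusting urlparse to see the same scheme the browser will.
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return None
    if scheme in ALLOWED_URL_SCHEMES:
        return cleaned
    return None                 # javascript:, data:, vbscript:, relative


class PartSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # emitted tags awaiting a close, for balance
        self.drop_depth = 0     # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # drops on*, style, class, id, target, ...
            value = value or ""
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
                kept.append(' rel="noopener noreferrer"')
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag so output stays balanced.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:   # close anything the sender left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_this_html_part(html):
    """Name taken from the message above; body is this example's own."""
    parser = PartSanitizer()
    parser.feed(html)
    return parser.close()


# Constructed sample part exercising the cases the policy must handle.
SAMPLE_PART = (
    '<html><head><title>x</title><style>body{}</style></head><body>'
    '<p onclick="alert(1)">Hi <b>there</b></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">click</a> '
    '<a href="https://notmuchmail.org/">list</a>'
    '<img src="https://tracker.example/pixel.gif">'
    '<div>unclosed</body></html>'
)

if __name__ == "__main__":
    print(sanitize_this_html_part(SAMPLE_PART))
```

Two points worth noting about the design. Attribute values reach handle_starttag with character references already decoded, which is why safe_url normalises before checking the scheme: an encoded newline inside "javascript:" would otherwise hide the scheme from urlparse while the browser still honours it. And the sanitizer only makes the part itself inert; it does not replace a Content-Security-Policy header on the archive pages or serving untrusted attachments from a separate origin, which are the usual complements to it.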
