anomy-list

Re: Announcing sanitizer.pl, revision 1.54

From: 53149@xyz.molar.is
Date: Wed 18 Sep 2002 - 14:29:19 GMT


    I could not agree more with this response.
    For my part, I would only be interested in passing ftp://, http:// and
    https:// URLs, with webbugs removed, and possibly dangerous http:// URLs
    cleaned up.
    What about adding capability for a regular expression list, analogous to
    the "file_list_#" list in the sanitizer.cfg?
    Something like a url_policy_list.
    I can't think of doing anything but defanging a URL (you can't scan it,
    and it doesn't seem like a good idea to remove it), but this would give
    the flexibility to let the admin choose what is acceptable. Also,
    specific types of URLs could then be easily blocked without needing a
    patch later.
    One such example is http://######## URLs. They include a hex format of
    an IP address, and are pretty much only used for obfuscating the location
    that the user is being taken to.
    Also, URLs which include an @ sign can be used to obfuscate the real
    location.
    e.g.: http://www.paypal.com/login.cgi?this_means_nothing@IP_ADDRESS

    Attachments:
     + http://mailtools.anomy.net/archives/anomy-list//14/e3/3d888def/01.unnamed.html
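
The url_policy_list idea from the message above, sketched as an added example (not part of the original post and not Anomy sanitizer code; written in Python rather than Perl). The rule format, the action names, the defanged form and the sample URLs are all assumptions made for illustration.

```python
import re

# Hypothetical url_policy_list: ordered (regex, action) pairs, first match wins,
# in the spirit of the file_list_# rules in sanitizer.cfg. Rules are constructed.
URL_POLICY_LIST = [
    # Host written as a single hex or decimal integer instead of a name/dotted quad.
    (r"^https?://(0x[0-9a-f]+|\d+)(?=[:/?#]|$)", "defang"),
    # Any '@' after the scheme, as the message proposes.
    (r"^[a-z][a-z0-9+.-]*://\S*@", "defang"),
    # Plain ftp/http/https URLs are passed through.
    (r"^(ftp|https?)://", "pass"),
]
DEFAULT_ACTION = "defang"  # anything no rule matches (other schemes) is defanged

_COMPILED = [(re.compile(p, re.I), a) for p, a in URL_POLICY_LIST]
_URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)


def url_action(url):
    """Return the action of the first matching policy rule."""
    for rx, action in _COMPILED:
        if rx.search(url):
            return action
    return DEFAULT_ACTION


def defang(url):
    """Keep the URL readable but not clickable (output format is an assumption)."""
    scheme, rest = url.split("://", 1)
    return scheme + "[://]" + rest


def sanitize_text(text):
    """Apply the policy to every scheme://... URL found in a plain-text body."""
    def _sub(m):
        url = m.group(0)
        return url if url_action(url) == "pass" else defang(url)
    return _URL_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample body; 192.0.2.7 is a documentation address.
    body = ("Docs: http://www.example.com/help\n"
            "Hex host: http://0xC0000207/login\n"
            "At sign: http://www.example.com/login.cgi?x@192.0.2.7\n")
    print(sanitize_text(body))
```

Because the first matching rule wins, the blocking patterns have to sit above the general ftp/http/https pass rule.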