Secure usage of Sup

Gaute Hope edited this page Oct 30, 2013 · 4 revisions
Clone this wiki locally

We are not aware of anyone having had their Sup exploited yet, but there are some important concerns that you need to think about when setting up Sup or writing custom hooks.

Security bulletins



When a sender attaches a file the content_type and filename metadata are controlled by the sender. This metadata is used when opening or decoding an attachment. It is important that you do not use these fields uncritical when you include them in a command that will be executed (e.g. opening an attachment or decoding a HTML attachment using w3m). Please see Viewing-Attachments for details.