Add PKG_DESTDIR_SUPPORT;
Add LICENSE
`$Cambridge: hermes/src/prayer/docs/DONE,v 1.66 2011/06/27 13:39:56 dpc22 Exp $
27/06/2010
==========
Release: Prayer 1.3.4
22/06/2011
==========
draft.c fixes:
Fold long lines of addresses before the entry which reaches 78 characters
when possible, rather than after the first entry which crosses that
boundary. Long standing bug bear of mine but several support functions
needed to be rewritten to use scratch string in place of output buffer.
Long subject lines which are not RFC1522 encoded need to be folded.
separately. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.
RFC1522 is not allowed to fold lines in the middle of a UTF-8 multibyte
character. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.
Tidy library:
Add support for tidyp fork of (apparently abandoned) tidy library.
Fix cross site scripting problem:
MSIE and Chrome think that <!---> is a complete comment. Allows people to
hide scripts inside <!---><script>...<!--->. Strip all comments (which is
something that the old sanitiser had been doing already)
Sieve blocks should check "From: " address in body as well as
envelope sender address. Check "Sender: " as well for completeness.
Linux needs IPPROTO_IPV6 to bind to '0.0.0.0' and '::'
01/11/2010
==========
Mike Brudenell <mike.brudenell@york.ac.uk> reported problem with RFC
2183/RFC 2231 quoting with vey long filenames, or filenames with strange
characters from ASCII range.
20/07/2010
==========
Release: Prayer 1.3.3
08/07/2010
==========
Better handling of complex multipart messages:
Rather than just displaying the first text/plain or text/html that we can
find in the top, (leaving people to access sections for the other parts),
display the entire tree: multipart/alternative are handled as before, but
with other multipart messages, recurse into the subtrees and repeat. Given:
1 (Nested multipart)
1.1 text/html
1.2 text/plain
2 text/plain
we display sections 1.1 and 2. Previously we would display section 2,
which is a bit of a disaster if section (1) was the original message and
a listserver has helpfully tagged on a message footer as a separate bodypart
Combine os_*.c back into a single file (which is where I started off
many years back). Eliminates lots of repeated code.
07/07/2010
==========
Bugs
====
os_bind_inet_socket(unsigned long port, char *interface)
If interface resolves to multiple IP addresses then only binds to the
first. Should really walk along ai->ai_next and bind to each IP address
in turn. Unfortuanetly this means that os_bind_inet_socket() needs to
return an array of sockfds rather than a single int. Parent routines
probably aren't going to play ball either.
Most likely cause will be a hostname which generates both IPv4 and IPv6
addresses. Unfortanately it is a probably that we are going to have
to solve eventually.
05/07/2010
==========
Fix XSS problems reported by:
Jacob H. Hilton <jhh40@cam.ac.uk>
Dr Andrew C Aitchison <A.C.Aitchison@dpmms.cam.ac.uk>
Rather than trying to spot dangerous tags by simple substring matching in C,
I now feed the html through Tidy library (http://tidy.sourceforge.net/),
and then prune unwanted nodes from the parse tree before setting it to
the pretty printer. The only problem is that the Tidy library doesn't
provide any public API for manipulating the parse tree (although it does
provide a public API for walking the tree!?), so I had to dig around to
find the private functions required to remove and manipulate nodes.
Javascript embedded into CSS is also a problem: I need to strip off CSS
character entities before looking for dangerous expressions. The final
part is still a simple string match: I hope that I don't end up having to
generate parse trees for CSS as well as the HTML.
Now passes full test suite at:
https://secure.grepular.com/email_privacy_tester/
Better vacation screen
Subject line
Phrasing
Coping with multiple logins as single user from single browser:
SessionID stored in HTTP Cookie: second login blats first
Can store SessionID in URL (Prayer does this if no cookies available)
Not secure: leaks in HTTP "Referrer" header with links from HTML email.
Solution: Use HTTP Cookie keyed by PID of login session.
Smaller cleanups:
Improve gap between words in spell check (Cambridge house style)
Remove extra blank lines after postpone, restore cycle.
84bb8a032a