for this access-type:
(1) SERVER -- The addr-spec of the mail server from which
the actual body data can be obtained. This parameter
is mandatory for the "mail-server" access-type.
(2) SUBJECT -- The subject that is to be used in the mail
that is sent to obtain the data. Note that keying mail
servers on Subject lines is NOT recommended, but such
mail servers are known to exist. This is an optional
parameter.
RFC 2046 Media Types November 1996
Because mail servers accept a variety of syntaxes, some of which is
multiline, the full command to be sent to a mail server is not
included as a parameter in the content-type header field. Instead,
it is provided as the "phantom body" when the media type is
"message/external-body" and the access-type is mail-server.
Note that MIME does not define a mail server syntax. Rather, it
allows the inclusion of arbitrary mail server commands in the phantom
body. Implementations must include the phantom body in the body of
the message it sends to the mail server address to retrieve the
relevant data.
Unlike other access-types, mail-server access is asynchronous and
will happen at an unpredictable time in the future. For this reason,
it is important that there be a mechanism by which the returned data
can be matched up with the original "message/external-body" entity.
MIME mail servers must use the same Content-ID field on the returned
message that was used in the original "message/external-body"
entities, to facilitate such matching.
5.2.3.6. External-Body Security Issues
"Message/external-body" entities give rise to two important security
issues:
(1) Accessing data via a "message/external-body" reference
effectively results in the message recipient performing
an operation that was specified by the message
originator. It is therefore possible for the message
originator to trick a recipient into doing something
they would not have done otherwise. For example, an
originator could specify a action that attempts
retrieval of material that the recipient is not
authorized to obtain, causing the recipient to
unwittingly violate some security policy. For this
reason, user agents capable of resolving external
references must always take steps to describe the
action they are to take to the recipient and ask for
explicit permisssion prior to performing it.
The 'mail-server' access-type is particularly
vulnerable, in that it causes the recipient to send a
new message whose contents are specified by the
original message's originator. Given the potential for
abuse, any such request messages that are constructed
should contain a clear indication that they were
generated automatically (e.g. in a Comments: header
field) in an attempt to resolve a MIME
RFC 2046 Media Types November 1996
"message/external-body" reference.
(2) MIME will sometimes be used in environments that
provide some guarantee of message integrity and
authenticity. If present, such guarantees may apply
only to the actual direct content of messages -- they
may or may not apply to data accessed through MIME's
"message/external-body" mechanism. In particular, it
may be possible to subvert certain access mechanisms
even when the messaging system itself is secure.
It should be noted that this problem exists either with
or without the availabilty of MIME mechanisms. A
casual reference to an FTP site containing a document
in the text of a secure message brings up similar
issues -- the only difference is that MIME provides for
automatic retrieval of such material, and users may
place unwarranted trust is such automatic retrieval
mechanisms.
5.2.3.7. Examples and Further Explanations
=21= |
