| author | Hiltjo Posthuma <hiltjo@codemadness.org> | 2019-05-06 21:17:19 +0200 |
|---|---|---|
| committer | Hiltjo Posthuma <hiltjo@codemadness.org> | 2019-05-06 21:17:19 +0200 |
| commit | c0b063465aa2f86bbeda592f20c52dc303b265bd (patch) | |
| tree | 506f18a722d56837820ec58fe200f66d82085596 /README | |
| parent | b3c6fbcf0acfb0c0799fe3397cbae6e31be68008 (diff) | |
remove sfeed_tail and recently added security considerations
... both are out-of-scope for sfeed.
- sfeed_tail can be written as some simple customized awk script reading from a
FIFO. The C version did not work well on FIFOs.
- Security considerations are mentioned in the official HTML spec and apply to
all HTML and protocol handlers, so is out-of-scope.
Diffstat (limited to 'README'):

    -rw-r--r--  README | 47
    1 files changed, 0 insertions, 47 deletions
@@ -128,7 +128,6 @@ sfeed_opml_export - Generate an OPML XML file from a sfeedrc config file. sfeed_opml_import - Generate a sfeedrc config file from an OPML XML file. sfeed_mbox - Format feed data (TSV) to mbox. sfeed_plain - Format feed data (TSV) to a plain-text list. -sfeed_tail - Format unseen feed data (TSV) to a plain-text list. sfeed_twtxt - Format feed data (TSV) to a twtxt feed. sfeed_update - Update feeds and merge with old feeds in the directory $HOME/.sfeed/feeds by default. 
@@ -508,52 +507,6 @@ Now run: Now you can view feeds in mutt(1) for example. -Security considerations ------------------------ - -About automated remote resource loading and content execution: - -Some feeds will use a tracking pixel (1x1 image size) in HTML content with some -unique ID. Some even have embedded Javascript code, iframes, CSS. Opening such -content and loading these resources automatically may leak unwanted -information. - -For example on Slashdot: -<img src="http://feeds.feedburner.com/~r/Slashdot/slashdot/~4/someid" - height="1" width="1" alt=""/> - -If such content is opened in a typical webbrowser configuration this is -insecure. Be aware opening a link in a page generated on the local filesystem -or network has different privileges than one on a non-local domain. - -Recommendation: -Do not handle content as HTML and avoid automated remote resource loading in -content. Convert all content to plain-text in your formatting program. - - -About handling links: - -Be careful about handling feed links. - -A malicious link could be: tel:some-phonenumber, file:// or some other protocol -scheme which depending on the viewing program and system can have an action -assigned. - -Another malicious link could be pointing to a local device, for example an -(insecure) router: http://192.168.0.1/?reboot - -Recommendation: -Filter specific by protocol and non-local domain. This can be done using a grep -or awk filter or as a setting in your viewing program. - -See also: -- RFC4287 (Atom): 8. Security Considerations: - https://tools.ietf.org/html/rfc4287#section-8 -- RFC2854: 7. Security Considerations: - https://tools.ietf.org/html/rfc2854 -- Filter examples: see the sfeed README file. - - License ------- |
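Review bot: In the first hunk (the tool list at line 128) the `sfeed_tail` entry is dropped without leaving the reader any pointer to the replacement the commit message describes ("some simple customized awk script reading from a FIFO"). Since this diffstat is limited to README, it is not visible here whether the C source and its Makefile target are removed in the same commit; if they are, a one-line note in the README's examples section showing the awk-over-FIFO approach, or a changelog line saying `sfeed_tail` was removed and why, would stop users of the old tool from hunting for it in the list.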
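Review bot: In the second hunk the whole "Security considerations" section goes, but the commit message's justification (it is covered by the official HTML spec) only applies to the first half, the remote-resource-loading part. The second half, about link handling, is specific to feed readers: the advice to filter links by protocol scheme and non-local domain ("Filter specific by protocol and non-local domain. This can be done using a grep or awk filter or as a setting in your viewing program.") is not something the HTML spec or RFC2854 gives a reader of sfeed output. Suggest keeping at least the two "Recommendation:" paragraphs and the "See also" RFC links (RFC4287 section 8, RFC2854 section 7), either as a short paragraph under the mutt(1) example or in the sfeed_plain / sfeed_mbox documentation. Note also that the deleted section contained "Filter examples: see the sfeed README file" inside the README itself, which was a dangling self-reference (presumably copied from a man page); removing it is fine, but if any man page still points to the README for filter examples, that reference will now dangle too.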