From c0b063465aa2f86bbeda592f20c52dc303b265bd Mon Sep 17 00:00:00 2001 From: Hiltjo Posthuma Date: Mon, 6 May 2019 21:17:19 +0200 Subject: remove sfeed_tail and recently added security considerations ... both are out-of-scope for sfeed. - sfeed_tail can be written as some simple customized awk script reading from a FIFO. The C version did not work well on FIFOs. - Security considerations are mentioned in the official HTML spec and apply to all HTML and protocol handlers, so are out-of-scope. --- README | 47 ----------------------------------------------- 1 file changed, 47 deletions(-) (limited to 'README') diff --git a/README b/README index 21e4c35..2467b7d 100644 --- a/README +++ b/README @@ -128,7 +128,6 @@ sfeed_opml_export - Generate an OPML XML file from a sfeedrc config file. sfeed_opml_import - Generate a sfeedrc config file from an OPML XML file. sfeed_mbox - Format feed data (TSV) to mbox. sfeed_plain - Format feed data (TSV) to a plain-text list. -sfeed_tail - Format unseen feed data (TSV) to a plain-text list. sfeed_twtxt - Format feed data (TSV) to a twtxt feed. sfeed_update - Update feeds and merge with old feeds in the directory $HOME/.sfeed/feeds by default. 
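Review bot: dropping the `sfeed_tail - Format unseen feed data (TSV) to a plain-text list.` entry leaves the README with no replacement for the "show only unseen items" workflow; the commit message says a short customized awk script reading from a FIFO covers it, but that hint lives only in the commit log. Consider adding a one-line note or the awk example next to the remaining formatting tools so the use case stays documented after the tool is gone.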
@@ -508,52 +507,6 @@ Now run: Now you can view feeds in mutt(1) for example. -Security considerations ------------------------ - -About automated remote resource loading and content execution: - -Some feeds will use a tracking pixel (1x1 image size) in HTML content with some -unique ID. Some even have embedded Javascript code, iframes, CSS. Opening such -content and loading these resources automatically may leak unwanted -information. - -For example on Slashdot: - - -If such content is opened in a typical webbrowser configuration this is -insecure. Be aware opening a link in a page generated on the local filesystem -or network has different privileges than one on a non-local domain. - -Recommendation: -Do not handle content as HTML and avoid automated remote resource loading in -content. Convert all content to plain-text in your formatting program. - - -About handling links: - -Be careful about handling feed links. - -A malicious link could be: tel:some-phonenumber, file:// or some other protocol -scheme which depending on the viewing program and system can have an action -assigned. - -Another malicious link could be pointing to a local device, for example an -(insecure) router: http://192.168.0.1/?reboot - -Recommendation: -Filter specific by protocol and non-local domain. This can be done using a grep -or awk filter or as a setting in your viewing program. - -See also: -- RFC4287 (Atom): 8. Security Considerations: - https://tools.ietf.org/html/rfc4287#section-8 -- RFC2854: 7. Security Considerations: - https://tools.ietf.org/html/rfc2854 -- Filter examples: see the sfeed README file. - - License ------- -- cgit v1.2.3
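Review bot: removing the whole "Security considerations" section also deletes the two recommendations that are specific to how sfeed output is consumed, not generic HTML advice: convert content to plain text in the formatting program instead of handling it as HTML, and filter links by scheme and non-local host (the `tel:`, `file://` and `http://192.168.0.1/?reboot` cases). RFC 4287 section 8 and RFC 2854 cover the general risks, but the caveat that a page generated on the local filesystem and opened in a browser runs with different privileges than one served from a remote domain is an sfeed_html workflow issue, and the pointer `Filter examples: see the sfeed README file.` now refers to text that no longer exists. Suggest keeping at least the two "Recommendation:" paragraphs, or folding them into the sfeed_html / sfeed_mbox usage text above so readers still get the plain-text and link-filtering guidance.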