X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=design-notes.html;h=4aaba5cb2bc30269c457e0674dd80db4068af70b;hb=4e7a4526868db2410bc9e1aba0bd8361e4fd6962;hp=ffd82bf80f746b2ea9b0d6ac41cb7819a1dc4adb;hpb=66df9b24a8e0bebd7b355fe349abb93c684bc506;p=~andy%2Ffetchmail

diff --git a/design-notes.html b/design-notes.html
index ffd82bf8..4aaba5cb 100644
--- a/design-notes.html
+++ b/design-notes.html
@@ -17,7 +17,7 @@
 <table width="100%" cellpadding="0" summary="Canned page header">
 <tr>
 <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a></td>
-<td width="30%" align="right">$Date: 2003/02/28 11:26:47 $</td>
+<td width="30%" align="right">$Date$</td>
 </tr>
 </table>
 
@@ -33,9 +33,26 @@ ESR made previously, and the differences and new directions will be laid
 out in this document. It is therefore a sort of a TODO document, until
 the necessary code revisions have been made.</p>
 
+<h2>Security</h2>
+
+<p>Fetchmail was handed over in a pretty poor shape, security-wise. It will
+happily talk to the network with root privileges, use sscanf() to read
+remotely received data into fixed-length stack-based buffers without
+length limitation and so on. A full audit is required and security
+concepts will have to be applied. Random bits are:</p>
+
+<ul>
+    <li>code talking to the network does not require root privileges and
+    needs to run without root permissions</li>
+    <li>all input must be validated, all strings must be length checked,
+    all integers range checked</li>
+    <li>all types will need to be reviewed whether they are signed or
+    unsigned</li>
+</ul>
+
 <h2>SMTP forwarding</h2>
 
-<p>Fetchmails multidrop and rewrite options will process addresses
+<p>Fetchmail's multidrop and rewrite options will process addresses
 received from remote sites. Special care must be taken so these
 features cannot be abused to relay mail to foreign sites.</p>
 
@@ -51,16 +68,17 @@ avoided for now.</p>
 <h3>Why we need client-side tracking</h3>
 
 <p>ESR asserted that server-side state were essential and those persons
-repsonsible for removing the LAST command from POP3 deserved to
+responsible for removing the LAST command from POP3 deserved to
 suffer. ESR is right in stating that the POP3 UID tracks which messages
 have been read <em>by this client</em> &ndash; and that is exactly what
 we need to do.</p>
 
-<p>If fetchmail is supposed to retrieve all
-mail from a mailbox reliably, without being disturbed by someone
-occasionally using another client on another host, or a webmailer, or
-similar, then <em>client</em>-side tracking of the state is
-indispensable. This is also needed to match behavior to ETRN and ODMR.</p>
+<p>If fetchmail is supposed to retrieve all mail from a mailbox
+reliably, without being disturbed by someone occasionally using another
+client on another host, or a webmailer, or similar, then
+<em>client</em>-side tracking of the state is indispensable. This is
+also needed to match behavior to ETRN and ODMR or to support read-only
+mailboxes in --keep mode.</p>
 
 <h3>Present and future</h3>
 
@@ -101,7 +119,7 @@ upstream were the same as the IMAP or POP3 server.</p>
 <table width="100%" cellpadding="0" summary="Canned page footer">
 <tr>
 <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a></td>
-<td width="30%" align="right">$Date: 2003/02/28 11:26:47 $</td>
+<td width="30%" align="right">$Date$</td>
 </tr>
 </table>