[Users] [Bulk] Claws config needs much better documentation

Holger Berndt berndth at gmx.de
Wed Aug 1 20:19:46 CEST 2012


On Tue, 31.07.2012 17:54, Sitaram Chamarty wrote:

>> png and jpeg have had many exploits on Unix. By default I expect
>> you have a reasonable guarantee on claws with regard to the html to text
>> feature. I'm not sure what the default is for "Automatically Display
>> attached images" in preferences but there is certainly plenty more low
>> hanging fruit on other clients for malware to target. It annoys me that
>> there is only html mode on my constantly known bug ridden Android at the
>> moment.
>
>You basically threw up a strawman argument to bolster your contention
>that the current default is safer when it actually has nothing to do
>with safety.

I don't see how this is a strawman. Kevin is of course right when he
says that software has bugs, and that if less code gets executed,
there's less code that can get attacked.

Still, I wouldn't describe the feature as a security feature, because I
don't think Claws Mail really defines how much processing is done to an
email at the various stages. For example, some parts of the message are
parsed and decoded early (to display headers like subject, for
example). Other parts are delayed until needed (a user opens the
message, or a filter is applied, or ...).

So, while the current processing indeed gives some extra security, a
future version of Claws Mail might behave differently.

Holger


