+ As mutt-ng be can be set up to be the mail client to handle mailto: style links
+ in websites, there're security considerations, too. To keep the old behavior by
+ default, mutt-ng will be strict in interpreting them which means that arbitrary
+ header fields can be embedded in these links which could override existing
+ header fields or attach arbitrary files. This may be problematic if the
+ _\b$_\be_\bd_\bi_\bt_\b__\bh_\be_\ba_\bd_\be_\br_\bs (section 7.4.54 , page 98) variable is _\bu_\bn_\bs_\be_\bt, i.e. the user
+ doesn't want to see header fields while editing the message.
+
+ For example, following a link like
+
+ mailto:joe@host?Attach=~/.gnupg/secring.gpg
+
+ will send out the user's private gnupg keyring to joe@host if the user doesn't
+ follow the information on screen carefully enough.
+
+ When _\bu_\bn_\bs_\be_\bt_\bt_\bi_\bn_\bg the _\b$_\bs_\bt_\br_\bi_\bc_\bt_\b__\bm_\ba_\bi_\bl_\bt_\bo (section 7.4.311 , page 162) variable, mutt-
+ ng will
+
+ +\bo be less strict when interpreting these links by prepending a X-Mailto-
+ string to all header fields embedded in such a link _\ba_\bn_\bd
+
+ +\bo turn on the _\b$_\be_\bd_\bi_\bt_\b__\bh_\be_\ba_\bd_\be_\br_\bs (section 7.4.54 , page 98) variable by force to
+ let the user see all the headers (because they still may leak informa-
+ tion.)
+
+ _\b6_\b._\b4 _\bE_\bx_\bt_\be_\br_\bn_\ba_\bl _\ba_\bp_\bp_\bl_\bi_\bc_\ba_\bt_\bi_\bo_\bn_\bs
+
+ Mutt-ng in many places has to rely on external applications or for convenience
+ supports mechanisms involving external applications.
+
+ _\b6_\b._\b4_\b._\b1 _\bm_\ba_\bi_\bl_\bc_\ba_\bp
+
+ One of these is the mailcap mechanism as defined by RfC 1524. Mutt-ng can be
+ set up to _\ba_\bu_\bt_\bo_\bm_\ba_\bt_\bi_\bc_\ba_\bl_\bl_\by execute any given utility as listed in one of the mail-
+ cap files (see the _\b$_\bm_\ba_\bi_\bl_\bc_\ba_\bp_\b__\bp_\ba_\bt_\bh (section 7.4.116 , page 114) variable for
+ details.)
+
+ These utilities may have a variety of security vulnerabilities, including
+
+ The Mutt Next Generation E-Mail Client 79
+
+ overwriting of arbitrary files, information leaks or other exploitable bugs.
+ These vulnerabilities may go unnoticed by the user, especially when they are
+ called automatically (and without interactive prompting) from the mailcap
+ file(s). When using mutt-ng's autoview mechanism in combination with mailcap
+ files, please be sure to...
+
+ +\bo manually select trustworth applications with a reasonable calling sequence
+
+ +\bo periodically check the contents of mailcap files, especially after soft-
+ ware installations or upgrades
+
+ +\bo keep the software packages referenced in the mailcap file up to date
+
+ +\bo leave the _\b$_\bm_\ba_\bi_\bl_\bc_\ba_\bp_\b__\bs_\ba_\bn_\bi_\bt_\bi_\bz_\be (section 7.4.117 , page 115) variable in its
+ default state to restrict mailcap expandos to a safe set of characters
+
+ _\b6_\b._\b4_\b._\b2 _\bO_\bt_\bh_\be_\br
+
+ Besides the mailcap mechanism, mutt-ng uses a number of other external utili-
+ ties for operation.
+
+ The same security considerations apply for these as for tools involved via
+ mailcap (for example, mutt-ng is vulnerable to Denial of Service Attacks with
+ compressed folders support if the uncompressed mailbox is too large for the
+ disk it is saved to.)
+
+ As already noted, most of these problems are not built in but caused by wrong
+ configuration, so please check your configuration.
+
+ _\b7_\b. _\bR_\be_\bf_\be_\br_\be_\bn_\bc_\be
+
+ _\b7_\b._\b1 _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\bl_\bi_\bn_\be _\bo_\bp_\bt_\bi_\bo_\bn_\bs