Status
Current Working Pair:
- Dillo CVS 2003-03-16 and newer
- Sylpheed-Claws 0.8.11claws14 and newer
2003-03-16
As of 2003-03-16, CVS sources of Dillo do not contain the security issue noted below anymore. Thanks to Dillo's authors for the quick reaction.
2003-03-15
Since version 0.7.0, Dillo has integrated the different patches (embedding, a
modified version of local browsing and the fullwindow
startup). So there is no need to patch Dillo anymore, but:
WARNING: Dillo 0.7.0 and newer have a bug that
will make it load remote images even though it was
launched with the SpamSafe (-l) command line option
when the HTML text contains a <base href=…>
tag. You can find a patch against Dillo CVS sources
here.
As of CVS version 0.8.11claws14, Sylpheed-Claws
includes a Dillo plugin to allow inline viewing of
HTML mail. The forthcoming public release 0.8.12claws
will include it officially. So there is no need to patch Sylpheed-Claws anymore.
2003-02-06
As of 2003-02-06, Sylpheed-Claws does not yet include
the patches to use Dillo as an integrated HTML
viewer. Nevertheless, it is planned that Sylpheed-Claws 0.8.11 will
be able to use Dillo officially for HTML mail. Until then,
the patches concerning Sylpheed-Claws provided in this page are
still needed.
When using Dillo version 0.7.0, which
already integrates the slightly modified patches, the HTML
mail is viewed in a safe manner by not following the links
it includes (screenshot: initial message view), until the
user hits the reload button, in which case the HTML mail
is reloaded completely, possibly showing remote resources, i.e. the links are followed (screenshot: message view after hitting the reload button).
Note: The rest of this page and the screenshots it shows
concern Dillo versions patched with the patches found
on this site and not Dillo 0.7.0 (and newer).
About
The Embeddable Dillo, Local Browsing and Full Window Startup
patches originally served the purpose of adding an HTML
mail viewing ability that is as safe as possible to the Sylpheed-Claws
mail client. The three patches were merged into a single
patch and Sylpheed-Claws was modified to automatically
launch Dillo with the -f -l -xid
XID %f arguments, where %f denotes the
HTML part of an email. This results in a safer and
more comfortable way to view such insecure messages. Here is a
picture of what it looks like on a SPAM HTML mail. After
double-clicking on the window to toggle off the full
window mode and to see what the status bar shows if there
is an attempt to connect to a remote host when using the
local browsing option, you can see this same SPAM HTML trying to connect
to a remote host. Only one comment: thanks to Dillo,
Sylpheed and these patches, you can securely see such
mails. At least, I hope!
2002-10-14: With the newer Dillo patch it is
possible to switch the local browsing only mode (offline)
on and off inside Dillo. This will allow reloading a
current HTML mail after allowing access to the
Internet.
IMPORTANT: 2002-11-01: I found in a mailing
list message that spammers could use DNS lookups to
check if their message was read or not by supplying a
unique non-existent address, e.g. 123456.the.spam.com,
and by checking their DNS server log. The Dillo patch
does not provide protection against this, because
the DNS lookup is done even when "offline" browsing is
enabled, to test whether the link resolves to a
localhost address (127.*.*.*). I currently don't know
of any simple way to test without DNS lookup whether
an address is the address of the localhost.
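One way to make the localhost decision without any resolver call, as an added example (not Dillo's code and not part of the patches on this page): accept only literal loopback addresses and the literal name localhost, and treat every other host name as remote. The function name is hypothetical, and it assumes the URL has already been made absolute.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not Dillo code): 1 if the host of an absolute URL is
 * provably the local machine WITHOUT any DNS query, else 0. Names that would
 * need resolving are treated as remote, so no lookup ever leaves the machine. */
int host_is_local_no_dns(const char *url)
{
    static const char scheme_chars[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-.";
    char host[256];
    struct in_addr a4;
    struct in6_addr a6;
    const char *p = strstr(url, "://");
    size_t alen, hlen, i, start = 0;

    /* "://" must directly follow a scheme, not sit inside a query string */
    if (p == NULL || p == url || strspn(url, scheme_chars) != (size_t)(p - url))
        return 0;
    p += 3;
    alen = strcspn(p, "/?#");            /* authority ends at path/query/fragment */
    for (i = 0; i < alen; i++)           /* host follows the last '@' (userinfo) */
        if (p[i] == '@') start = i + 1;
    p += start;
    alen -= start;
    if (alen > 0 && p[0] == '[') {       /* bracketed IPv6 literal */
        const char *end = memchr(p, ']', alen);
        if (end == NULL) return 0;
        p++;
        hlen = (size_t)(end - p);
    } else {                             /* strip an optional ":port" */
        const char *colon = memchr(p, ':', alen);
        hlen = colon ? (size_t)(colon - p) : alen;
    }
    if (hlen == 0 || hlen >= sizeof host) return 0;
    memcpy(host, p, hlen);
    host[hlen] = '\0';
    /* The literal name counts as local; connect to 127.0.0.1, do not resolve it */
    if (strcasecmp(host, "localhost") == 0) return 1;
    if (inet_pton(AF_INET, host, &a4) == 1)          /* 127.0.0.0/8 */
        return (ntohl(a4.s_addr) >> 24) == 127;
    if (inet_pton(AF_INET6, host, &a6) == 1)         /* ::1 */
        return IN6_IS_ADDR_LOOPBACK(&a6) ? 1 : 0;
    return 0;
}
```

The trade-off is that a host name which only maps to 127.*.*.* through DNS or a hosts file is classed as remote and blocked in offline mode.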
Download
Note:
Download and apply the patches only if you know
what you are doing. These are experimental patches for
developers and not really intended for end-users.
If you don't know how to apply them, chances are
you don't want to use them. HTML mail is
interesting but it opens a can of worms. The
Sylpheed-Claws patch is virtually the can of
worms. All suggestions welcome.
2002-11-01 The all-in-one patch for Dillo
0.7.0pre-v1 is here: dillo-0.7.0-pre-v1-cli-local-fullwindow-xid.patch. You'll need at least to run automake.
2002-10-25 The Sylpheed-Claws 0.8.5claws54 patch
is here: sylpheed-0.8.5claws54-dillo.patch. Compared
to the older patch, this patch just adds "-dillo" to the
version string. autogen.sh should be rerun.
2002-10-14 The new all-in-one Dillo patch that
allows in-session offline toggling is here: dillo-cvs-2002-10-14-cli-local2-fullwindow-xid.patch. This
patch modifies src/Makefile.am and adds two new
files so you may need to run at least automake.
2002-09-29
The Sylpheed-Claws 0.8.3claws32 patch is here:
sylpheed-0.8.3claws32-dillo.patch.
2002-08-13 This patch contains all the following
patches: command line options, local browsing, fullwindow
start and embeddable Dillo. It applies cleanly on Dillo
cvs 2002-08-13. You can get it here: dillo-cvs-2002-08-13-cli-local-fullwindow-xid.patch.
2002-08-06 This patch contains all the following
patches: command line options, local browsing, fullwindow
start and embeddable Dillo. It applies cleanly on Dillo
cvs 2002-08-06. You can get it here: dillo-cvs-2002-08-06-cli-local-fullwindow-xid.patch.
The Sylpheed-Claws 0.8.1claws28 patch is here:
sylpheed-0.8.1claws28-dillo.patch.
2002-05-18
The single patch of the merged features for Dillo is here:
dillo-cvs-2002-05-18-xid-local-fullwindow.patch
The can of worms for Sylpheed-Claws 0.7.6claws4 is here:
sylpheed-0.7.6claws4-dillo.patch.
(the 4 in claws4 is the cvs-Claws version, the patch should apply
to the released 0.7.6claws, too)