[-- PGP output follows (current time: Wed Sep  2 11:15:01 2015) --]
gpg: Signature made Wed Aug 19 22:17:44 2015 CEST using RSA key ID 0312C726
gpg: Good signature from "mwnx <m...@gmx.com>"
Primary key fingerprint: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726
[-- End of PGP output --]

[-- BEGIN PGP SIGNED MESSAGE --]

On Wed, Sep 02, 2015 at 07:49:08AM +1000, Cameron Simpson wrote:
> >>I'm not sure there's really any security risk in allow_ansi.  [...]
> >>it seems to allow only colors and text attributes (bold,
> >>underline, etc).  It doesn't appear to do anything with the more
> >>dangerous sequences. [...]
> >it isn't passing the ANSI sequences _through_ to the display. It is
> >parsing a few and setting the various markup features in the output, which
> >are then rendered in the normal curses highlighting/colouring processes.
> 
> As an illustrative example, the "_through_" above is displayed on my
> terminal in cyan, _not_ underlined. This is because my muttrc says:
> 
>  color underline $colour_hl1 default
> 
> and $colour_hl1 is currently cyan. This illustrates that the source ANSI
> sequence is not passed through.
> 
> Cheers,
> Cameron Simpson <c...@zip.com.au>
> 
> No, I haven't read 'Illuminatus' myself, although I do know of it. Perhaps I
> might find some _more_ information in this book to back up these claims.
>        - j...@ibis.dsto.gov.au (James Marcus)

Well, my concern is with the possibility of faking PGP-related messages, as
mentioned in the manual:

    Messages containing these codes are rare, but if this option is set,
    their text will be colored accordingly. Note that this may override
    your color choices, and even present a security problem, since a
    message could include a line like

    [-- PGP output follows ...

    and give it the same color as your attachment color (see also
    $crypt_timestamp).

Oh, by the way, if you're using the default (I think it's the default) bold
yellow coloring for GPG messages, you might not have noticed that this
message isn't actually GPG signed if you didn't bother to check the
timestamp. I know I don't usually bother to.

-- 
mwnx
GPG: AEC9 554B 07BD F60D 75A3  AF6A 44E8 E4D4 0312 C726

[-- END PGP SIGNED MESSAGE --]
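As an added example (not from the thread or from mutt itself), a Python check for the trick mwnx demonstrates above: a body that contains mutt's own "[-- PGP output follows" banner lines while the message carries no PGP/MIME or inline signature. Both sample messages are constructed; the signature check is structural only and does not verify anything cryptographically.

```python
import email
import re
from email import policy
# Constructed sample: plain text mimicking mutt's own PGP banners, with no signature at all.
SPOOFED_MAIL = """\
Content-Type: text/plain; charset=us-ascii

[-- PGP output follows (current time: Wed Sep  2 11:15:01 2015) --]
gpg: Good signature from "mwnx <mwnx@example.invalid>"
[-- End of PGP output --]
[-- BEGIN PGP SIGNED MESSAGE --]
body text
[-- END PGP SIGNED MESSAGE --]
"""
# Constructed sample: a PGP/MIME signed message (the signature part is a placeholder).
SIGNED_MAIL = """\
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b"

--b
Content-Type: text/plain

hello
--b
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--b--
"""
# Banner lines mutt prints around verification output; they never belong inside a body.
BANNER_RE = re.compile(r"^\[-- (?:PGP output follows|End of PGP output|BEGIN PGP SIGNED MESSAGE|END PGP SIGNED MESSAGE)")
# Escape sequences that allow_ansi would turn into colour/attribute markup.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")

def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""

def has_real_signature(msg):
    # Structural check only (PGP/MIME or inline clearsign); it does not verify the signature.
    text = body_text(msg)
    return msg.get_content_type() == "multipart/signed" or (
        "-----BEGIN PGP SIGNED MESSAGE-----" in text and "-----BEGIN PGP SIGNATURE-----" in text)

def audit(raw):
    # Flag bodies that fake mutt's banners while the message carries no real signature.
    msg = email.message_from_string(raw, policy=policy.default)
    text = body_text(msg)
    banners = [line for line in text.splitlines() if BANNER_RE.match(line)]
    signed = has_real_signature(msg)
    return {"signed": signed, "spoofed_banners": banners, "suspicious": bool(banners) and not signed,
            "ansi_sequences": len(ANSI_RE.findall(text))}
```

A real reader-side defence is still the one the manual points at: check $crypt_timestamp and let mutt, not the message body, tell you whether a signature verified.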
