Minced words
July 12, 2002 12:05 PM

Minced words NTK is reporting that a bug in Yahoo Mail causes inbound email containing script keywords like "eval" to be modified even when they are used innocuously. One result is that any instance of the string "eval" gets changed to "review", even when it's a substring of a larger word. Note the large number of documents on the web that use the words medireview (for "medieval"), reviewuate (for "evaluate"), and reviewuation (for "evaluation"). Is this entirely the result of the Yahoo Mail issue, or do these transformations occur in other web authoring applications?
posted by dougb (20 comments total)
I just did some testing, and "eval" in my yahoo mail, incoming or outgoing, doesn't do anything. It's just "eval", "medieval", "evaluate", "evaluation" ...

I don't think it's yahoo's bug.
posted by jozxyqk at 12:12 PM on July 12, 2002

As long as this doesn't affect the great motorcyclist Review Knreview, who cares?
posted by interrobang at 12:13 PM on July 12, 2002

Maybe they fixed this? It appears to have been around for a while.

I like the comment from the editor in that thread that says "I was puzzling over the primreview words from our copywriter"... also, someone in there notes it's only when viewing HTML email, which might be why you didn't see it.

I don't blame yahoo much, although they could have written better filters, the real problem here is that HTML email is the work of the devil.
posted by malphigian at 12:23 PM on July 12, 2002

"eval" could be a cookie that they put into their software, or -- more likely -- something they used for testing purposes that they forgot to remove.
posted by moz at 12:44 PM on July 12, 2002

eval in most languages can be extremely dangerous (it evaluates the string in a variable as code). It's one of the most basic ways to hack cgi scripts that take code, so in many input validation scripts it is dealt with (not necessarily removed or replaced but dealt with in some way).

This apparently old problem seemed to be a bad implementation of input validation.
posted by bitdamaged at 12:48 PM on July 12, 2002

moz: I think there is no question this is an intentional attempt to protect against exploits (altho I can't honestly say which ones).

eval() is a standard ECMAScript (i.e. javascript and actionscript) method that allows you to convert a string into code. Not surprised that it might be used in exploits, as you could slip things past as harmless looking strings and then reconstruct your hostile script using eval().
posted by malphigian at 12:53 PM on July 12, 2002

doh, bitdamaged beat me to it.
posted by malphigian at 12:53 PM on July 12, 2002

It changed some of the words in an email I sent to myself from another account.
Outgoing message: I want to evaluate your evaluation. This is a coeval pressurevalve job. Eval.

Incoming message: I want to evaluate your evaluation. This is a coreview pressurevalve job. review.

So the bug is still there.
posted by Holden at 12:59 PM on July 12, 2002

HTML email is the work of the devil

Agreed. Yahoo Mail also converts the BASE HREF tag to the letter "x" when it finds it in an email. Other clients exhibit a similar behavior. I assume this is to prevent older browsers from adding the url to every link on the page, rather than just the email. At least Yahoo! is nice enough to append the URL to the front of every link (and img src) in the email. I can't blame them for taking a close look at "eval" especially if it were followed by a (.
posted by yerfatma at 1:01 PM on July 12, 2002

Or, based on Holden's test, any whitespace character. I tried it with a few more. Subject lines are unaffected in any case:

Primreview evaluations are coreview with the overall review. Retrireview of prevalent chevaliers is quinqureview. quinqureview? quinqureview! quinqureview- quinqureview( quinqureview) quinqreview quinqureview_

(Sue me. I grepped my big Dic.)

Safe to say, this makes Yahoo part of the Axis of Eval.
posted by dhartung at 2:05 PM on July 12, 2002

It's amusing to do a Google search for medireview.
posted by tippiedog at 2:31 PM on July 12, 2002

Maybe I'm missing something, but why again are there HTML e-mails? The only people I know that use it are spammers, I can't imagine anyone ever going "Damn, if only I could have added some tables to that e-mail".
posted by geoff. at 2:31 PM on July 12, 2002

netscape added them in 3.0 i think. or maybe 2.0.
posted by moz at 2:35 PM on July 12, 2002

I can't imagine anyone ever going "Damn, if only I could have added some tables to that e-mail"

You've never had to work with the drones in marketing, eh?

"Make that logo bigger! And make it <BLINK>!"
posted by ook at 3:44 PM on July 12, 2002

This is ludicrous. If they're allowing mail messages to be executed as Perl or PHP or whatever, they deserve what they get. And it's extremely easy to do a regexp to change HTML tags to innocuous plain text when it's displayed in the browser. Changing the < and > characters to &lt; and &gt; should do 90% of it. PHP even has a strip_tags() command.

Bah. Buncha tards.
posted by RylandDotNet at 3:44 PM on July 12, 2002

or with people who don't know it's HTML mail, but just go...ooooh, I can put backgrounds and fancy pictures in my email!

we switched to outlook at my work last summer, and I'm blown away by how many people sent the most gaudy email.
posted by epersonae at 7:52 PM on July 12, 2002

Most people have no idea they're sending "HTML e-mail". They just want to send everything in 14-point blue Comic Sans.
posted by dhartung at 8:42 PM on July 12, 2002

If this was actually the work of that dude that lives in Hell, wouldn't he be called (via Yahoo! mail) the dereview?
(little joke about |--| <- that big)
posted by verso at 9:14 PM on July 12, 2002

Ryland: You seem to be misunderstanding the problem, of course they aren't executing random emails as server side code (this would result in piles of runtime errors in every email), they are worried about client side exploits using javascript, ActiveX controls, and the like.

They can't just use strip_tags, as they are clearly trying to display "valid" HTML emails, which are increasingly common among more than just spammers, but just remove the "bad" javascript commands and tags.

But your other point is a good one, a better regex could have found eval()s as code without damaging regular English. Just laziness on the part of Yahoo coders, if you ask me.
posted by malphigian at 11:15 PM on July 12, 2002

Ah, I did indeed misunderstand. But as far as Javascript/VBScript goes, I think it should be stripped out completely, not just the eval() command. There's no need for Javascript in HTML. (There's no need for HTML mail period, IMHO, but people appear to like it.)
posted by RylandDotNet at 12:03 PM on July 13, 2002
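
Added example (not from any commenter and not Yahoo's code): a model of the rewrite that reproduces Holden's test result above, next to a context-aware filter that removes `<script>` elements and `on*` handler attributes and never edits text. The `naiveFilter` rule is an assumption inferred from the tests posted in this thread, the function names and sample HTML are constructed, and the second filter covers only those two constructs rather than being a full HTML sanitizer.

```javascript
// Holden's test message, quoted from the thread above.
const HOLDEN_SENT =
  "I want to evaluate your evaluation. This is a coeval pressurevalve job. Eval.";
const HOLDEN_RECEIVED =
  "I want to evaluate your evaluation. This is a coreview pressurevalve job. review.";

// Constructed sample HTML mail body (not from the thread).
const SAMPLE_HTML =
  '<p onmouseover="eval(x)">Medieval retrieval.</p><script>eval("1")</script>';

// Model of the observed rewrite (assumption inferred from the thread's tests):
// "eval" in any case, when not followed by another letter, becomes "review".
function naiveFilter(body) {
  return body.replace(/eval(?![a-z])/gi, "review");
}

// Context-aware sketch: act on markup only, never on text.
function contextAwareFilter(html) {
  // 1. Drop <script> elements whole; an unterminated one swallows the rest
  //    of the body, so the filter fails closed.
  const noScript = html.replace(/<script\b[\s\S]*?(?:<\/script\s*>|$)/gi, "");
  // 2. Visit tags and text runs separately.
  return noScript.replace(/<[^>]*>|[^<]+|</g, (tok) => {
    if (tok === "<") return "&lt;";      // stray bracket: escape it
    if (tok[0] !== "<") return tok;      // text run: returned verbatim
    // Tag: remove on* event-handler attributes, keep everything else.
    return tok.replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
  });
}

console.log(naiveFilter(HOLDEN_SENT));
console.log(contextAwareFilter(HOLDEN_SENT));
console.log(naiveFilter(SAMPLE_HTML));
console.log(contextAwareFilter(SAMPLE_HTML));
```

The keyword rewrite mangles the prose and still leaves the handler attribute and script element in the markup, while the context-aware pass removes both and returns the words unchanged.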
