Return-Path: <dmitry.kurochkin@gmail.com>
X-Original-To: notmuch@notmuchmail.org
Delivered-To: notmuch@notmuchmail.org
Received: from localhost (localhost [127.0.0.1])
        by olra.theworths.org (Postfix) with ESMTP id 6C9A740EC26
        for <notmuch@notmuchmail.org>; Tue, 31 Jan 2012 18:51:14 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
        FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled
Received: from olra.theworths.org ([127.0.0.1])
        by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id N2SqEZkRi1zm for <notmuch@notmuchmail.org>;
        Tue, 31 Jan 2012 18:51:12 -0800 (PST)
Received: from mail-bk0-f53.google.com (mail-bk0-f53.google.com
        [209.85.214.53]) (using TLSv1 with cipher RC4-SHA (128/128 bits))
        (No client certificate requested)
        by olra.theworths.org (Postfix) with ESMTPS id 78521421192
        for <notmuch@notmuchmail.org>; Tue, 31 Jan 2012 18:51:09 -0800 (PST)
Received: by mail-bk0-f53.google.com with SMTP id 11so662809bke.26
        for <notmuch@notmuchmail.org>; Tue, 31 Jan 2012 18:51:09 -0800 (PST)
Received: by 10.204.152.141 with SMTP id g13mr9622984bkw.48.1328064669152;
        Tue, 31 Jan 2012 18:51:09 -0800 (PST)
Received: from localhost ([91.144.186.21])
        by mx.google.com with ESMTPS id ew13sm50144418bkb.1.2012.01.31.18.51.08
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 31 Jan 2012 18:51:08 -0800 (PST)
From: Dmitry Kurochkin <dmitry.kurochkin@gmail.com>
To: notmuch@notmuchmail.org
Subject: [PATCH v3 2/2] emacs: quote MML tags in replies
Date: Wed, 1 Feb 2012 06:49:41 +0400
Message-Id: <1328064581-13949-3-git-send-email-dmitry.kurochkin@gmail.com>
X-Mailer: git-send-email 1.7.9
In-Reply-To: <1328064581-13949-1-git-send-email-dmitry.kurochkin@gmail.com>
References: <1326998589-37187-1-git-send-email-aaronecay@gmail.com>
        <1328064581-13949-1-git-send-email-dmitry.kurochkin@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
List-Id: "Use and development of the notmuch mail system."
        <notmuch.notmuchmail.org>
List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
        <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
        <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2012 02:51:14 -0000

From: Aaron Ecay <aaronecay@gmail.com>

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail. If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files

 NEWS | 12 ++++++++++++
 emacs/notmuch-mua.el | 7 ++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)

76 diff --git a/NEWS b/NEWS
\r
77 index 2acdce5..ef26b8c 100644
\r
80 @@ -39,6 +39,17 @@ Reply to sender
\r
81 and search modes, 'r' has been bound to reply to sender, replacing
\r
82 reply to all, which now has key binding 'R'.
\r
84 +Quote MML tags in replies
\r
86 + MML tags are text codes that Emacs uses to indicate attachments
\r
87 + (among other things) in messages being composed. The Emacs
\r
88 + interface did not quote MML tags in the quoted text of a reply.
\r
89 + User could be tricked into replying to a maliciously formatted
\r
90 + message and not editing out the MML tags from the quoted text. This
\r
91 + could lead to files from the user's machine being attached to the
\r
92 + outgoing message. The Emacs interface now quotes these tags in
\r
93 + reply text, so that they do not effect outgoing messages.
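Review bot: In the last added sentence of this NEWS entry, "so that they do not effect outgoing messages" should read "affect", and "User could be tricked" a few lines earlier needs an article ("A user could be tricked"). The wording "quotes these tags in reply text" could also be tightened to "in the quoted text of a reply", which matches the first half of the entry and the code comment in emacs/notmuch-mua.el about leaving the signature unquoted.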
\r
98 @@ -56,6 +67,7 @@ Compatibility with GMime 2.6
\r
99 However, a bug in current GMime 2.6 causes notmuch not to report
\r
100 signatures where the signer key is unavailable (GNOME bug 668085).
\r
103 Notmuch 0.11 (2012-01-13)
\r
104 =========================
\r
106 diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
\r
107 index 023645e..4be7c13 100644
\r
108 --- a/emacs/notmuch-mua.el
\r
109 +++ b/emacs/notmuch-mua.el
\r
110 @@ -116,7 +116,12 @@ list."
\r
112 (set-buffer-modified-p nil)
\r
114 - (message-goto-body))
\r
115 + (message-goto-body)
\r
116 + ;; Original message may contain (malicious) MML tags. We must
\r
117 + ;; properly quote them in the reply. Note that using `point-max'
\r
118 + ;; instead of `mark' here is wrong. The buffer may include user's
\r
119 + ;; signature which should not be MML-quoted.
\r
120 + (mml-quote-region (point) (mark)))
\r
122 (defun notmuch-mua-forward-message ()
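Review bot: The end bound in the added `(mml-quote-region (point) (mark))` depends on the mark having been left at the end of the quoted text by code that is outside this hunk, and the new comment explains why `point-max` is wrong but not where the mark is set. Plain `(mark)` also signals an error when the mark is inactive and `mark-even-if-inactive` is nil, so `(mark t)` or an explicitly saved end position would make the quoting step more robust; a failure here would leave the MML tags unquoted in the reply buffer. The call also comes after `(set-buffer-modified-p nil)`, so a reply whose quoted text contained MML tags starts out marked as modified; moving the quoting before that line, or clearing the flag again afterwards, would avoid that.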
\r
124 diff --git a/test/emacs b/test/emacs
\r
125 index a3f4893..b9f7d15 100755
\r
128 @@ -274,7 +274,6 @@ EOF
\r
129 test_expect_equal_file OUTPUT EXPECTED
\r
131 test_begin_subtest "Quote MML tags in reply"
\r
132 -test_subtest_known_broken
\r
133 message_id='test-emacs-mml-quoting@message.id'
\r
134 add_message [id]="$message_id" \
\r
135 "[subject]='$test_subtest_name'" \
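Review bot: Removing `test_subtest_known_broken` enables the existing "Quote MML tags in reply" subtest, but nothing visible in this hunk exercises the case that the comment in emacs/notmuch-mua.el singles out, namely a user's signature that must not be MML-quoted. A second subtest that generates a reply with a signature configured would pin the choice of `mark` over `point-max` and catch a regression if the bound is changed later.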
\r