Re: cli/insert: do not lose the SMTP envelope
author Jani Nikula <jani@nikula.org>
Sun, 3 Jan 2016 16:15:05 +0000 (18:15 +0200)
committer W. Trevor King <wking@tremily.us>
Sat, 20 Aug 2016 21:50:20 +0000 (14:50 -0700)
75/c37626da13f3182fd5b249d582a03cf793bd28 [new file with mode: 0644]

diff --git a/75/c37626da13f3182fd5b249d582a03cf793bd28 b/75/c37626da13f3182fd5b249d582a03cf793bd28
new file mode 100644 (file)
index 0000000..63392e7
--- /dev/null
@@ -0,0 +1,149 @@
+Return-Path: <jani@nikula.org>\r
+X-Original-To: notmuch@notmuchmail.org\r
+Delivered-To: notmuch@notmuchmail.org\r
+Received: from localhost (localhost [127.0.0.1])\r
+ by arlo.cworth.org (Postfix) with ESMTP id A5D736DE17E7\r
+ for <notmuch@notmuchmail.org>; Sun,  3 Jan 2016 08:16:01 -0800 (PST)\r
+X-Virus-Scanned: Debian amavisd-new at cworth.org\r
+X-Spam-Flag: NO\r
+X-Spam-Score: -0.546\r
+X-Spam-Level: \r
+X-Spam-Status: No, score=-0.546 tagged_above=-999 required=5 tests=[AWL=0.174,\r
+  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\r
+ RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=disabled\r
+Received: from arlo.cworth.org ([127.0.0.1])\r
+ by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)\r
+ with ESMTP id 4xhmmBYNxpUl for <notmuch@notmuchmail.org>;\r
+ Sun,  3 Jan 2016 08:15:59 -0800 (PST)\r
+Received: from mail-wm0-f52.google.com (mail-wm0-f52.google.com\r
+ [74.125.82.52]) by arlo.cworth.org (Postfix) with ESMTPS id D9E386DE17DC for\r
+ <notmuch@notmuchmail.org>; Sun,  3 Jan 2016 08:15:58 -0800 (PST)\r
+Received: by mail-wm0-f52.google.com with SMTP id b14so154529439wmb.1\r
+ for <notmuch@notmuchmail.org>; Sun, 03 Jan 2016 08:15:58 -0800 (PST)\r
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r
+ d=nikula-org.20150623.gappssmtp.com; s=20150623;\r
+ h=from:to:cc:subject:in-reply-to:references:user-agent:date\r
+ :message-id:mime-version:content-type;\r
+ bh=YFLva8nldvXFqknO4RszXXea1JM7qmOKZL1zxiOzbrs=;\r
+ b=FcF/UNI8tOUU/h7r7/pUTkEllNYgyuc0yisZ40EHfDMU0hj8Hj3VXAqxJQLSe6Lxby\r
+ dCs/QOY4Jr0FLhei8szKSXQyFTvwQvtKQwQ0Ovocy1SrBcNgcLm9tHbPEw+Afq6LD6kj\r
+ xj7NBslH4UL+Q6g0kMUOdQRffZvpT9sx3pEOaWsd+yqmmxZqslOihoHv53AIsg0ro28z\r
+ lQW2LzYf+Db+e/x1NX9racoy0vRjudbcN6Il6yqU5ShPNEPoPmcR5x0cXMk6D8bs3c+H\r
+ WqrsohDWUWPZj9NJCQHujmaF/sdHuusuhTvGqa/2jaQCyNpr4bNr+kBOstj8vj4+TAVH\r
+ wlKg==\r
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r
+ d=1e100.net; s=20130820;\r
+ h=x-gm-message-state:from:to:cc:subject:in-reply-to:references\r
+ :user-agent:date:message-id:mime-version:content-type;\r
+ bh=YFLva8nldvXFqknO4RszXXea1JM7qmOKZL1zxiOzbrs=;\r
+ b=A8Wboz4QnCQTa8qYTqiKQEgR7BsQIGncuI2C6aeNbZASlSZFj9vYFoWlteuEZ5U/w4\r
+ uuTIZMknM6YHUEhZm0SOOC3fWmg1RsOY6RQSJCD0z0xy0bHFBfZq8myBXfpfd+Bwwjrd\r
+ e2xiFmH9VR0HHzgW7o0ObkUAmj4cdWVqXbZuZnYAdVmfRO4pSmHR70LNqnTBhp7vNIKS\r
+ LSPYiqpb0bzdeoZYR7jN2Ob3SlAFleoB7b/SvlJwsA+836LGFz46/80ISl2Nu/1xu6oA\r
+ a6HfpcgN+zyhLQtHO2+LFj2ki9MP95T03M65Q3cGANmtMuaTH8ZMssnwzqB/dqYj9v7N\r
+ NiiQ==\r
+X-Gm-Message-State: ALoCoQmP74ZERLotASaLdSa8JE5Kwz8/FXayiUTnNzAx37rLhRWi7z2uToen+F6eRtp0DyhJGSkiI/LkB3xhcbMMroUhQpWdHw==\r
+X-Received: by 10.194.236.6 with SMTP id uq6mr91200268wjc.126.1451837757395;\r
+ Sun, 03 Jan 2016 08:15:57 -0800 (PST)\r
+Received: from localhost (mobile-access-bceec9-49.dhcp.inet.fi.\r
+ [188.238.201.49])\r
+ by smtp.gmail.com with ESMTPSA id qs1sm21237783wjc.2.2016.01.03.08.15.55\r
+ (version=TLSv1/SSLv3 cipher=OTHER);\r
+ Sun, 03 Jan 2016 08:15:55 -0800 (PST)\r
+From: Jani Nikula <jani@nikula.org>\r
+To: J Farkas <jf.hyqohaczlksw4tx6ae@l2015aftruuq.dns007.net>,\r
+ notmuch@notmuchmail.org\r
+Cc: Tomi Ollila <tomi.ollila@iki.fi>\r
+Subject: Re: cli/insert: do not lose the SMTP envelope\r
+In-Reply-To: <1451735416.13.504ebc4c@201601.l2015aftruuq.dns007.net>\r
+References: <1451647279.42.86b0a8ab@201601.l2015aftruuq.dns007.net>\r
+ <m2a8oob4ql.fsf@guru.guru-group.fi>\r
+ <1451735416.13.504ebc4c@201601.l2015aftruuq.dns007.net>\r
+User-Agent: Notmuch/0.21+34~ge1fb729 (http://notmuchmail.org) Emacs/24.4.1\r
+ (x86_64-pc-linux-gnu)\r
+Date: Sun, 03 Jan 2016 18:15:05 +0200\r
+Message-ID: <877fjqwsfq.fsf@nikula.org>\r
+MIME-Version: 1.0\r
+Content-Type: text/plain\r
+X-BeenThere: notmuch@notmuchmail.org\r
+X-Mailman-Version: 2.1.20\r
+Precedence: list\r
+List-Id: "Use and development of the notmuch mail system."\r
+ <notmuch.notmuchmail.org>\r
+List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
+List-Archive: <http://notmuchmail.org/pipermail/notmuch/>\r
+List-Post: <mailto:notmuch@notmuchmail.org>\r
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
+List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
+X-List-Received-Date: Sun, 03 Jan 2016 16:16:01 -0000\r
+\r
+On Sat, 02 Jan 2016, J Farkas <jf.hyqohaczlksw4tx6ae@l2015aftruuq.dns007.net> wrote:\r
+> On 2016-01-02 at 13:28:02, Tomi Ollila wrote:\r
+>> On Fri, Jan 01 2016, J Farkas <jf.hyqohaczlksw4tx6ae@l2015aftruuq.dns007.net> wrote:\r
+>> > Make sure we store the envelope sender/recipient if provided by\r
+>> > qmail-command(8) in $RPLINE and $DTLINE.\r
+>> > ---\r
+>> \r
+>> Probably good feature, but like\r
+>> http://www.qmail.org/man/man8/qmail-command.html \r
+>> says:\r
+>> \r
+>>           qmail-local supplies several useful environment variables to\r
+>>           command.  WARNING: These environment variables are not\r
+>>           quoted.  They may contain special characters.  They are\r
+>>           under the control of a possibly malicious remote user.\r
+>> \r
+>> Should we check that the contents of RPLINE and DTLINE are well-formed\r
+>> before writing these to the mail files ?\r
+>\r
+> Thank you for reviewing and being so careful!\r
+>\r
+> That warning is not applicable for the *LINE variables which are\r
+> supposed to end up in the message without further munging (they even\r
+> have the LF appended already).\r
+>\r
+> The extra carefulness is only relevant for anyone trying to *parse*\r
+> those strings, like $EXT via unsafe languages, when EXT becomes the\r
+> part following the dash after the username (considering \r
+> bgates-(){:;};shutdown@example.org for example)\r
+\r
+We should already assume that the messages can contain basically any\r
+malicious content, and we should treat them like that. Adding malicious\r
+content at this step should not trip us over.\r
+\r
+The question is, could this make it easier for Mallory to inject\r
+malicious content to otherwise good messages? The environment variables\r
+in question could contain a whole message, hiding the actual\r
+message. Not sure how one could control the environment without being\r
+able to do a whole lot of other, potentially more malicious things.\r
+\r
+BR,\r
+Jani.\r
+\r
+\r
+>\r
+> It still should be what the envelope sender was, and what was considered\r
+> valid at the time.\r
+>\r
+> I actually checked if there's any relevance for this warning: most\r
+> maildir delivering program does it already in one form or the other; in\r
+> fact, there is a command in the qmail distribution:\r
+> http://www.qmail.org/man/man1/preline.html which does the exact same\r
+> getenv and copy to the output.\r
+>\r
+> If you'd liek to confirm, there's one repo for what seems to be the\r
+> original qmail source for this file shows even DJB does it the same way:\r
+>\r
+> https://github.com/c-rack/qmail/blob/master/preline.c\r
+>\r
+> I would think it's not worth the extra fork and pipe for this.  I don't\r
+> see how anyone could do without these headers saved, to be honest :)\r
+>\r
+> Janos\r
+>\r
+> _______________________________________________\r
+> notmuch mailing list\r
+> notmuch@notmuchmail.org\r
+> https://notmuchmail.org/mailman/listinfo/notmuch\r
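Review bot: every added line in this new file, from the `Return-Path:` header down to the Mailman footer, ends in a carriage return (`\r`), so the message is committed with CRLF line endings, and nothing visible here says whether that is intended. If the archive is meant to keep each message byte-for-byte as delivered, state that in the commit message or the repository documentation and make sure no line-ending normalization applies to these paths; otherwise store the file with LF endings so the folded `Received:` and `DKIM-Signature:` headers do not carry a trailing CR into tools that read the file.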