Re: privacy problem: text/html parts pull in network resources

diff --git a/5f/9c5c7859cd0cf511c145e8b92687dd78c0dc29 b/5f/9c5c7859cd0cf511c145e8b92687dd78c0dc29
new file mode 100644 (file)
index 0000000..b117d27
--- /dev/null
+++ b/5f/9c5c7859cd0cf511c145e8b92687dd78c0dc29
@@ -0,0 +1,97 @@
+Return-Path: <aclements@csail.mit.edu>\r
+X-Original-To: notmuch@notmuchmail.org\r
+Delivered-To: notmuch@notmuchmail.org\r
+Received: from localhost (localhost [127.0.0.1])\r
+       by olra.theworths.org (Postfix) with ESMTP id A0E78431FC9\r
+       for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 13:14:15 -0800 (PST)\r
+X-Virus-Scanned: Debian amavisd-new at olra.theworths.org\r
+X-Spam-Flag: NO\r
+X-Spam-Score: 0.138\r
+X-Spam-Level: \r
+X-Spam-Status: No, score=0.138 tagged_above=-999 required=5\r
+       tests=[DNS_FROM_AHBL_RHSBL=2.438, RCVD_IN_DNSWL_MED=-2.3]\r
+       autolearn=disabled\r
+Received: from olra.theworths.org ([127.0.0.1])\r
+       by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)\r
+       with ESMTP id RaOTj7P383G7 for <notmuch@notmuchmail.org>;\r
+       Wed, 21 Jan 2015 13:14:13 -0800 (PST)\r
+Received: from outgoing.csail.mit.edu (outgoing.csail.mit.edu [128.30.2.149])\r
+       by olra.theworths.org (Postfix) with ESMTP id EE39B431FBC\r
+       for <notmuch@notmuchmail.org>; Wed, 21 Jan 2015 13:14:12 -0800 (PST)\r
+Received: from [104.131.20.129] (helo=awakeningjr)\r
+       by outgoing.csail.mit.edu with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16)\r
+       (Exim 4.72) (envelope-from <aclements@csail.mit.edu>)\r
+       id 1YE2bH-0007IS-T3; Wed, 21 Jan 2015 16:14:07 -0500\r
+Received: from amthrax by awakeningjr with local (Exim 4.84)\r
+       (envelope-from <aclements@csail.mit.edu>)\r
+       id 1YE2bH-0001Oc-Eu; Wed, 21 Jan 2015 16:14:07 -0500\r
+Date: Wed, 21 Jan 2015 16:14:07 -0500\r
+From: Austin Clements <aclements@csail.mit.edu>\r
+To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>\r
+Subject: Re: privacy problem: text/html parts pull in network resources\r
+Message-ID: <20150121211407.GK22599@csail.mit.edu>\r
+References: <87ppa7q25w.fsf@alice.fifthhorseman.net>\r
+MIME-Version: 1.0\r
+Content-Type: text/plain; charset=us-ascii\r
+Content-Disposition: inline\r
+In-Reply-To: <87ppa7q25w.fsf@alice.fifthhorseman.net>\r
+User-Agent: Mutt/1.5.23 (2014-03-12)\r
+Cc: notmuch mailing list <notmuch@notmuchmail.org>\r
+X-BeenThere: notmuch@notmuchmail.org\r
+X-Mailman-Version: 2.1.13\r
+Precedence: list\r
+List-Id: "Use and development of the notmuch mail system."\r
+       <notmuch.notmuchmail.org>\r
+List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,\r
+       <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
+List-Archive: <http://notmuchmail.org/pipermail/notmuch>\r
+List-Post: <mailto:notmuch@notmuchmail.org>\r
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
+List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,\r
+       <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
+X-List-Received-Date: Wed, 21 Jan 2015 21:14:15 -0000\r
+\r
+I have a fix for this on shr buried deep in an old patch series that I\r
+never got back to: id:1398105468-14317-12-git-send-email-amdragon@mit.edu\r
+\r
+For shr, the key is to set shr-blocked-images to ".".  However, IIRC,\r
+in the current notmuch message rendering pipeline, mm overrides this\r
+variable with something computed from gnus-blocked-images.  That said,\r
+I'm not sure why gnus-blocked-images isn't *already* taking care of\r
+this, but that's probably the place to start digging.\r
+\r
+Quoth Daniel Kahn Gillmor on Jan 21 at  4:00 pm:\r
+> If i send a message with a text/html part (either it's only text/html,\r
+> or all parts are rendered, or it's multipart/alternative with only a\r
+> text/html subpart) and that HTML has <img\r
+> src="http://example.org/test.png"/> in it, then notmuch will make a\r
+> network request for that image.\r
+> \r
+> This is a privacy disaster, because it enables an e-mail sender to use\r
+> "web bugs" to tell when a given notmuch user has opened their e-mail.\r
+> \r
+> It's also a bit of a consistency/storage/indexing disaster because it\r
+> means that what you see when you open a given message will change\r
+> depending on the network environment you're in when you open it.\r
+> \r
+> It's also potentially a security problem because it means that anyone in\r
+> control of the remote server (or the network between you and the remote\r
+> server if the image isn't sourced over https) can feed arbitrary data\r
+> into whatever emacs image rendering library is being used.  (granted,\r
+> this is not a unique problem because this can already be done by the\r
+> original message sender with a multipart/mixed message, but it's an\r
+> additional exposure of attack surface)\r
+> \r
+> I just raised this on #notmuch, and i don't have the time or the\r
+> knowledge to look into it now, but i think the defaults here need to be\r
+> to avoid network access entirely unless the user explicitly requests it.\r
+> \r
+>    --dkg\r
+\r
+\r
+\r
+> _______________________________________________\r
+> notmuch mailing list\r
+> notmuch@notmuchmail.org\r
+> http://notmuchmail.org/mailman/listinfo/notmuch\r
+\r