From 2e3f52895ec2214a2a585f8d47e745b6db6b7163 Mon Sep 17 00:00:00 2001 From: Jinwoo Lee Date: Tue, 3 Feb 2015 12:41:31 +1600 Subject: [PATCH] Re: [PATCH] emacs: Add a defcustom that specifies regexp for blocked remote images. --- 86/8d9f573c1296ee6802f4f23ddd1eb09a496ae5 | 160 ++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 86/8d9f573c1296ee6802f4f23ddd1eb09a496ae5 diff --git a/86/8d9f573c1296ee6802f4f23ddd1eb09a496ae5 b/86/8d9f573c1296ee6802f4f23ddd1eb09a496ae5 new file mode 100644 index 000000000..cea41df4e --- /dev/null +++ b/86/8d9f573c1296ee6802f4f23ddd1eb09a496ae5 @@ -0,0 +1,160 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 699AC431FC2 + for ; Mon, 2 Feb 2015 12:41:35 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 2.639 +X-Spam-Level: ** +X-Spam-Status: No, score=2.639 tagged_above=-999 required=5 + tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, + DNS_FROM_AHBL_RHSBL=2.438, FREEMAIL_ENVFROM_END_DIGIT=1, + FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id TM8jnAuKYu+r for ; + Mon, 2 Feb 2015 12:41:32 -0800 (PST) +Received: from mail-ie0-f174.google.com (mail-ie0-f174.google.com + [209.85.223.174]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) + (No client certificate requested) + by olra.theworths.org (Postfix) with ESMTPS id 21EE8431FC0 + for ; Mon, 2 Feb 2015 12:41:32 -0800 (PST) +Received: by mail-ie0-f174.google.com with SMTP id vy18so20351285iec.5 + for ; Mon, 02 Feb 2015 12:41:31 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; + h=from:to:subject:in-reply-to:references:user-agent:date:message-id + :mime-version:content-type; + bh=Mbe/eSzkRHC3BQQO//CVBs7fnQI0jMM2LJXkNfBeyOc=; + b=j0mcpW3FAYZ+eeJnI9ERzZqBmxx+CAs09rdo6G/yVE/Mg5ONCL+IwE7qZE8IQruf0t + miHgXAKv593ZxYh73OL+oV/cEKJHxmhi9Ca1xSeF/SGkdVwowrNW3xzwEN4r/h2eW0mG + 2Zn3q8AHFWvnGST0GVnMCcYtMrROubt1eTxlYNRFD5jp8BCYk15nCX7uRCuxdiPaEPC3 + auY0550wYPgXPMX6+yyE6IbcCX7JZ8gg79Mc8g91+yKzbKs2C6tfUn6ksbI8qt1w+ezr + Dahai86drtPtH1JWfvl9l37d8BjKwFpuwaklVGcFAZNODx9NbOq1bFhPK5ZUK9pgkuMf + lYiA== +X-Received: by 10.107.170.162 with SMTP id g34mr20707717ioj.7.1422909691470; + Mon, 02 Feb 2015 12:41:31 -0800 (PST) +Received: from localhost ([2620:0:1000:407c:317e:4baf:6671:315a]) + by mx.google.com with ESMTPSA id y5sm6699093ign.7.2015.02.02.12.41.30 + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Mon, 02 Feb 2015 12:41:30 -0800 (PST) +From: Jinwoo Lee +To: Tomi Ollila , notmuch@notmuchmail.org +Subject: Re: [PATCH] emacs: Add a defcustom that specifies regexp for + blocked remote images. +In-Reply-To: +References: <1422903246-8621-1-git-send-email-jinwoo68@gmail.com> + +User-Agent: Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.4.1 + (x86_64-apple-darwin13.2.0) +Date: Mon, 02 Feb 2015 12:41:31 -0800 +Message-ID: +MIME-Version: 1.0 +Content-Type: text/plain +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Mon, 02 Feb 2015 20:41:35 -0000 + +On Mon, Feb 2, 2015 at 12:32 PM, Tomi Ollila wrote: +> On Mon, Feb 02 2015, Jinwoo Lee wrote: +> +>> It's default value is ".", meaning all remote images will be blocked +>> by default. +>> +>> --- +>> Addressed review comments. +> +> Ok, looks good to me. David can perhaps amend away the (accidental) +> whitespace change in the last hunk ? + +Ah, sorry about that. I can revert if needed. + +> +> Tomi +> +> +>> --- +>> emacs/notmuch-show.el | 27 +++++++++++++++++++-------- +>> 1 file changed, 19 insertions(+), 8 deletions(-) +>> +>> diff --git a/emacs/notmuch-show.el b/emacs/notmuch-show.el +>> index 66350d4..5d939bb 100644 +>> --- a/emacs/notmuch-show.el +>> +++ b/emacs/notmuch-show.el +>> @@ -136,6 +136,13 @@ indentation." +>> :type 'boolean +>> :group 'notmuch-show) +>> +>> +;; By default, block all external images to prevent privacy leaks and +>> +;; potential attacks. +>> +(defcustom notmuch-show-text/html-blocked-images "." +>> + "Remote images that have URLs matching this regexp will be blocked." +>> + :type '(choice (const nil) regexp) +>> + :group 'notmuch-show) +>> + +>> (defvar notmuch-show-thread-id nil) +>> (make-variable-buffer-local 'notmuch-show-thread-id) +>> (put 'notmuch-show-thread-id 'permanent-local t) +>> @@ -771,14 +778,21 @@ will return nil if the CID is unknown or cannot be retrieved." +>> ;; It's easier to drive shr ourselves than to work around the +>> ;; goofy things `mm-shr' does (like irreversibly taking over +>> ;; content ID handling). +>> - (notmuch-show--insert-part-text/html-shr msg part) +>> + +>> + ;; FIXME: If we block an image, offer a button to load external +>> + ;; images. +>> + (let ((shr-blocked-images notmuch-show-text/html-blocked-images)) +>> + (notmuch-show--insert-part-text/html-shr msg part)) +>> ;; Otherwise, let message-mode do the heavy lifting +>> ;; +>> ;; w3m sets up a keymap which "leaks" outside the invisible region +>> ;; and causes strange effects in notmuch. We set +>> ;; mm-inline-text-html-with-w3m-keymap to nil to tell w3m not to +>> ;; set a keymap (so the normal notmuch-show-mode-map remains). +>> - (let ((mm-inline-text-html-with-w3m-keymap nil)) +>> + (let ((mm-inline-text-html-with-w3m-keymap nil) +>> + ;; FIXME: If we block an image, offer a button to load external +>> + ;; images. +>> + (gnus-blocked-images notmuch-show-text/html-blocked-images)) +>> (notmuch-show-insert-part-*/* msg part content-type nth depth button)))) +>> +>> ;; These functions are used by notmuch-show--insert-part-text/html-shr +>> @@ -797,17 +811,14 @@ will return nil if the CID is unknown or cannot be retrieved." +>> ;; shr strips the "cid:" part of URL, but doesn't +>> ;; URL-decode it (see RFC 2392). +>> (let ((cid (url-unhex-string url))) +>> - (first (notmuch-show--get-cid-content cid))))) +>> - ;; Block all external images to prevent privacy leaks and +>> - ;; potential attacks. FIXME: If we block an image, offer a +>> - ;; button to load external images. +>> - (shr-blocked-images ".")) +>> + (first (notmuch-show--get-cid-content cid)))))) +>> (shr-insert-document dom) +>> t)) +>> +>> (defun notmuch-show-insert-part-*/* (msg part content-type nth depth button) +>> ;; This handler _must_ succeed - it is the handler of last resort. +>> - (notmuch-mm-display-part-inline msg part content-type notmuch-show-process-crypto) +>> + (notmuch-mm-display-part-inline msg part content-type +>> + notmuch-show-process-crypto) +>> t) +>> +>> ;; Functions for determining how to handle MIME parts. +>> -- +>> 2.2.2 +>> +>> _______________________________________________ +>> notmuch mailing list +>> notmuch@notmuchmail.org +>> http://notmuchmail.org/mailman/listinfo/notmuch -- 2.26.2