From dc502e0d9976c73286dd497079c9d9d1d72a33e5 Mon Sep 17 00:00:00 2001
From: Tomi Ollila
Date: Sun, 20 Oct 2013 20:49:20 +0300
Subject: [PATCH] Re: [PATCH WIP] emacs: Sanitize authors and subjects in search and show
---
8b/4c4fbed5b34657b485ee9dbb73c446d5644f12 | 152 ++++++++++++++++++++++
1 file changed, 152 insertions(+)
create mode 100644 8b/4c4fbed5b34657b485ee9dbb73c446d5644f12
diff --git a/8b/4c4fbed5b34657b485ee9dbb73c446d5644f12 b/8b/4c4fbed5b34657b485ee9dbb73c446d5644f12
new file mode 100644
index 000000000..85a400ec5
--- /dev/null
+++ b/8b/4c4fbed5b34657b485ee9dbb73c446d5644f12
@@ -0,0 +1,152 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by olra.theworths.org (Postfix) with ESMTP id 0BC15431FC2 + for ; Sun, 20 Oct 2013 10:49:35 -0700 (PDT) +X-Virus-Scanned: Debian amavisd-new at olra.theworths.org +X-Spam-Flag: NO +X-Spam-Score: 0 +X-Spam-Level: +X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] + autolearn=disabled +Received: from olra.theworths.org ([127.0.0.1]) + by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id fvs0wwYE6ELi for ; + Sun, 20 Oct 2013 10:49:27 -0700 (PDT) +Received: from guru.guru-group.fi (guru.guru-group.fi [46.183.73.34]) + by olra.theworths.org (Postfix) with ESMTP id 95738431FC0 + for ; Sun, 20 Oct 2013 10:49:26 -0700 (PDT) +Received: from guru.guru-group.fi (localhost [IPv6:::1]) + by guru.guru-group.fi (Postfix) with ESMTP id A7C2710007D; + Sun, 20 Oct 2013 20:49:20 +0300 (EEST) +From: Tomi Ollila +To: Austin Clements , notmuch@notmuchmail.org +Subject: Re: [PATCH WIP] emacs: Sanitize authors and subjects in search and + show +In-Reply-To: <1381499619-14219-1-git-send-email-amdragon@mit.edu> +References: <1381499619-14219-1-git-send-email-amdragon@mit.edu> +User-Agent: Notmuch/0.16+112~g46b74be (http://notmuchmail.org) Emacs/24.3.1 + (x86_64-unknown-linux-gnu) +X-Face: HhBM'cA~ +MIME-Version: 1.0 +Content-Type: text/plain +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.13 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Sun, 20 Oct 2013 17:49:35 -0000 + +On Fri, Oct 11 2013, Austin Clements wrote: + +> Authors and subjects can contain embedded, encoded control characters +> like "\n" and "\t" that mess up display. Transform control characters +> into spaces everywhere we display them in search and show. 
+> --- + +LGTM. + +Tomi + + +> +> This could obviously use some tests, but I thought I'd get it out +> there to see what people thought or if the behavior should be tweaked. +> +> Of course, I can't guarantee that this is all of the places we display +> untrusted header text. I'm really not sure how to make that guarantee +> (suggestions welcome). +> +> emacs/notmuch-lib.el | 6 ++++++ +> emacs/notmuch-show.el | 7 ++++--- +> emacs/notmuch.el | 6 ++++-- +> 3 files changed, 14 insertions(+), 5 deletions(-) +> +> diff --git a/emacs/notmuch-lib.el b/emacs/notmuch-lib.el +> index 58f3313..6541282 100644 +> --- a/emacs/notmuch-lib.el +> +++ b/emacs/notmuch-lib.el +> @@ -243,6 +243,12 @@ depending on the value of `notmuch-poll-script'." +> "[No Subject]" +> subject))) +> +> +(defun notmuch-sanitize (str) +> + "Sanitize control character in STR. +> + +> +This includes newlines, tabs, and other funny characters." +> + (replace-regexp-in-string "[[:cntrl:]\x7f\u2028\u2029]+" " " str)) +> + +> (defun notmuch-escape-boolean-term (term) +> "Escape a boolean term for use in a query. +> +> diff --git a/emacs/notmuch-show.el b/emacs/notmuch-show.el +> index 7325792..fa11d98 100644 +> --- a/emacs/notmuch-show.el +> +++ b/emacs/notmuch-show.el +> @@ -407,7 +407,8 @@ unchanged ADDRESS if parsing fails." +> message at DEPTH in the current thread." +> (let ((start (point))) +> (insert (notmuch-show-spaces-n (* notmuch-show-indent-messages-width depth)) +> - (notmuch-show-clean-address (plist-get headers :From)) +> + (notmuch-sanitize +> + (notmuch-show-clean-address (plist-get headers :From))) +> " (" +> date +> ") (" +> @@ -417,7 +418,7 @@ message at DEPTH in the current thread." +> +> (defun notmuch-show-insert-header (header header-value) +> "Insert a single header." +> - (insert header ": " header-value "\n")) +> + (insert header ": " (notmuch-sanitize header-value) "\n")) +> +> (defun notmuch-show-insert-headers (headers) +> "Insert the headers of the current message." +> 
@@ -1154,7 +1155,7 @@ function is used." +> (jit-lock-register #'notmuch-show-buttonise-links) +> +> ;; Set the header line to the subject of the first message. +> - (setq header-line-format (notmuch-show-strip-re (notmuch-show-get-subject))) +> + (setq header-line-format (notmuch-sanitize (notmuch-show-strip-re (notmuch-show-get-subject)))) +> +> (run-hooks 'notmuch-show-hook)))) +> +> diff --git a/emacs/notmuch.el b/emacs/notmuch.el +> index c47c6b5..44cd2fd 100644 +> --- a/emacs/notmuch.el +> +++ b/emacs/notmuch.el +> @@ -791,11 +791,13 @@ non-authors is found, assume that all of the authors match." +> (plist-get result :total))) +> 'face 'notmuch-search-count))) +> ((string-equal field "subject") +> - (insert (propertize (format format-string (plist-get result :subject)) +> + (insert (propertize (format format-string +> + (notmuch-sanitize (plist-get result :subject))) +> 'face 'notmuch-search-subject))) +> +> ((string-equal field "authors") +> - (notmuch-search-insert-authors format-string (plist-get result :authors))) +> + (notmuch-search-insert-authors +> + format-string (notmuch-sanitize (plist-get result :authors)))) +> +> ((string-equal field "tags") +> (let ((tags (plist-get result :tags))) +> -- +> 1.8.4.rc3 +> +> _______________________________________________ +> notmuch mailing list +> notmuch@notmuchmail.org +> http://notmuchmail.org/mailman/listinfo/notmuch -- 2.26.2
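Review bot: The character class in the quoted `notmuch-sanitize` covers C0 controls, DEL and U+2028/U+2029 but leaves the bidirectional formatting characters (U+202A–U+202E, U+2066–U+2069) in author and subject text, and with Emacs's bidi reordering enabled those can change the order in which an untrusted header is displayed; consider `"[[:cntrl:]\x7f\u2028\u2029\u202a-\u202e\u2066-\u2069]+"`. In the quoted notmuch-show.el hunk at -1154, the sanitized subject is assigned to `header-line-format`, where a string value is still scanned for `%`-constructs, so `%` should also be doubled there, e.g. `(replace-regexp-in-string "%" "%%" (notmuch-sanitize ...))`. `notmuch-sanitize` signals an error on a nil argument, so it is worth confirming that `(plist-get result :subject)` and `:authors` are always strings in the search path, since `format` presumably tolerated nil there before. The functions around the notmuch-show.el and notmuch.el changes start and end outside the quoted hunks, so the remaining display sites, which the author notes may be incomplete, cannot be checked from here.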