From f78d9fef1ae1a33914c7041efaf567b4dd815fd2 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Tue, 9 Aug 2016 19:35:17 +2000
Subject: [PATCH] [PATCH v2] Omit User-Agent: header by default
---
e4/98764ead917674ecf7e94f0e0d2d3166f9474f | 222 ++++++++++++++++++++++
1 file changed, 222 insertions(+)
create mode 100644 e4/98764ead917674ecf7e94f0e0d2d3166f9474f
diff --git a/e4/98764ead917674ecf7e94f0e0d2d3166f9474f b/e4/98764ead917674ecf7e94f0e0d2d3166f9474f
new file mode 100644
index 000000000..4e4a6e4d3
--- /dev/null
+++ b/e4/98764ead917674ecf7e94f0e0d2d3166f9474f
@@ -0,0 +1,222 @@
+Return-Path:
+X-Original-To: notmuch@notmuchmail.org
+Delivered-To: notmuch@notmuchmail.org
+Received: from localhost (localhost [127.0.0.1])
+ by arlo.cworth.org (Postfix) with ESMTP id 6D20F6DE026C
+ for ; Mon, 8 Aug 2016 16:53:25 -0700 (PDT)
+X-Virus-Scanned: Debian amavisd-new at cworth.org
+X-Spam-Flag: NO
+X-Spam-Score: -0.053
+X-Spam-Level:
+X-Spam-Status: No, score=-0.053 tagged_above=-999 required=5
+ tests=[AWL=-0.053] autolearn=disabled
+Received: from arlo.cworth.org ([127.0.0.1])
+ by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
+ with ESMTP id hC-1n4sNOto7 for ;
+ Mon, 8 Aug 2016 16:53:17 -0700 (PDT)
+Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118])
+ by arlo.cworth.org (Postfix) with ESMTP id 0AE696DE0188
+ for ; Mon, 8 Aug 2016 16:53:17 -0700 (PDT)
+Received: from fifthhorseman.net (unknown [38.109.115.130])
+ by che.mayfirst.org (Postfix) with ESMTPSA id 0D7A4F98B
+ for ; Mon, 8 Aug 2016 19:53:15 -0400 (EDT)
+Received: by fifthhorseman.net (Postfix, from userid 1000)
+ id 2712D201E2; Mon, 8 Aug 2016 19:35:17 -0400 (EDT)
+From: Daniel Kahn Gillmor
+To: Notmuch Mail
+Subject: [PATCH v2] Omit User-Agent: header by default
+Date: Mon, 8 Aug 2016 19:35:17 -0400
+Message-Id: <1470699317-30598-1-git-send-email-dkg@fifthhorseman.net>
+X-Mailer: git-send-email 2.8.1
+In-Reply-To: <874m6uvpe0.fsf@maritornes.cs.unb.ca>
+References: <874m6uvpe0.fsf@maritornes.cs.unb.ca>
+X-BeenThere: notmuch@notmuchmail.org
+X-Mailman-Version: 2.1.20
+Precedence: list
+List-Id: "Use and development of the notmuch mail system."
+
+List-Unsubscribe: ,
+
+List-Archive:
+List-Post:
+List-Help:
+List-Subscribe: ,
+
+X-List-Received-Date: Mon, 08 Aug 2016 23:53:25 -0000
+
+The User-Agent: header can be fun and interesting, but it also leaks
+quite a bit of information about the user and their software stack.
+
+This represents a potential security risk (attackers can target the
+particular stack) and also an anonymity risk (a user trying to
+preserve their anonymity by sending mail from a non-associated account
+might reveal quite a lot of information if their choice of mail user
+agent is exposed).
+
+This change also avoids hiding the User-Agent header by default, so
+that people who decide they want to send it will at least see it (and
+can edit it if they want to) before sending.
+
+It makes sense to have safer defaults.
+---
+ emacs/notmuch-mua.el | 4 ++--
+ test/T310-emacs.sh | 16 ----------------
+ 2 files changed, 2 insertions(+), 18 deletions(-)
+
+diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
+index 1ca8056..f3a4e5a 100644
+--- a/emacs/notmuch-mua.el
++++ b/emacs/notmuch-mua.el
+@@ -62,7 +62,7 @@ disabled: this would result in an incorrect behavior."))
+ (const :tag "Compose mail in a new window" new-window)
+ (const :tag "Compose mail in a new frame" new-frame)))
+
+-(defcustom notmuch-mua-user-agent-function 'notmuch-mua-user-agent-full
++(defcustom notmuch-mua-user-agent-function nil
+ "Function used to generate a `User-Agent:' string. If this is
+ `nil' then no `User-Agent:' will be generated."
+ :type '(choice (const :tag "No user agent string" nil)
+@@ -73,7 +73,7 @@ disabled: this would result in an incorrect behavior."))
+ :value notmuch-mua-user-agent-full))
+ :group 'notmuch-send)
+
+-(defcustom notmuch-mua-hidden-headers '("^User-Agent:")
++(defcustom notmuch-mua-hidden-headers nil
+ "Headers that are added to the `message-mode' hidden headers
+ list."
+ :type '(repeat string)
+diff --git a/test/T310-emacs.sh b/test/T310-emacs.sh
+index 65c1728..202fc3b 100755
+--- a/test/T310-emacs.sh
++++ b/test/T310-emacs.sh
+@@ -193,7 +193,6 @@ emacs_deliver_message \
+ (kill-whole-line)
+ (insert "To: user@example.com\n")'
+ sed \
+- -e s',^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' \
+ -e s',^Message-ID: <.*>$,Message-ID: ,' \
+ -e s',^\(Content-Type: text/plain\); charset=us-ascii$,\1,' < sent_message >OUTPUT
+ cat <EXPECTED
+@@ -201,7 +200,6 @@ From: Notmuch Test Suite
+ To: user@example.com
+ Subject: Testing message sent via SMTP
+ Date: 01 Jan 2000 12:00:00 -0000
+-User-Agent: Notmuch/XXX Emacs/XXX
+ Message-ID:
+ MIME-Version: 1.0
+ Content-Type: text/plain
+@@ -310,7 +308,6 @@ test_emacs '(let ((message-hidden-headers ''()))
+ (test-output))'
+ sed -i -e 's/^In-Reply-To: <.*>$/In-Reply-To: /' OUTPUT
+ sed -i -e 's/^References: <.*>$/References: /' OUTPUT
+-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
+ cat <EXPECTED
+ From: Notmuch Test Suite
+ To: user@example.com
+@@ -318,7 +315,6 @@ Subject: Re: Testing message sent via SMTP
+ In-Reply-To:
+ Fcc: ${MAIL_DIR}/sent
+ References:
+-User-Agent: Notmuch/XXX Emacs/XXX
+ --text follows this line--
+ Notmuch Test Suite writes:
+
+@@ -335,7 +331,6 @@ test_emacs "(let ((message-hidden-headers '()))
+ (notmuch-test-wait)
+ (notmuch-search-reply-to-thread)
+ (test-output))"
+-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
+ cat <EXPECTED
+ From: Notmuch Test Suite
+ To: Sender
+@@ -343,7 +338,6 @@ Subject: Re: ${test_subtest_name}
+ In-Reply-To: <${gen_msg_id}>
+ Fcc: ${MAIL_DIR}/sent
+ References: <${gen_msg_id}>
+-User-Agent: Notmuch/XXX Emacs/XXX
+ --text follows this line--
+ Sender writes:
+
+@@ -361,7 +355,6 @@ test_emacs "(let ((message-hidden-headers '()))
+ (notmuch-test-wait)
+ (notmuch-search-reply-to-thread)
+ (test-output))"
+-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
+ cat <EXPECTED
+ From: Notmuch Test Suite
+ To: Sender , someone@example.com
+@@ -369,7 +362,6 @@ Subject: Re: ${test_subtest_name}
+ In-Reply-To: <${gen_msg_id}>
+ Fcc: ${MAIL_DIR}/sent
+ References: <${gen_msg_id}>
+-User-Agent: Notmuch/XXX Emacs/XXX
+ --text follows this line--
+ Sender writes:
+
+@@ -382,7 +374,6 @@ test_emacs '(let ((message-hidden-headers ''()))
+ (notmuch-show "id:20091118002059.067214ed@hikari")
+ (notmuch-show-reply)
+ (test-output))'
+-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
+ cat <EXPECTED
+ From: Notmuch Test Suite
+ To: Adrian Perez de Castro , notmuch@notmuchmail.org
+@@ -390,7 +381,6 @@ Subject: Re: [notmuch] Introducing myself
+ In-Reply-To: <20091118002059.067214ed@hikari>
+ Fcc: ${MAIL_DIR}/sent
+ References: <20091118002059.067214ed@hikari>
+-User-Agent: Notmuch/XXX Emacs/XXX
+ --text follows this line--
+ Adrian Perez de Castro writes:
+
+@@ -447,7 +437,6 @@ test_emacs '(let ((message-hidden-headers ''()))
+ (notmuch-show "id:cf0c4d610911171136h1713aa59w9cf9aa31f052ad0a@mail.gmail.com")
+ (notmuch-show-reply)
+ (test-output))'
+-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
+ cat <EXPECTED
+ From: Notmuch Test Suite
+ To: Alex Botero-Lowry , notmuch@notmuchmail.org
+@@ -455,7 +444,6 @@ Subject: Re: [notmuch] preliminary FreeBSD support
+ In-Reply-To:
+ Fcc: ${MAIL_DIR}/sent
+ References:
+-User-Agent: Notmuch/XXX Emacs/XXX
+ --text follows this line--
+ Alex Botero-Lowry writes:
+
+@@ -521,7 +509,6 @@ test_emacs "(let ((message-hidden-headers '()))
+ (notmuch-show \"id:${gen_msg_id}\")
+ (notmuch-show-reply)
+ (test-output))"
+-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
+ cat <EXPECTED
+ From: Notmuch Test Suite
+ To:
+@@ -529,7 +516,6 @@ Subject: Re: Reply within emacs to an html-only message
+ In-Reply-To: <${gen_msg_id}>
+ Fcc: ${MAIL_DIR}/sent
+ References: <${gen_msg_id}>
+-User-Agent: Notmuch/XXX Emacs/XXX
+ --text follows this line--
+ Notmuch Test Suite writes:
+
+@@ -546,7 +532,6 @@ test_emacs "(let ((message-hidden-headers '()))
+ (notmuch-show \"id:$message_id\")
+ (notmuch-show-reply)
+ (test-output))"
+-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
+ cat <EXPECTED
+ From: Notmuch Test Suite
+ To:
+@@ -554,7 +539,6 @@ Subject: Re: Quote MML tags in reply
+ In-Reply-To:
+ Fcc: ${MAIL_DIR}/sent
+ References:
+-User-Agent: Notmuch/XXX Emacs/XXX
+ --text follows this line--
+ Notmuch Test Suite writes:
+
+--
+2.8.1
+
--
2.26.2
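Review bot: The quoted test/T310-emacs.sh hunks delete every `User-Agent: Notmuch/XXX Emacs/XXX` expectation, so nothing in the visible tests still exercises the opt-in path where `notmuch-mua-user-agent-function` is set to a generator. The new nil default is pinned only indirectly, through the exact-match EXPECTED blocks. I would keep one subtest that wraps a compose or reply in `(let ((notmuch-mua-user-agent-function 'notmuch-mua-user-agent-full)) ...)`, retains the sed normalisation for it, and asserts that the header is both generated and shown in the compose buffer now that `notmuch-mua-hidden-headers` defaults to nil. The `notmuch-mua-user-agent-function` docstring could also state that nil is the default because the header discloses the sender's software stack; both defcustom forms continue outside the quoted hunks, so their full docstrings are not visible here.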