Return-Path: <aaronecay@gmail.com>
X-Original-To: notmuch@notmuchmail.org
Delivered-To: notmuch@notmuchmail.org
Received: from localhost (localhost [127.0.0.1])
    by olra.theworths.org (Postfix) with ESMTP id 8FA5E429E36
    for <notmuch@notmuchmail.org>; Sat, 28 Jan 2012 22:07:34 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled
Received: from olra.theworths.org ([127.0.0.1])
    by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id XMrl3J+hTthN for <notmuch@notmuchmail.org>;
    Sat, 28 Jan 2012 22:07:33 -0800 (PST)
Received: from mail-qw0-f46.google.com (mail-qw0-f46.google.com
    [209.85.216.46]) (using TLSv1 with cipher RC4-SHA (128/128 bits))
    (No client certificate requested)
    by olra.theworths.org (Postfix) with ESMTPS id 9C34F429E31
    for <notmuch@notmuchmail.org>; Sat, 28 Jan 2012 22:07:33 -0800 (PST)
Received: by qadc10 with SMTP id c10so1950750qad.5
    for <notmuch@notmuchmail.org>; Sat, 28 Jan 2012 22:07:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
    h=from:to:subject:date:message-id:x-mailer:in-reply-to:references
    :mime-version:content-type:content-transfer-encoding;
    bh=1LHl+nDk6Tk9/5HYWAaNSUExatoSMxytak5m0/ZG2mw=;
    b=bhgX0fdu4jjHSn7gSFiJ738y0kYF0xQp2uGKHoM+5VuGDli6vHHZKhEU1FNEatjiqT
    X0hUfKz8sLuNLSbpADUEuVTJs7uzbYHZNfqM8foMypE48KekuNSYeTUHt8dseahteZgT
    eRn1dTh08LL5zxdh5dO8inrXfJTrZUqEyud/Y=
Received: by 10.224.10.19 with SMTP id n19mr15517854qan.68.1327817252835;
    Sat, 28 Jan 2012 22:07:32 -0800 (PST)
Received: from localhost.localdomain (c-68-80-94-73.hsd1.pa.comcast.net.
    by mx.google.com with ESMTPS id dm7sm26381298qab.5.2012.01.28.22.07.31
    (version=TLSv1/SSLv3 cipher=OTHER);
    Sat, 28 Jan 2012 22:07:32 -0800 (PST)
From: Aaron Ecay <aaronecay@gmail.com>
To: notmuch@notmuchmail.org
Subject: [PATCH 2/2] emacs: Quote MML tags in replies
Date: Sun, 29 Jan 2012 01:07:08 -0500
Message-Id: <1327817229-18124-2-git-send-email-aaronecay@gmail.com>
X-Mailer: git-send-email 1.7.9
In-Reply-To: <1327817229-18124-1-git-send-email-aaronecay@gmail.com>
References: <20120126191654.GF1940@mit.edu>
    <1327817229-18124-1-git-send-email-aaronecay@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
List-Id: "Use and development of the notmuch mail system."
    <notmuch.notmuchmail.org>
List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
    <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
    <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jan 2012 06:07:34 -0000

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail. If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files

70 NEWS | 18 ++++++++++++++++++
71 emacs/notmuch-mua.el | 3 ++-
73 3 files changed, 20 insertions(+), 2 deletions(-)
75 diff --git a/NEWS b/NEWS
76 index 2acdce5..c8b90c7 100644
79 @@ -56,6 +56,24 @@ Compatibility with GMime 2.6
80 However, a bug in current GMime 2.6 causes notmuch not to report
81 signatures where the signer key is unavailable (GNOME bug 668085).
83 +Notmuch 0.11.1 (2012-xx-xx)
84 +===========================
89 +Quote MML tags in replies
91 + MML tags are text codes that Emacs uses to indicate attachments
92 + (among other things) in messages being composed. The Emacs
93 + interface did not quote MML tags in the quoted text of a reply. If
94 + a user could be tricked into replying to a maliciously formatted
95 + message and not editing out the MML tags from the quoted text, this
96 + could lead to files from the user's machine being attached to the
97 + outgoing message. The Emacs interface now quotes these tags in
98 + reply text, so that they cannot have an effect on the outgoing
101 Notmuch 0.11 (2012-01-13)
102 =========================
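Review bot: The new release header `Notmuch 0.11.1 (2012-xx-xx)` still carries a placeholder date, which has to be filled in before the release is tagged. The entry would also be more useful to people who cannot upgrade at once if it said which releases are affected and repeated the interim workaround it already implies: edit any MML tags out of the quoted text before sending a reply.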
104 diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
105 index 023645e..32c376d 100644
106 --- a/emacs/notmuch-mua.el
107 +++ b/emacs/notmuch-mua.el
108 @@ -116,7 +116,8 @@ list."
110 (set-buffer-modified-p nil)
112 - (message-goto-body))
113 + (message-goto-body)
114 + (mml-quote-region (point) (mark)))
116 (defun notmuch-mua-forward-message ()
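Review bot: The region passed in `(mml-quote-region (point) (mark))` ends at the mark, which relies on code outside this hunk having left the mark at the end of the quoted text. `(mark)` signals an error when the mark is inactive and `mark-even-if-inactive` is nil, and a mark left anywhere short of the end would leave part of the quoted body unquoted, which is exactly the case this fix must not miss. Consider bounding the region explicitly, for example `(mml-quote-region (point) (point-max))`, or recording the end position where the reply text is inserted. The call also runs after `(set-buffer-modified-p nil)`, so a reply in which tags were quoted starts out marked modified; moving the quoting before that line avoids this.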
118 diff --git a/test/emacs b/test/emacs
119 index a57513a..affcca4 100755
122 @@ -274,7 +274,6 @@ EOF
123 test_expect_equal_file OUTPUT EXPECTED
125 test_begin_subtest "Quote MML tags on reply"
126 -test_subtest_known_broken
127 add_message '[from]="1337 h4xor <test@test.com>"' \
128 '[to]="Unsuspecting rube <luser@securityhole.com>"' \
129 '[subject]="hackety hack hack"' \