Return-Path: <pieter@praet.org>
X-Original-To: notmuch@notmuchmail.org
Delivered-To: notmuch@notmuchmail.org
Received: from localhost (localhost [127.0.0.1])
    by olra.theworths.org (Postfix) with ESMTP id 1A6C6431FD4
    for <notmuch@notmuchmail.org>; Fri, 3 Feb 2012 02:26:30 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5
    tests=[RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled
Received: from olra.theworths.org ([127.0.0.1])
    by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 2vCNlTqpRWvo for <notmuch@notmuchmail.org>;
    Fri, 3 Feb 2012 02:26:28 -0800 (PST)
Received: from mail-ww0-f45.google.com (mail-ww0-f45.google.com
    [74.125.82.45]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client
    certificate requested) by olra.theworths.org (Postfix) with ESMTPS id
    243A0431FC0 for <notmuch@notmuchmail.org>; Fri, 3 Feb 2012 02:26:23 -0800
Received: by wgbdt12 with SMTP id dt12so3184622wgb.2
    for <notmuch@notmuchmail.org>; Fri, 03 Feb 2012 02:26:22 -0800 (PST)
Received: by 10.216.138.149 with SMTP id a21mr1530906wej.0.1328264782831;
    Fri, 03 Feb 2012 02:26:22 -0800 (PST)
Received: from localhost ([109.131.13.166])
    by mx.google.com with ESMTPS id g6sm10951491wig.9.2012.02.03.02.26.22
    (version=TLSv1/SSLv3 cipher=OTHER);
    Fri, 03 Feb 2012 02:26:22 -0800 (PST)
From: Pieter Praet <pieter@praet.org>
To: David Bremner <david@tethera.net>
Subject: [PATCH v6 2/3] emacs: quote MML tags in replies
Date: Fri, 3 Feb 2012 11:24:08 +0100
Message-Id: <1328264649-27346-2-git-send-email-pieter@praet.org>
X-Mailer: git-send-email 1.7.8.1
In-Reply-To: <87r4yc2p3y.fsf@praet.org>
References: <87r4yc2p3y.fsf@praet.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: Notmuch Mail <notmuch@notmuchmail.org>
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
List-Id: "Use and development of the notmuch mail system."
    <notmuch.notmuchmail.org>
List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
    <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
    <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Feb 2012 10:26:30 -0000

From: Aaron Ecay <aaronecay@gmail.com>

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail. If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files

Edited-by: Pieter Praet <pieter@praet.org>: Rebased to release branch.

 NEWS                 | 11 +++++++++++
 emacs/notmuch-mua.el |  7 ++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)

70 diff --git a/NEWS b/NEWS
\r
71 index 3d2c2a8..a089e67 100644
\r
74 @@ -11,6 +11,17 @@ Fix error handling in python bindings.
\r
75 exceptions to indicate the error condition. Any subsequent calls
\r
76 into libnotmuch caused segmentation faults.
\r
78 +Quote MML tags in replies
\r
80 + MML tags are text codes that Emacs uses to indicate attachments
\r
81 + (among other things) in messages being composed. The Emacs
\r
82 + interface did not quote MML tags in the quoted text of a reply.
\r
83 + User could be tricked into replying to a maliciously formatted
\r
84 + message and not editing out the MML tags from the quoted text. This
\r
85 + could lead to files from the user's machine being attached to the
\r
86 + outgoing message. The Emacs interface now quotes these tags in
\r
87 + reply text, so that they do not effect outgoing messages.
\r
90 Notmuch 0.11 (2012-01-13)
\r
91 =========================
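Review bot: two wording slips in the added NEWS entry. "User could be tricked" needs an article or a plural ("Users could be tricked"), and "so that they do not effect outgoing messages" should read "affect". Since this entry is the user-facing description of a security fix, it is worth getting the wording right before it lands on the release branch.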
\r
92 diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
\r
93 index 7114e48..3e93d7c 100644
\r
94 --- a/emacs/notmuch-mua.el
\r
95 +++ b/emacs/notmuch-mua.el
\r
96 @@ -111,7 +111,12 @@ list."
\r
98 (set-buffer-modified-p nil)
\r
100 - (message-goto-body))
\r
101 + (message-goto-body)
\r
102 + ;; Original message may contain (malicious) MML tags. We must
\r
103 + ;; properly quote them in the reply. Note that using `point-max'
\r
104 + ;; instead of `mark' here is wrong. The buffer may include user's
\r
105 + ;; signature which should not be MML-quoted.
\r
106 + (mml-quote-region (point) (point-max)))
\r
108 (defun notmuch-mua-forward-message ()
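Review bot: the new comment and the new call disagree in the lines added after `(message-goto-body)`. The comment says that using `point-max' instead of `mark' is wrong because the buffer may include the user's signature, yet the call is `(mml-quote-region (point) (point-max))`. Either pass the end of the quoted text as the region end, or reword the comment as a known limitation (a FIXME, say) so a later reader does not take it for a description of what the code does. As written, by the comment's own reasoning, a signature already present in the reply buffer is MML-quoted along with the quoted text.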
\r
110 diff --git a/test/emacs b/test/emacs
\r
111 index db8e4ad..2d066ed 100755
\r
114 @@ -274,7 +274,6 @@ EOF
\r
115 test_expect_equal_file OUTPUT EXPECTED
\r
117 test_begin_subtest "Quote MML tags in reply"
\r
118 -test_subtest_known_broken
\r
119 message_id='test-emacs-mml-quoting@message.id'
\r
120 add_message [id]="$message_id" \
\r
121 "[subject]='$test_subtest_name'" \
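Review bot: with `test_subtest_known_broken` dropped, the "Quote MML tags in reply" subtest covers the quoted-text case, but nothing visible in this hunk covers the signature case that the notmuch-mua.el comment calls out. Suggest a second subtest for a reply buffer that already contains a signature, marked `test_subtest_known_broken` for as long as the quoted region ends at `point-max`, so the limitation is tracked by the suite and not only by a code comment.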
\r