MIME-Version: 1.0
In-Reply-To: <87k42momyi.fsf@awakening.csail.mit.edu>
References: <87fwdptbir.fsf@dehydrator.spatula.rdu.redhat.com>
	<1330849538-24558-1-git-send-email-jani@nikula.org>
	<87k42momyi.fsf@awakening.csail.mit.edu>
Date: Thu, 15 Mar 2012 08:33:21 +0200
Message-ID:
 <CAB+hUn8FJ-=CA1JZoYMzH0-E+S9Y75TPqgb1w6YKFuU6=S2Xqw@mail.gmail.com>
Subject: Re: [PATCH] emacs: fix MML quoting in replies
From: Jani Nikula <jani@nikula.org>
To: Austin Clements <amdragon@mit.edu>
Content-Type: multipart/alternative; boundary=e89a8ff2437db686d604bb424428
Cc: notmuch@notmuchmail.org
Precedence: list

--e89a8ff2437db686d604bb424428
Content-Type: text/plain; charset=UTF-8

On Mar 15, 2012 12:08 AM, "Austin Clements" <amdragon@mit.edu> wrote:
>
> On Sun,  4 Mar 2012 10:25:38 +0200, Jani Nikula <jani@nikula.org> wrote:
> > The reply MML quoting added in commit ae438cc unintentionally MML
> > quotes also the signature/encryption MML tags added via
> > message-setup-hook, causing the reply not to be signed/encrypted.
> >
> > MML quote just the original message in the temp buffer before
> > inserting it to the message buffer, to not interfere with message mode
> > hooks or message construction in general.
> >
> > See [1] and [2] for bug reports.
> >
> > Thanks to Tim Bielawa <tbielawa@redhat.com> for testing.
> >
> > [1] id:"87hay78x6l.fsf@wyzanski.jamesvasile.com"
> > [2] id:"1330812262-28272-1-git-send-email-tbielawa@redhat.com".
> >
> > Signed-off-by: Jani Nikula <jani@nikula.org>
> > ---
> >  emacs/notmuch-mua.el |   10 ++++------
> >  1 files changed, 4 insertions(+), 6 deletions(-)
> >
> > diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> > index 4be7c13..13244eb 100644
> > --- a/emacs/notmuch-mua.el
> > +++ b/emacs/notmuch-mua.el
> > @@ -95,6 +95,9 @@ list."
> >             (goto-char (point-min))
> >             (setq headers (mail-header-extract)))))
> >        (forward-line 1)
> > +      ;; Original message may contain (malicious) MML tags. We must
> > +      ;; properly quote them in the reply.
> > +      (mml-quote-region (point) (point-max))
>
> Under what circumstances can the (re-search-forward "^$" nil t) above
> this code fail?  If it does fail, is it possible for the (forward-line 1)
> to move past an adversary-controlled line of text and fail to quote that
> line?

It doesn't matter. The quoting is done between point and point-max, and the
message body to cite is extracted right after quoting using: (setq body
(buffer-substring (point) (point-max)))).

BR,
Jani.

--e89a8ff2437db686d604bb424428
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p><br>
On Mar 15, 2012 12:08 AM, &quot;Austin Clements&quot; &lt;<a href=3D"mailto=
:amdragon@mit.edu">amdragon@mit.edu</a>&gt; wrote:<br>
&gt;<br>
&gt; On Sun, =C2=A04 Mar 2012 10:25:38 +0200, Jani Nikula &lt;<a href=3D"ma=
ilto:jani@nikula.org">jani@nikula.org</a>&gt; wrote:<br>
&gt; &gt; The reply MML quoting added in commit ae438cc unintentionally MML=
<br>
&gt; &gt; quotes also the signature/encryption MML tags added via<br>
&gt; &gt; message-setup-hook, causing the reply not to be signed/encrypted.=
<br>
&gt; &gt;<br>
&gt; &gt; MML quote just the original message in the temp buffer before<br>
&gt; &gt; inserting it to the message buffer, to not interfere with message=
 mode<br>
&gt; &gt; hooks or message construction in general.<br>
&gt; &gt;<br>
&gt; &gt; See [1] and [2] for bug reports.<br>
&gt; &gt;<br>
&gt; &gt; Thanks to Tim Bielawa &lt;<a href=3D"mailto:tbielawa@redhat.com">=
tbielawa@redhat.com</a>&gt; for testing.<br>
&gt; &gt;<br>
&gt; &gt; [1] id:&quot;<a href=3D"mailto:87hay78x6l.fsf@wyzanski.jamesvasil=
e.com">87hay78x6l.fsf@wyzanski.jamesvasile.com</a>&quot;<br>
&gt; &gt; [2] id:&quot;<a href=3D"mailto:1330812262-28272-1-git-send-email-=
tbielawa@redhat.com">1330812262-28272-1-git-send-email-tbielawa@redhat.com<=
/a>&quot;.<br>
&gt; &gt;<br>
&gt; &gt; Signed-off-by: Jani Nikula &lt;<a href=3D"mailto:jani@nikula.org"=
>jani@nikula.org</a>&gt;<br>
&gt; &gt; ---<br>
&gt; &gt; =C2=A0emacs/notmuch-mua.el | =C2=A0 10 ++++------<br>
&gt; &gt; =C2=A01 files changed, 4 insertions(+), 6 deletions(-)<br>
&gt; &gt;<br>
&gt; &gt; diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el<br>
&gt; &gt; index 4be7c13..13244eb 100644<br>
&gt; &gt; --- a/emacs/notmuch-mua.el<br>
&gt; &gt; +++ b/emacs/notmuch-mua.el<br>
&gt; &gt; @@ -95,6 +95,9 @@ list.&quot;<br>
&gt; &gt; =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (goto-char (point-min))=
<br>
&gt; &gt; =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (setq headers (mail-hea=
der-extract)))))<br>
&gt; &gt; =C2=A0 =C2=A0 =C2=A0 =C2=A0(forward-line 1)<br>
&gt; &gt; + =C2=A0 =C2=A0 =C2=A0;; Original message may contain (malicious)=
 MML tags. We must<br>
&gt; &gt; + =C2=A0 =C2=A0 =C2=A0;; properly quote them in the reply.<br>
&gt; &gt; + =C2=A0 =C2=A0 =C2=A0(mml-quote-region (point) (point-max))<br>
&gt;<br>
&gt; Under what circumstances can the (re-search-forward &quot;^$&quot; nil=
 t) above<br>
&gt; this code fail? =C2=A0If it does fail, is it possible for the (forward=
-line 1)<br>
&gt; to move past an adversary-controlled line of text and fail to quote th=
at<br>
&gt; line?</p>
<p>It doesn&#39;t matter. The quoting is done between point and point-max, =
and the message body to cite is extracted right after quoting using: (setq =
body (buffer-substring (point) (point-max)))).</p>
<p>BR,<br>
Jani.<br>
</p>

--e89a8ff2437db686d604bb424428--