From: Austin Clements
To: notmuch@notmuchmail.org
Subject: [PATCH WIP] emacs: Sanitize authors and subjects in search and show
Date: Fri, 11 Oct 2013 09:53:39 -0400
Message-Id: <1381499619-14219-1-git-send-email-amdragon@mit.edu>
X-Mailer: git-send-email 1.8.4.rc3

Authors and subjects can contain embedded, encoded control characters like "\n" and "\t" that mess up display. Transform control characters into spaces everywhere we display them in search and show.
---
This could obviously use some tests, but I thought I'd get it out there to see what people thought or if the behavior should be tweaked.

Of course, I can't guarantee that this is all of the places we display untrusted header text. I'm really not sure how to make that guarantee (suggestions welcome).
emacs/notmuch-lib.el | 6 ++++++ emacs/notmuch-show.el | 7 ++++--- emacs/notmuch.el | 6 ++++-- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/emacs/notmuch-lib.el b/emacs/notmuch-lib.el index 58f3313..6541282 100644 --- a/emacs/notmuch-lib.el +++ b/emacs/notmuch-lib.el @@ -243,6 +243,12 @@ depending on the value of `notmuch-poll-script'." "[No Subject]" subject))) +(defun notmuch-sanitize (str) + "Sanitize control character in STR. + +This includes newlines, tabs, and other funny characters." + (replace-regexp-in-string "[[:cntrl:]\x7f\u2028\u2029]+" " " str)) + (defun notmuch-escape-boolean-term (term) "Escape a boolean term for use in a query. diff --git a/emacs/notmuch-show.el b/emacs/notmuch-show.el index 7325792..fa11d98 100644 --- a/emacs/notmuch-show.el +++ b/emacs/notmuch-show.el @@ -407,7 +407,8 @@ unchanged ADDRESS if parsing fails." message at DEPTH in the current thread." (let ((start (point))) (insert (notmuch-show-spaces-n (* notmuch-show-indent-messages-width depth)) - (notmuch-show-clean-address (plist-get headers :From)) + (notmuch-sanitize + (notmuch-show-clean-address (plist-get headers :From))) " (" date ") (" @@ -417,7 +418,7 @@ message at DEPTH in the current thread." (defun notmuch-show-insert-header (header header-value) "Insert a single header." - (insert header ": " header-value "\n")) + (insert header ": " (notmuch-sanitize header-value) "\n")) (defun notmuch-show-insert-headers (headers) "Insert the headers of the current message." @@ -1154,7 +1155,7 @@ function is used." (jit-lock-register #'notmuch-show-buttonise-links) ;; Set the header line to the subject of the first message. - (setq header-line-format (notmuch-show-strip-re (notmuch-show-get-subject))) + (setq header-line-format (notmuch-sanitize (notmuch-show-strip-re (notmuch-show-get-subject)))) (run-hooks 'notmuch-show-hook)))) diff --git a/emacs/notmuch.el b/emacs/notmuch.el index c47c6b5..44cd2fd 100644 --- a/emacs/notmuch.el +++ b/emacs/notmuch.el 
@@ -791,11 +791,13 @@ non-authors is found, assume that all of the authors match." (plist-get result :total))) 'face 'notmuch-search-count))) ((string-equal field "subject") - (insert (propertize (format format-string (plist-get result :subject)) + (insert (propertize (format format-string + (notmuch-sanitize (plist-get result :subject))) 'face 'notmuch-search-subject))) ((string-equal field "authors") - (notmuch-search-insert-authors format-string (plist-get result :authors))) + (notmuch-search-insert-authors + format-string (notmuch-sanitize (plist-get result :authors)))) ((string-equal field "tags") (let ((tags (plist-get result :tags))) -- 1.8.4.rc3
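Review bot: In the notmuch-lib.el hunk, `[:cntrl:]` in an Emacs regexp matches only character codes 0-31, so the new `notmuch-sanitize` class `[[:cntrl:]\x7f\u2028\u2029]+` still lets the C1 control range U+0080-U+009F through; extending it to `"[[:cntrl:]\x7f\u0080-\u009f\u2028\u2029]+"` would close that gap. Two smaller points on the same hunk: the docstring should read "Sanitize control characters in STR" (plural) and should say that a run of controls collapses to a single space, since the trailing `+` does that; and because the cover letter asks for tests, an assertion such as `(should (equal (notmuch-sanitize "a\t\nb") "a b"))` would pin down both the replacement and the collapsing.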
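Review bot: In the first notmuch-show.el hunk the From address is now wrapped in `notmuch-sanitize`, but `date` in the same `insert` call is still emitted untouched: `" (" date ") ("`. If that string is taken from the message's Date header it is just as much untrusted header text as From, so for consistency with the commit message's goal it should get the same wrapping, e.g. `" (" (notmuch-sanitize date) ") ("`.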
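Review bot: The third notmuch-show.el hunk (`header-line-format`) produces a line well past 80 columns while the other hunks in this patch break the wrapped call across lines; this one should match, e.g. `(setq header-line-format` / `(notmuch-sanitize (notmuch-show-strip-re` / `(notmuch-show-get-subject))))`. Separately, consider applying `notmuch-sanitize` before `notmuch-show-strip-re` rather than after, so that the Re:-stripping regexp sees a single-line subject instead of one that may still contain a newline ahead of the prefix.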