Return-Path:
X-Original-To: notmuch@notmuchmail.org
Delivered-To: notmuch@notmuchmail.org
Received: from localhost (localhost [127.0.0.1]) by olra.theworths.org (Postfix) with ESMTP id 1A6C6431FD4 for ; Fri, 3 Feb 2012 02:26:30 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled
Received: from olra.theworths.org ([127.0.0.1]) by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2vCNlTqpRWvo for ; Fri, 3 Feb 2012 02:26:28 -0800 (PST)
Received: from mail-ww0-f45.google.com (mail-ww0-f45.google.com [74.125.82.45]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by olra.theworths.org (Postfix) with ESMTPS id 243A0431FC0 for ; Fri, 3 Feb 2012 02:26:23 -0800 (PST)
Received: by wgbdt12 with SMTP id dt12so3184622wgb.2 for ; Fri, 03 Feb 2012 02:26:22 -0800 (PST)
Received: by 10.216.138.149 with SMTP id a21mr1530906wej.0.1328264782831; Fri, 03 Feb 2012 02:26:22 -0800 (PST)
Received: from localhost ([109.131.13.166]) by mx.google.com with ESMTPS id g6sm10951491wig.9.2012.02.03.02.26.22 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 03 Feb 2012 02:26:22 -0800 (PST)
From: Pieter Praet
To: David Bremner
Subject: [PATCH v6 2/3] emacs: quote MML tags in replies
Date: Fri, 3 Feb 2012 11:24:08 +0100
Message-Id: <1328264649-27346-2-git-send-email-pieter@praet.org>
X-Mailer: git-send-email 1.7.8.1
In-Reply-To: <87r4yc2p3y.fsf@praet.org>
References: <87r4yc2p3y.fsf@praet.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: Notmuch Mail
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Use and development of the notmuch mail system."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 03 Feb 2012 10:26:30 -0000
From: Aaron Ecay

Emacs message-mode uses certain text strings to indicate how to attach files to outgoing mail. If these are present in the text of an email, and a user is tricked into replying to the message, the user's files could be exposed.

Edited-by: Pieter Praet : Rebased to release branch.
---
 NEWS                 | 11 +++++++++++
 emacs/notmuch-mua.el |  7 ++++++-
 test/emacs           |  1 -
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS index 3d2c2a8..a089e67 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,17 @@ Fix error handling in python bindings. exceptions to indicate the error condition. Any subsequent calls into libnotmuch caused segmentation faults. +Quote MML tags in replies + + MML tags are text codes that Emacs uses to indicate attachments + (among other things) in messages being composed. The Emacs + interface did not quote MML tags in the quoted text of a reply. + User could be tricked into replying to a maliciously formatted + message and not editing out the MML tags from the quoted text. This + could lead to files from the user's machine being attached to the + outgoing message. The Emacs interface now quotes these tags in + reply text, so that they do not effect outgoing messages. + Notmuch 0.11 (2012-01-13) ========================= diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el index 7114e48..3e93d7c 100644 --- a/emacs/notmuch-mua.el +++ b/emacs/notmuch-mua.el @@ -111,7 +111,12 @@ list." (insert body)) (set-buffer-modified-p nil) - (message-goto-body)) + (message-goto-body) + ;; Original message may contain (malicious) MML tags. We must + ;; properly quote them in the reply. Note that using `point-max' + ;; instead of `mark' here is wrong. The buffer may include user's + ;; signature which should not be MML-quoted. + (mml-quote-region (point) (point-max))) (defun notmuch-mua-forward-message () (message-forward) diff --git a/test/emacs b/test/emacs index db8e4ad..2d066ed 100755 --- a/test/emacs +++ b/test/emacs 
@@ -274,7 +274,6 @@ EOF test_expect_equal_file OUTPUT EXPECTED test_begin_subtest "Quote MML tags in reply" -test_subtest_known_broken message_id='test-emacs-mml-quoting@message.id' add_message [id]="$message_id" \ "[subject]='$test_subtest_name'" \ -- 1.7.8.1
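Review bot: the NEWS hunk has a wording slip in its last added line: "so that they do not effect outgoing messages" should read "affect", and "User could be tricked" wants an article ("A user could be tricked"). The entry otherwise states the risk precisely (MML tags left in the quoted text of a reply can attach files from the user's machine to the outgoing message), so only the two word fixes are needed before this goes in.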
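Review bot: in the emacs/notmuch-mua.el hunk the new comment and the code disagree. The comment says "using `point-max' instead of `mark' here is wrong" because the buffer may include the user's signature, which "should not be MML-quoted", yet the call that follows is `(mml-quote-region (point) (point-max)))`, which quotes from the start of the body to the end of the buffer, signature included. Either the comment is inverted and should explain why `point-max' is the intended bound, or the end argument should be the position that excludes the signature; please reconcile the two before merging. If the choice is open, note that quoting a signature is at worst cosmetic while an unquoted stretch of reply text is exactly the hole this patch closes, so the wider bound with a corrected comment is the safer resolution.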
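Review bot: dropping `test_subtest_known_broken` from the "Quote MML tags in reply" subtest in the test/emacs hunk is the right companion change, but the assertion itself lies outside this hunk, so please confirm that the subtest's EXPECTED output checks the MML tag in the quoted body comes back in quoted form, and, given the signature concern raised in the code comment of the previous hunk, state whether a reply that carries a signature is exercised by this test or by another one.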