From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Max Nikulin Newsgroups: gmane.emacs.bugs Subject: bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links Date: Wed, 15 Jun 2022 23:14:51 +0700 Message-ID: <2583526c-c087-f58a-09cd-6faaf58fa724@gmail.com> References: <87tu8ozqev.fsf@gmail.com> <83pmjctter.fsf@gnu.org> <87zgifyzur.fsf@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="23507"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Cc: larsi@gnus.org, Eli Zaretskii , 55926@debbugs.gnu.org, ignaciocasso@hotmail.com To: Robert Pluim Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Wed Jun 15 18:43:13 2022 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1o1W6r-0005zk-6d for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 15 Jun 2022 18:43:13 +0200 Original-Received: from localhost ([::1]:41990 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1o1W6q-0007Zy-62 for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 15 Jun 2022 12:43:12 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:49988) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1o1VgY-0005MX-8u for bug-gnu-emacs@gnu.org; Wed, 15 Jun 2022 12:16:02 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:45762) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1o1VgX-0008BG-UW for bug-gnu-emacs@gnu.org; Wed, 15 Jun 2022 12:16:01 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1o1VgX-0006P6-QD for bug-gnu-emacs@gnu.org; Wed, 15 Jun 2022 12:16:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Max Nikulin Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 15 Jun 2022 16:16:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 55926 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: moreinfo Original-Received: via spool by 55926-submit@debbugs.gnu.org id=B55926.165530970224502 (code B ref 55926); Wed, 15 Jun 2022 16:16:01 +0000 Original-Received: (at 55926) by debbugs.gnu.org; 15 Jun 2022 16:15:02 +0000 Original-Received: from localhost ([127.0.0.1]:39657 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1Vfa-0006Mz-0M for submit@debbugs.gnu.org; Wed, 15 Jun 2022 12:15:02 -0400 Original-Received: from mail-lf1-f54.google.com ([209.85.167.54]:41631) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o1VfX-0006MZ-SJ for 55926@debbugs.gnu.org; Wed, 15 Jun 2022 12:15:01 -0400 Original-Received: by mail-lf1-f54.google.com with SMTP id 20so19665663lfz.8 for <55926@debbugs.gnu.org>; Wed, 15 Jun 2022 09:14:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=X5KKH8g2yOw1uHUf9qVGUp9p8YN9rtc2UCHS9yaAqm8=; b=AIas4c9/bCnZkaSxq5Le/O7GCZUU1zqKThUKoxzB3QwtNWK4QWjKz1dkzTfRiJha9D 7vfb+JDfYRm0cf/JJaHxxDgJdyguIaxC3v79ab+CjBJJ71TWvW4afB8hsBc0ydDiv/il uzYc/GtYzibgTzGydkasueKV1T4NzFyYXOap6PGwX1unWTtP0/CffTkdMlDiLJ2Yv+rY P0s6fZknbQwOGsTHdd7ljuV4yduxy8stily/kxbPjb8I1LEsIRsX1bIM2MtP3XgMD7an 63PPIfQW+h0UA5lGNWrrpFTOl1cysdXdBvQTEU5ED4OIFgPfW6EeJayah87Drh0EBeQU eBig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:message-id:date:mime-version:user-agent :subject:content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=X5KKH8g2yOw1uHUf9qVGUp9p8YN9rtc2UCHS9yaAqm8=; b=46osx13JxyGv02vWejwerCCZclE3at4SDBOTEFDGTZA6rit8dUSkUI2JxSPUP7fJ5g zYdpR4vu4NDqZzVxf9rEFoE2WTMGdH8FJfff3/CHU7ENKm99Gb+EN5MKi+AVi04rhVoa wn61PfgAEL2wpZfKJ07RZevPEjgIseFVo1DryoOxolTF6lftLa6t1tkqprHUfSwzQMXK XYikVKFKboN4M1ch0RAuEjoCzZHhmba3/rrShDz2rAVlWlu0Z+Z9ONIvqmW5+B3rUzSh Z9Z0mo6iEJllTZ+0XJ0wIeKUzEaYMhF2BODZTePsMT9uw+Xt1kBa+XdZPf1p+Yp8gi7Q ycog== X-Gm-Message-State: AJIora+0iL6Nf07WDlsiRS4X4mF3OQjpfKTzl39H+WJ9D2z1k6pb6sYM aqurt3QEGL4kXemwOLJvx+Y= X-Google-Smtp-Source: AGRyM1tMliji+ekIq6D+eN+fVY/j8+LacsNtLa3AcpW9oq01kWlO8X6LYbq/rut1lpnrSB4SeGLMJg== X-Received: by 2002:ac2:44ce:0:b0:47d:ace7:f43e with SMTP id d14-20020ac244ce000000b0047dace7f43emr169368lfm.158.1655309693626; Wed, 15 Jun 2022 09:14:53 -0700 (PDT) Original-Received: from [192.168.0.101] (nat-0-0.nsk.sibset.net. [5.44.169.188]) by smtp.googlemail.com with ESMTPSA id j26-20020a19f51a000000b0047255d21166sm1844128lfb.149.2022.06.15.09.14.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 15 Jun 2022 09:14:53 -0700 (PDT) Content-Language: en-US In-Reply-To: <87zgifyzur.fsf@gmail.com> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:234592 Archived-At: On 14/06/2022 23:27, Robert Pluim wrote: >>>>>> On Tue, 14 Jun 2022 23:11:45 +0700, Max Nikulin said: > > Max> Unsure if it is possible to do something really weird through a > Max> specially crafted mailto: link (by adding some special headers), but > Max> it looks like it is possible to add something that sender may not like > Max> to see in its message. So it is better to sanitize input link > Max> parameters that are used to generate headers. > > Iʼm not aware of any code in Emacs that calls `eval' or similar on > parameters passed to `browse-url' or `message-mailto', but you never > know. Donʼt use Emacs to connect to your bank's website :-) Actually I did not thought about eval as elisp. I do not like shell command in emacsclient-mail.desktop, but this time I wrote about adding something suspicious to email messages. However there no way to protect against honeypots as Cc aimed to put sender into spammer blocking lists. > I think Lars' changes here are enough. I thank Lars for the fix. There is e.g. References header for the same purpose of proper threading, but it may contain list of Message-IDs and there is no example of improper format at some site. I expected something more general e.g. similar to file local variables that may be safe or not and sanitizer map for particular headers. It may be postponed till next bug report.