unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
* bug#47616: 27.1; hardening mail-envelope-from
@ 2021-04-06 12:42 Francesco Potortì
  2021-04-07 15:05 ` Francesco Potortì
  0 siblings, 1 reply; 2+ messages in thread
From: Francesco Potortì @ 2021-04-06 12:42 UTC (permalink / raw)
  To: 47616

in mail-utils.el the function mail-fetch-field thus notes in the doc
string:

  The buffer should be narrowed to just the header, else false
  matches may be returned from the message body.

In fact, both sendmail-send-it and smtp-send-it use mail-envelope-from,
which calls mail-fetch-field without narrowing, which in fact causes a
false match if:

- you forward a message with "From: " at begining of line
- message-forward-as-mime is nil
- mail-specify-envelope-from is t
- mail-envelope-from is 'header

In this case, both sendmail-send-it and smptmail-send-it try to see if
they should set the From: field and the sender, and both get a false
match from mail-envelope-from.

Apparently, the problem with sendmail-send-it is corrected later in the
code (I don't know where) so the mail is sent correctly, which is why I
had never realised this until I started using smtpmail-send-it, which
sets a wrong From: header copied from the forwarded message.

Hardening mail-envelope-from from sendmail.el by narrowing to the
headers, as the doc says, corrects the problem that I observed.

(defun mail-envelope-from ()
  "Return the envelope mail address to use when sending mail.
This function uses `mail-envelope-from'."
  (or (if (eq mail-envelope-from 'header)
	  (nth 1 (mail-extract-address-components
		  (save-restriction
		    (save-excursion
		      (goto-char (point-max))
		      (re-search-backward
		       (concat "^" (regexp-quote mail-header-separator) "\n")
		       nil t)
		      (narrow-to-region (point-min) (point))
		      (mail-fetch-field "From")))))
	mail-envelope-from)
      user-mail-address))

This introduces a small semantic change for the meaning of the
mail-envelope-from variable.  Currently, the docs says:

If non-nil, designate the envelope-from address when sending mail.
This only has an effect if `mail-specify-envelope-from’ is non-nil.
The value should be either a string, or the symbol `header’ (in
which case the contents of the "From" header of the message
being sent is used), or nil (in which case the value of
‘user-mail-address’ is used).

The last two lines should be instead:

...
being sent is used, if one exists).  If the value is nil, or if it is
`header' and no "From" header is found in the message, the value of
‘user-mail-address’ is used.





^ permalink raw reply	[flat|nested] 2+ messages in thread

* bug#47616: 27.1; hardening mail-envelope-from
  2021-04-06 12:42 bug#47616: 27.1; hardening mail-envelope-from Francesco Potortì
@ 2021-04-07 15:05 ` Francesco Potortì
  0 siblings, 0 replies; 2+ messages in thread
From: Francesco Potortì @ 2021-04-07 15:05 UTC (permalink / raw)
  To: 47616

>(defun mail-envelope-from ()
>  "Return the envelope mail address to use when sending mail.
>This function uses `mail-envelope-from'."
>  (or (if (eq mail-envelope-from 'header)
>	  (nth 1 (mail-extract-address-components
>		  (save-restriction
>		    (save-excursion
>		      (goto-char (point-max))
>		      (re-search-backward
>		       (concat "^" (regexp-quote mail-header-separator) "\n")
>		       nil t)
>		      (narrow-to-region (point-min) (point))
>		      (mail-fetch-field "From")))))
>	mail-envelope-from)
>      user-mail-address))

This one is better (I had forgotten about mail-header-end)

(require 'sendmail)
(defun mail-envelope-from ()
  "Return the envelope mail address to use when sending mail.
This function uses `mail-envelope-from'."
  (or (if (eq mail-envelope-from 'header)
	  (let ((from-field (save-restriction
			      (narrow-to-region (point-min) (mail-header-end))
			      (mail-fetch-field "From"))))
	    (when from-field
	      (nth 1 (mail-extract-address-components from-field))))
	mail-envelope-from)
      user-mail-address))





^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-04-07 15:05 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-06 12:42 bug#47616: 27.1; hardening mail-envelope-from Francesco Potortì
2021-04-07 15:05 ` Francesco Potortì

unofficial mirror of bug-gnu-emacs@gnu.org 

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://yhetil.org/emacs-bugs/0 emacs-bugs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 emacs-bugs emacs-bugs/ https://yhetil.org/emacs-bugs \
		bug-gnu-emacs@gnu.org
	public-inbox-index emacs-bugs

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.emacs.bugs
	nntp://news.gmane.io/gmane.emacs.bugs


code repositories for project(s) associated with this inbox:

	https://git.savannah.gnu.org/cgit/emacs.git

AGPL code for this site: git clone http://ou63pmih66umazou.onion/public-inbox.git