From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Francesco =?UTF-8?Q?Potort=C3=AC?= Newsgroups: gmane.emacs.bugs Subject: bug#47616: 27.1; hardening mail-envelope-from Date: Tue, 06 Apr 2021 14:42:41 +0200 Organization: The GNU project Message-ID: <87v98z60u4.fsf@tucano.isti.cnr.it> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="37930"; mail-complaints-to="usenet@ciao.gmane.io" To: 47616@debbugs.gnu.org Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Apr 06 14:45:12 2021 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lTl4x-0009j0-Oc for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 06 Apr 2021 14:45:11 +0200 Original-Received: from localhost ([::1]:43776 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lTl4w-0005z1-Oo for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 06 Apr 2021 08:45:10 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:40852) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTl2s-0004Nc-PV for bug-gnu-emacs@gnu.org; Tue, 06 Apr 2021 08:43:02 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:56185) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lTl2s-0005gx-Hs for bug-gnu-emacs@gnu.org; Tue, 06 Apr 2021 08:43:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lTl2s-00047V-F1 for bug-gnu-emacs@gnu.org; Tue, 06 Apr 2021 08:43:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Francesco =?UTF-8?Q?Potort=C3=AC?= Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 06 Apr 2021 12:43:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 47616 X-GNU-PR-Package: emacs X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Original-Received: via spool by submit@debbugs.gnu.org id=B.161771297615824 (code B ref -1); Tue, 06 Apr 2021 12:43:02 +0000 Original-Received: (at submit) by debbugs.gnu.org; 6 Apr 2021 12:42:56 +0000 Original-Received: from localhost ([127.0.0.1]:39498 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTl2m-00047A-7U for submit@debbugs.gnu.org; Tue, 06 Apr 2021 08:42:56 -0400 Original-Received: from lists.gnu.org ([209.51.188.17]:41588) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTl2j-000471-Tc for submit@debbugs.gnu.org; Tue, 06 Apr 2021 08:42:55 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:40830) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTl2j-0004K9-Lr for bug-gnu-emacs@gnu.org; Tue, 06 Apr 2021 08:42:53 -0400 Original-Received: from smtp-clients1.isti.cnr.it ([146.48.28.36]:45836) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTl2g-0005bj-Ep for bug-gnu-emacs@gnu.org; Tue, 06 Apr 2021 08:42:53 -0400 Original-Received: from tucano.isti.cnr.it (tucano.isti.cnr.it [146.48.81.102]) (Authenticated sender: pot) by smtp-clients1.isti.cnr.it (Postfix) with ESMTPSA id 63D67B0820 for ; Tue, 6 Apr 2021 14:42:44 +0200 (CEST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.0 at smtp-out.isti.cnr.it X-fingerprint: 4B02 6187 5C03 D6B1 2E31 7666 09DF 2DC9 BE21 6115 Received-SPF: softfail client-ip=146.48.28.36; envelope-from=pot@gnu.org; helo=smtp-clients1.isti.cnr.it X-Spam_score_int: -11 X-Spam_score: -1.2 X-Spam_bar: - X-Spam_report: (-1.2 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:203626 Archived-At: in mail-utils.el the function mail-fetch-field thus notes in the doc string: The buffer should be narrowed to just the header, else false matches may be returned from the message body. In fact, both sendmail-send-it and smtp-send-it use mail-envelope-from, which calls mail-fetch-field without narrowing, which in fact causes a false match if: - you forward a message with "From: " at begining of line - message-forward-as-mime is nil - mail-specify-envelope-from is t - mail-envelope-from is 'header In this case, both sendmail-send-it and smptmail-send-it try to see if they should set the From: field and the sender, and both get a false match from mail-envelope-from. Apparently, the problem with sendmail-send-it is corrected later in the code (I don't know where) so the mail is sent correctly, which is why I had never realised this until I started using smtpmail-send-it, which sets a wrong From: header copied from the forwarded message. Hardening mail-envelope-from from sendmail.el by narrowing to the headers, as the doc says, corrects the problem that I observed. (defun mail-envelope-from () "Return the envelope mail address to use when sending mail. This function uses `mail-envelope-from'." (or (if (eq mail-envelope-from 'header) (nth 1 (mail-extract-address-components (save-restriction (save-excursion (goto-char (point-max)) (re-search-backward (concat "^" (regexp-quote mail-header-separator) "\n") nil t) (narrow-to-region (point-min) (point)) (mail-fetch-field "From"))))) mail-envelope-from) user-mail-address)) This introduces a small semantic change for the meaning of the mail-envelope-from variable. Currently, the docs says: If non-nil, designate the envelope-from address when sending mail. This only has an effect if `mail-specify-envelope-from’ is non-nil. The value should be either a string, or the symbol `header’ (in which case the contents of the "From" header of the message being sent is used), or nil (in which case the value of ‘user-mail-address’ is used). The last two lines should be instead: ... being sent is used, if one exists). If the value is nil, or if it is `header' and no "From" header is found in the message, the value of ‘user-mail-address’ is used.