unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
@ 2022-06-12 11:44 Ignacio Casso
  2022-06-13 12:34 ` Lars Ingebrigtsen
  2022-06-13 12:41 ` Robert Pluim
  0 siblings, 2 replies; 11+ messages in thread
From: Ignacio Casso @ 2022-06-12 11:44 UTC (permalink / raw)
  To: 55926; +Cc: manikulin, larsi

Hello,

I've recently replied to an email in an org mail list thread using the
"Reply To" button in lists.gnu.org/archive/..., and a reader (Max, in
CC) brought to my attention that the thread was broken in Thunderbird
and that it was because the In-Reply-To field was not normalized and had
not angle brackets around the message id.

He suggested me to report it as a mu4e bug, but mu4e is built in top of
message.el, and after disabling mu4e and trying the same with message.el
I got the same result, so I guess it's actually an Emacs bug.

I saw that Lars was the author of message.el so I added him in CC too.

Sorry if my report is not clear enough, or if the bug is actually in the
website reply button, I don't really know much about email technical
details.

To reproduce the bug, you can follow these steps:

1) configure Emacs to open mail links (I don't
remember the exact steps to do so now, but I can check it out),

2) visit
https://lists.gnu.org/archive/html/emacs-orgmode/2022-06/msg00226.html
with your browser

3) Click the button that says "reply via email to Ignacio Casso" at the
end of the message.

4) In the email compose buffer, the In-Reply-To field will look like
this:

In-Reply-To: 
DB6PR0601MB208724FE4A1EB6D98A176F03C6A99@DB6PR0601MB2087.eurprd06.prod.outlook.com

but it should look like this:

In-Reply-To: 
<DB6PR0601MB208724FE4A1EB6D98A176F03C6A99@DB6PR0601MB2087.eurprd06.prod.outlook.com>


Best regards,

Ignacio






^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-12 11:44 bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links Ignacio Casso
@ 2022-06-13 12:34 ` Lars Ingebrigtsen
  2022-06-13 13:02   ` Ignacio Casso
  2022-06-13 12:41 ` Robert Pluim
  1 sibling, 1 reply; 11+ messages in thread
From: Lars Ingebrigtsen @ 2022-06-13 12:34 UTC (permalink / raw)
  To: Ignacio Casso; +Cc: manikulin, 55926

Ignacio Casso <ignaciocasso@hotmail.com> writes:

> 1) configure Emacs to open mail links (I don't
> remember the exact steps to do so now, but I can check it out),

Yes, that would be helpful to allow reproducing the problem.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-12 11:44 bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links Ignacio Casso
  2022-06-13 12:34 ` Lars Ingebrigtsen
@ 2022-06-13 12:41 ` Robert Pluim
  2022-06-13 13:17   ` Ignacio Casso
  2022-06-13 16:14   ` Max Nikulin
  1 sibling, 2 replies; 11+ messages in thread
From: Robert Pluim @ 2022-06-13 12:41 UTC (permalink / raw)
  To: Ignacio Casso; +Cc: manikulin, 55926, larsi

>>>>> On Sun, 12 Jun 2022 13:44:31 +0200, Ignacio Casso <ignaciocasso@hotmail.com> said:


    Ignacio> Sorry if my report is not clear enough, or if the bug is actually in the
    Ignacio> website reply button, I don't really know much about email technical
    Ignacio> details.

I took a look at `message-mailto', and it pretty much just inserts
what's been passwed to it, so I suspect itʼs an issue with the website
reply button. One way to check is to put a call to `message' in
`message-mailto' just after the call to `interactive' to log exactly
what's being sent to emacs.

Something like

(message "message-mailto received '%s'" url)

and then take a look in "*Messages*"

Thanks

Robert
-- 





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-13 12:34 ` Lars Ingebrigtsen
@ 2022-06-13 13:02   ` Ignacio Casso
  2022-06-13 14:47     ` Lars Ingebrigtsen
  0 siblings, 1 reply; 11+ messages in thread
From: Ignacio Casso @ 2022-06-13 13:02 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: manikulin, 55926


Lars Ingebrigtsen <larsi@gnus.org> writes:

> Ignacio Casso <ignaciocasso@hotmail.com> writes:
>
>> 1) configure Emacs to open mail links (I don't
>> remember the exact steps to do so now, but I can check it out),
>
> Yes, that would be helpful to allow reproducing the problem.

Sorry, I assumed that there was one standard way to do it and that many
of you would already use Emacs for mail. But now that I see it I may not
be doing it the usual way. My default mail client is still Thunderbird,
but I have configured Firefox to use Emacs to open mailto links. To do
so, I have set the default application for mailto, in Settings -> General
-> Applications, to the following script:

  #!/bin/bash

  # Choose this script as default application for opening mailto links
  # (e.g., in firefox)

  emacsclient -c -e "(progn
      (select-frame-set-input-focus (selected-frame))
      (let ((mu4e-compose-context-policy 'pick-first)) (browse-url \"$@\")))"


I have checked the url that is passed to that script for the example in
my bug report, and it's the following:

"mailto:ignaciocasso@hotmail.com?In-Reply-To=DB6PR0601MB208724FE4A1EB6D98A176F03C6A99%40DB6PR0601MB2087.eurprd06.prod.outlook.com&Subject=Re%3A%20%5BBUG%5D%20org-capture%20autoload%20bug%3F%20%5B9.5.2%20%289.5.2-gfbff08%20%40%20/home/ignacio/.emacs.d/elpa/org-9.5.2/%29%5D"

I have also checked the docstring of `browse-url', and it uses the
function specified by the variable `browse-url-mailto-function' to open
mailto links, whose default value, at leas in my Emacs, is
`browse-url-mail'.

So the bug, if it's indeed a bug, would be that `browse-url-mail' does
not normalize the In-Reply-To field by adding angle brackets around.

Regards,

Ignacio





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-13 12:41 ` Robert Pluim
@ 2022-06-13 13:17   ` Ignacio Casso
  2022-06-13 16:14   ` Max Nikulin
  1 sibling, 0 replies; 11+ messages in thread
From: Ignacio Casso @ 2022-06-13 13:17 UTC (permalink / raw)
  To: Robert Pluim; +Cc: manikulin, 55926, larsi

> One way to check is to put a call to `message' in `message-mailto'
> just after the call to `interactive' to log exactly what's being sent
> to emacs.
>
> Something like
>
> (message "message-mailto received '%s'" url)
>
> and then take a look in "*Messages*"

I've advised `message-mailto' with a message as the one you suggested,
but it seems that function is not being called. What is being called is
`browse-url' -> `browse-url-mail' -> `compose-mail' -> `message-mail',
already defined in message.el. By that time some fields, like "from" and "to",
have already been extracted from the URL, but the In-Reply-To field is
still in the OTHER-HEADERS argument, pending to be parsed.

> I took a look at `message-mailto', and it pretty much just inserts
> what's been passwed to it, so I suspect itʼs an issue with the website
> reply button.

So yes, it probably just inserts what's been passed to it, and if it's
the reply button the one that should ensure that the In-Reply-To field
is normalized, then the bug is in that side. Still, maybe message.el
could ensure that it's normalized anyway just in case?

Regards,

Ignacio





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-13 13:02   ` Ignacio Casso
@ 2022-06-13 14:47     ` Lars Ingebrigtsen
  0 siblings, 0 replies; 11+ messages in thread
From: Lars Ingebrigtsen @ 2022-06-13 14:47 UTC (permalink / raw)
  To: Ignacio Casso; +Cc: manikulin, 55926

Ignacio Casso <ignaciocasso@hotmail.com> writes:

>       (let ((mu4e-compose-context-policy 'pick-first)) (browse-url \"$@\")))"
>
> I have checked the url that is passed to that script for the example in
> my bug report, and it's the following:
>
> "mailto:ignaciocasso@hotmail.com?In-Reply-To=DB6PR0601MB208724FE4A1EB6D98A176F03C6A99%40DB6PR0601MB2087.eurprd06.prod.outlook.com&Subject=Re%3A%20%5BBUG%5D%20org-capture%20autoload%20bug%3F%20%5B9.5.2%20%289.5.2-gfbff08%20%40%20/home/ignacio/.emacs.d/elpa/org-9.5.2/%29%5D"

Thanks.  I think the right thing to do here is make message-mail fix up
this, so I've now done so in Emacs 29.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-13 12:41 ` Robert Pluim
  2022-06-13 13:17   ` Ignacio Casso
@ 2022-06-13 16:14   ` Max Nikulin
  2022-06-13 16:33     ` Eli Zaretskii
  1 sibling, 1 reply; 11+ messages in thread
From: Max Nikulin @ 2022-06-13 16:14 UTC (permalink / raw)
  To: Robert Pluim, Ignacio Casso; +Cc: larsi, 55926

On 13/06/2022 19:41, Robert Pluim wrote:
> 
> I took a look at `message-mailto', and it pretty much just inserts
> what's been passwed to it, so I suspect itʼs an issue with the website
> reply button.

Certainly lists.gnu.org should be fixed, but its maintainers are likely 
busy with other activities.

On the other hand mail user agents should be more tolerant to input 
data, so it is better to ensure proper format despite not fully correct 
input. Even an example in (already obsoleted) rfc2368 for mailto: URIs 
has no closing %3e: https://datatracker.ietf.org/doc/html/rfc2368#section-6

I do not use Emacs as a mail client, so I have never tried to setup it 
as a mailto: scheme handler, but I expect that 
etc/emacsclient-mail.desktop was created for such purpose. I do not 
think that Exec values are really safe, but it is another issue.





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-13 16:14   ` Max Nikulin
@ 2022-06-13 16:33     ` Eli Zaretskii
  2022-06-14 16:11       ` Max Nikulin
  0 siblings, 1 reply; 11+ messages in thread
From: Eli Zaretskii @ 2022-06-13 16:33 UTC (permalink / raw)
  To: Max Nikulin; +Cc: larsi, rpluim, 55926, ignaciocasso

> Cc: larsi@gnus.org, 55926@debbugs.gnu.org
> Date: Mon, 13 Jun 2022 23:14:39 +0700
> From: Max Nikulin <manikulin@gmail.com>
> 
> On 13/06/2022 19:41, Robert Pluim wrote:
> > 
> > I took a look at `message-mailto', and it pretty much just inserts
> > what's been passwed to it, so I suspect itʼs an issue with the website
> > reply button.
> 
> Certainly lists.gnu.org should be fixed, but its maintainers are likely 
> busy with other activities.

I suggest to write to mailman@gnu.org, that's where you can find the
maintainers of lists.gnu.org.





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-13 16:33     ` Eli Zaretskii
@ 2022-06-14 16:11       ` Max Nikulin
  2022-06-14 16:27         ` Robert Pluim
  0 siblings, 1 reply; 11+ messages in thread
From: Max Nikulin @ 2022-06-14 16:11 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: larsi, rpluim, 55926, ignaciocasso

On 13/06/2022 23:33, Eli Zaretskii wrote:
>> Date: Mon, 13 Jun 2022 23:14:39 +0700
>> From: Max Nikulin
>>
>> Certainly lists.gnu.org should be fixed, but its maintainers are likely
>> busy with other activities.
> 
> I suggest to write to mailman@gnu.org, that's where you can find the
> maintainers of lists.gnu.org.

They are aware of the problem.

I am not sure to which degree it is expensive to regenerate pages for 
all messages from all mail lists hosted on lists.gnu.org.

I do not mind web sites should be strict concerning links they generate.

On the other hand it is Emacs that sends mails with invalid header. That 
is why I asked to add a workaround for a mistake that can be easily made 
by soft on external sites.

Unsure if it is possible to do something really weird through a 
specially crafted mailto: link (by adding some special headers), but it 
looks like it is possible to add something that sender may not like to 
see in its message. So it is better to sanitize input link parameters 
that are used to generate headers.

P.S. From my opinion lists.debian.org and bugs.debian.org are more 
friendly to mail users than lists.gnu.org and debbugs.gnu.org.





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-14 16:11       ` Max Nikulin
@ 2022-06-14 16:27         ` Robert Pluim
  2022-06-15 16:14           ` Max Nikulin
  0 siblings, 1 reply; 11+ messages in thread
From: Robert Pluim @ 2022-06-14 16:27 UTC (permalink / raw)
  To: Max Nikulin; +Cc: larsi, Eli Zaretskii, 55926, ignaciocasso

>>>>> On Tue, 14 Jun 2022 23:11:45 +0700, Max Nikulin <manikulin@gmail.com> said:

    Max> Unsure if it is possible to do something really weird through a
    Max> specially crafted mailto: link (by adding some special headers), but
    Max> it looks like it is possible to add something that sender may not like
    Max> to see in its message. So it is better to sanitize input link
    Max> parameters that are used to generate headers.

Iʼm not aware of any code in Emacs that calls `eval' or similar on
parameters passed to `browse-url' or `message-mailto', but you never
know. Donʼt use Emacs to connect to your bank's website :-)

I think Lars' changes here are enough.

Robert
-- 





^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
  2022-06-14 16:27         ` Robert Pluim
@ 2022-06-15 16:14           ` Max Nikulin
  0 siblings, 0 replies; 11+ messages in thread
From: Max Nikulin @ 2022-06-15 16:14 UTC (permalink / raw)
  To: Robert Pluim; +Cc: larsi, Eli Zaretskii, 55926, ignaciocasso

On 14/06/2022 23:27, Robert Pluim wrote:
>>>>>> On Tue, 14 Jun 2022 23:11:45 +0700, Max Nikulin said:
> 
>      Max> Unsure if it is possible to do something really weird through a
>      Max> specially crafted mailto: link (by adding some special headers), but
>      Max> it looks like it is possible to add something that sender may not like
>      Max> to see in its message. So it is better to sanitize input link
>      Max> parameters that are used to generate headers.
> 
> Iʼm not aware of any code in Emacs that calls `eval' or similar on
> parameters passed to `browse-url' or `message-mailto', but you never
> know. Donʼt use Emacs to connect to your bank's website :-)

Actually I did not thought about eval as elisp. I do not like shell 
command in emacsclient-mail.desktop, but this time I wrote about adding 
something suspicious to email messages. However there no way to protect 
against honeypots as Cc aimed to put sender into spammer blocking lists.

> I think Lars' changes here are enough.

I thank Lars for the fix.

There is e.g. References header for the same purpose of proper 
threading, but it may contain list of Message-IDs and there is no 
example of improper format at some site.

I expected something more general e.g. similar to file local variables 
that may be safe or not and sanitizer map for particular headers. It may 
be postponed till next bug report.





^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2022-06-15 16:14 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-12 11:44 bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links Ignacio Casso
2022-06-13 12:34 ` Lars Ingebrigtsen
2022-06-13 13:02   ` Ignacio Casso
2022-06-13 14:47     ` Lars Ingebrigtsen
2022-06-13 12:41 ` Robert Pluim
2022-06-13 13:17   ` Ignacio Casso
2022-06-13 16:14   ` Max Nikulin
2022-06-13 16:33     ` Eli Zaretskii
2022-06-14 16:11       ` Max Nikulin
2022-06-14 16:27         ` Robert Pluim
2022-06-15 16:14           ` Max Nikulin

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).