* bug#47616: 27.1; hardening mail-envelope-from
@ 2021-04-06 12:42 Francesco Potortì
2021-04-07 15:05 ` Francesco Potortì
2021-05-06 10:22 ` Lars Ingebrigtsen
0 siblings, 2 replies; 7+ messages in thread
From: Francesco Potortì @ 2021-04-06 12:42 UTC
To: 47616
In mail-utils.el the function mail-fetch-field thus notes in the doc
string:

  The buffer should be narrowed to just the header, else false
  matches may be returned from the message body.

In fact, both sendmail-send-it and smtp-send-it use mail-envelope-from,
which calls mail-fetch-field without narrowing, which in fact causes a
false match if:

- you forward a message with "From: " at beginning of line
- message-forward-as-mime is nil
- mail-specify-envelope-from is t
- mail-envelope-from is 'header

In this case, both sendmail-send-it and smtpmail-send-it try to see if
they should set the From: field and the sender, and both get a false
match from mail-envelope-from.
Apparently, the problem with sendmail-send-it is corrected later in the
code (I don't know where) so the mail is sent correctly, which is why I
had never realised this until I started using smtpmail-send-it, which
sets a wrong From: header copied from the forwarded message.
Hardening mail-envelope-from from sendmail.el by narrowing to the
headers, as the doc says, corrects the problem that I observed.

(defun mail-envelope-from ()
  "Return the envelope mail address to use when sending mail.
This function uses `mail-envelope-from'."
  (or (if (eq mail-envelope-from 'header)
          (nth 1 (mail-extract-address-components
                  (save-restriction
                    (save-excursion
                      (goto-char (point-max))
                      (re-search-backward
                       (concat "^" (regexp-quote mail-header-separator) "\n")
                       nil t)
                      (narrow-to-region (point-min) (point))
                      (mail-fetch-field "From")))))
        mail-envelope-from)
      user-mail-address))

This introduces a small semantic change for the meaning of the
mail-envelope-from variable. Currently, the doc says:

  If non-nil, designate the envelope-from address when sending mail.
  This only has an effect if `mail-specify-envelope-from’ is non-nil.
  The value should be either a string, or the symbol `header’ (in
  which case the contents of the "From" header of the message
  being sent is used), or nil (in which case the value of
  ‘user-mail-address’ is used).

The last two lines should be instead:

  ...
  being sent is used, if one exists). If the value is nil, or if it is
  `header' and no "From" header is found in the message, the value of
  ‘user-mail-address’ is used.
* bug#47616: 27.1; hardening mail-envelope-from
From: Francesco Potortì @ 2021-04-07 15:05 UTC
To: 47616
>(defun mail-envelope-from ()
>  "Return the envelope mail address to use when sending mail.
>This function uses `mail-envelope-from'."
>  (or (if (eq mail-envelope-from 'header)
>          (nth 1 (mail-extract-address-components
>                  (save-restriction
>                    (save-excursion
>                      (goto-char (point-max))
>                      (re-search-backward
>                       (concat "^" (regexp-quote mail-header-separator) "\n")
>                       nil t)
>                      (narrow-to-region (point-min) (point))
>                      (mail-fetch-field "From")))))
>        mail-envelope-from)
>      user-mail-address))

This one is better (I had forgotten about mail-header-end)

(require 'sendmail)

(defun mail-envelope-from ()
  "Return the envelope mail address to use when sending mail.
This function uses `mail-envelope-from'."
  (or (if (eq mail-envelope-from 'header)
          (let ((from-field (save-restriction
                              (narrow-to-region (point-min) (mail-header-end))
                              (mail-fetch-field "From"))))
            (when from-field
              (nth 1 (mail-extract-address-components from-field))))
        mail-envelope-from)
      user-mail-address))
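
The false match reported in this thread, next to the effect of narrowing to the headers in the caller, as an added example that is not part of the thread or of Emacs itself. The compose buffer contents, the addresses and the helper name `demo-envelope-from` are constructed for illustration.

```elisp
;; Added example, not code from the thread or from Emacs.
(require 'sendmail)    ; mail-envelope-from, mail-header-end, mail-header-separator
(require 'mail-utils)  ; mail-fetch-field

(defun demo-envelope-from (narrow)
  "Return the envelope sender computed for a constructed forwarded mail.
The buffer has no From: header, only a \"From:\" line in the body.
If NARROW is non-nil, narrow to the headers before calling
`mail-envelope-from', as a careful caller would; otherwise call it
on the whole buffer, which lets the body line match."
  (let ((mail-envelope-from 'header)            ; the setting from the report
        (user-mail-address "me@example.org"))   ; constructed fallback address
    (with-temp-buffer
      ;; Constructed compose buffer: headers, separator line, then a
      ;; forwarded message inlined as plain text in the body
      ;; (what you get when message-forward-as-mime is nil).
      (insert "To: friend@example.org\n"
              "Subject: Fwd: hello\n"
              mail-header-separator "\n"
              "------- Start of forwarded message -------\n"
              "From: Someone Else <other@example.net>\n"
              "Subject: hello\n"
              "\n"
              "Body text.\n")
      (save-restriction
        (when narrow
          ;; mail-header-end returns the position where the headers stop,
          ;; so the body is outside the accessible region afterwards.
          (narrow-to-region (point-min) (mail-header-end)))
        (mail-envelope-from)))))

;; Evaluate both and compare: without narrowing, the address comes from
;; the forwarded body; with narrowing, no From: header is visible and
;; the function falls back to `user-mail-address'.
(list (demo-envelope-from nil)
      (demo-envelope-from t))
```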
* bug#47616: 27.1; hardening mail-envelope-from
From: Lars Ingebrigtsen @ 2021-05-06 10:22 UTC
To: Francesco Potortì; +Cc: 47616
Francesco Potortì <pot@gnu.org> writes:
> Hardening mail-envelope-from from sendmail.el by narrowing to the
> headers, as the doc says, corrects the problem that I observed.
Thanks -- I don't think we should change mail-envelope-from itself here,
because it may conceivably be called from other contexts. Instead the
callers in sendmail/smtpmail should be altered to narrow to the headers
before calling it, and I've now done this in Emacs 28. (This uncovered
a similar bug in smtpmail.el, too.)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* bug#47616: 27.1; hardening mail-envelope-from
From: Francesco Potortì @ 2021-05-06 12:16 UTC
To: Lars Ingebrigtsen; +Cc: 47616
>Francesco Potortì <pot@gnu.org> writes:
>> Hardening mail-envelope-from from sendmail.el by narrowing to the
>> headers, as the doc says, corrects the problem that I observed.
>
>Thanks -- I don't think we should change mail-envelope-from itself here,
>because it may conceivably be called from other contexts. Instead the
>callers in sendmail/smtpmail should be altered to narrow to the headers
>before calling it, and I've now done this in Emacs 28. (This uncovered
>a similar bug in smtpmail.el, too.)
That makes sense, in principle. I would argue for adding a comment to
mail-envelope-from stating that since it calls mail-fetch-field it
should be called only after narrowing to the headers. Or maybe even
adding a note in the doc string, as done in mail-fetch-field.
* bug#47616: 27.1; hardening mail-envelope-from
From: Lars Ingebrigtsen @ 2021-05-07 11:17 UTC
To: Francesco Potortì; +Cc: 47616
Francesco Potortì <pot@gnu.org> writes:
> That makes sense, in principle. I would argue for adding a comment to
> mail-envelope-from stating that since it calls mail-fetch-field it
> should be called only after narrowing to the headers. Or maybe even
> adding a note in the doc string, as done in mail-fetch-field.
Good idea. I've now mentioned this in the doc string in Emacs 28.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* bug#47616: 27.1; hardening mail-envelope-from
From: Eli Zaretskii @ 2021-05-07 11:33 UTC
To: Lars Ingebrigtsen; +Cc: 47616
> From: Lars Ingebrigtsen <larsi@gnus.org>
> Date: Fri, 07 May 2021 13:17:27 +0200
> Cc: 47616@debbugs.gnu.org
>
> Francesco Potortì <pot@gnu.org> writes:
>
> > That makes sense, in principle. I would argue for adding a comment to
> > mail-envelope-from stating that since it calls mail-fetch-field it
> > should be called only after narrowing to the headers. Or maybe even
> > adding a note in the doc string, as done in mail-fetch-field.
>
> Good idea. I've now mentioned this in the doc string in Emacs 28.
Did you forget to push?