From: Aaron Ecay
To: notmuch@notmuchmail.org
Subject: [PATCH] emacs: Quote MML tags in replies
Date: Thu, 19 Jan 2012 13:43:09 -0500
Message-Id: <1326998589-37187-1-git-send-email-aaronecay@gmail.com>

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail. If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.
---

To demonstrate this, open a reply to this message then remove the
exclamation marks after the hash marks below. Create a file in your
home directory called passwd. Then press C-u M-x mml-preview. A
(possibly base64-encoded) version of your ~/passwd file will replace
the following lines:

<#!part type="application/octet-stream" filename="~/passwd" disposition=attachment description=foo>
<#!/part>

It works equally well (and more dangerously) with /etc/passwd, but I
didn't use that filename here to avoid the danger of someone
accidentally attaching their /etc/passwd to a reply in this thread!

emacs/notmuch-mua.el | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el index d8ab822..c25c6b9 100644 --- a/emacs/notmuch-mua.el +++ b/emacs/notmuch-mua.el @@ -115,7 +115,8 @@ list." (push-mark)) (set-buffer-modified-p nil) - (message-goto-body)) + (message-goto-body) + (mml-quote-region (point) (mark))) (defun notmuch-mua-forward-message () (message-forward) -- 1.7.8.3
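Review bot: In the added line `(mml-quote-region (point) (mark))`, the end of the quoted region is whatever the mark happens to be, and the only thing in the visible context that sets it is the earlier `(push-mark)`. If that mark does not sit at the end of the inserted reply text, part of the cited body is left unquoted and a tag there stays live. Passing explicit bounds saved when the cited text is inserted would make the coverage obvious and keep it from depending on mark state. Two smaller points on the same hunk: the call runs after `(set-buffer-modified-p nil)`, so a reply whose body contains a tag leaves the fresh buffer marked modified, and moving the quoting above that line avoids it; and a one-line comment saying the quoting is there to neutralise MML tags in untrusted message text would stop a later cleanup from removing it. The context also shows `notmuch-mua-forward-message` calling `(message-forward)` unchanged, so it is worth confirming whether forwarded bodies need the same treatment.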