unofficial mirror of notmuch@notmuchmail.org
From: David Bremner <david@tethera.net>
To: notmuch@notmuchmail.org
Subject: [PATCH v4 2/2] emacs: quote MML tags in replies
Date: Thu,  2 Feb 2012 00:01:33 -0400	[thread overview]
Message-ID: <1328155293-2334-3-git-send-email-david@tethera.net> (raw)
In-Reply-To: <1328155293-2334-1-git-send-email-david@tethera.net>

From: Aaron Ecay <aaronecay@gmail.com>

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail.  If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.

Using point-max would include the signature in the quoting as well.
It would probably be fairly odd to want to put an MML tag in one’s
signature, but that doesn’t mean that we should break that usage.
---
 NEWS                 |   11 +++++++++++
 emacs/notmuch-mua.el |    7 ++++++-
 test/emacs           |    1 -
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 3d2c2a8..a089e67 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,17 @@ Fix error handling in python bindings.
   exceptions to indicate the error condition. Any subsequent calls
   into libnotmuch caused segmentation faults.
 
+Quote MML tags in replies
+
+  MML tags are text codes that Emacs uses to indicate attachments
+  (among other things) in messages being composed.  The Emacs
+  interface did not quote MML tags in the quoted text of a reply.
+  User could be tricked into replying to a maliciously formatted
+  message and not editing out the MML tags from the quoted text.  This
+  could lead to files from the user's machine being attached to the
+  outgoing message.  The Emacs interface now quotes these tags in
+  reply text, so that they do not effect outgoing messages.
+
 
 Notmuch 0.11 (2012-01-13)
 =========================
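Review bot: in the new NEWS entry, "so that they do not effect outgoing messages" should read "affect", and "User could be tricked" reads better as "A user could be tricked"; suggest fixing both lines before merging, since NEWS is user-facing text.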
diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 7114e48..768b693 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -111,7 +111,12 @@ list."
     (insert body))
   (set-buffer-modified-p nil)
 
-  (message-goto-body))
+  (message-goto-body)
+  ;; Original message may contain (malicious) MML tags.  We must
+  ;; properly quote them in the reply.  Note that using `point-max'
+  ;; instead of `mark' here is wrong.  The buffer may include user's
+  ;; signature which should not be MML-quoted.
+  (mml-quote-region (point) (mark)))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
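Review bot: the `(mml-quote-region (point) (mark))` call relies on the mark having been left at the end of the cited text by the reply setup above this hunk; if no mark is set, `(mark)` returns nil and `mml-quote-region` signals an error rather than quoting nothing. Suggest stating that invariant in the comment (which already explains why `point-max` is the wrong end) or guarding with `(when (mark t) ...)`. Also, `mml-quote-region` is defined in mml.el, so confirm that notmuch-mua.el carries an explicit require that covers it rather than relying on it being loaded as a side effect.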
diff --git a/test/emacs b/test/emacs
index 2a2ce28..de100c5 100755
--- a/test/emacs
+++ b/test/emacs
@@ -274,7 +274,6 @@ EOF
 test_expect_equal_file OUTPUT EXPECTED
 
 test_begin_subtest "Quote MML tags in reply"
-test_subtest_known_broken
 message_id='test-emacs-mml-quoting@message.id'
 add_message [id]="$message_id" \
 	    "[subject]='$test_subtest_name'" \
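Review bot: dropping `test_subtest_known_broken` is right now that the fix lands, but it ties this patch to 1/2, which adds the subtest; apply both together (or squash them) so the tree never has the subtest marked broken while it passes, which the test harness would report as a failure.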
-- 
1.7.8.3
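As an added illustration (not part of this patch or of notmuch), the quoting step from the notmuch-mua.el hunk reproduced in a scratch buffer: the cited text and signature are constructed here, and the `demo-quote-reply-region` name is my own. It shows that `mml-quote-region` neutralizes an MML `<#part ...>` tag in the cited region while a tag after the mark (the signature) is left alone, which is the point-max versus mark distinction the commit message makes.

```elisp
;; Added example, not notmuch code.  Reproduces the `mml-quote-region'
;; call from the patch on constructed text to show which part of the
;; reply buffer is quoted.
(require 'mml)

(defun demo-quote-reply-region ()
  "Return (QUOTED-BODY . SIGNATURE) after quoting MML tags in the body only."
  (with-temp-buffer
    ;; Constructed cited text, as message-cite-original would insert it,
    ;; carrying an MML attachment tag that message-mode would act on.
    (insert "> Please see the attached file:\n"
            "> <#part type=\"text/plain\" filename=\"~/PRIVATE-FILE\" "
            "disposition=attachment><#/part>\n")
    ;; Emulate the mark left at the end of the cited text by the reply
    ;; setup; the marker keeps its place when text is inserted after it.
    (push-mark (point) t nil)
    ;; Constructed signature: a tag here is legitimate and must be kept.
    (insert "\n-- \nsignature mentioning a literal <#part> tag\n")
    (goto-char (point-min))
    ;; Same call as the patch: quote only between point and mark.
    (mml-quote-region (point) (mark t))
    ;; `mml-quote-region' inserts "!" after each "<#" it finds, so the
    ;; cited tag becomes <#!part ...> and is no longer interpreted as MML.
    (cons (buffer-substring (point-min) (mark t))
          (buffer-substring (mark t) (point-max)))))

(let ((result (demo-quote-reply-region)))
  (unless (string-match-p "<#!part" (car result))
    (error "opening tag in cited text was not quoted"))
  (unless (string-match-p "<#!/part" (car result))
    (error "closing tag in cited text was not quoted"))
  (when (string-match-p "<#!" (cdr result))
    (error "signature was quoted, but it lies past the mark"))
  (message "cited MML tags quoted, signature untouched"))
```

Evaluating the block in Emacs (for example with `M-x eval-buffer`) prints the final message; replacing `(mark t)` with `(point-max)` in the `mml-quote-region` call makes the signature check fail, which is the breakage the commit message warns about.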

