From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: [PATCH v2 09/17] cli/reply: ensure encrypted Subject: line does not leak in the clear
Date: Sun, 26 May 2019 18:16:02 -0400
Message-Id: <20190526221610.2833-10-dkg@fifthhorseman.net>
In-Reply-To: <20190526221610.2833-1-dkg@fifthhorseman.net>
References: <20190526221610.2833-1-dkg@fifthhorseman.net>

Now that we can decrypt headers, we want to make sure that clients using "notmuch reply" to prepare a reply don't leak cleartext in their subject lines.

In particular, the ["reply-headers"]["Subject"] should by default show the external Subject. A replying MUA that intends to protect the Subject line should show the user the Subject from ["original"]["headers"]["Subject"] instead of using ["reply-headers"]["Subject"].

This minor asymmetry with "notmuch show" is intentional. While both tools always render the cleartext subject line when they know it (in ["headers"]["Subject"] for "notmuch show" and in ["original"]["headers"]["Subject"] for "notmuch reply"), "notmuch reply" should never leak something that should stay under encrypted cover in "reply-headers".

Signed-off-by: Daniel Kahn Gillmor
---
 test/T356-protected-headers.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh index 62d7e210..ff37f6bd 100755 --- a/test/T356-protected-headers.sh +++ b/test/T356-protected-headers.sh @@ -76,4 +76,11 @@ output=$(notmuch show --verify --format=json id:signed-protected-header@crypto.n test_json_nodes <<<"$output" \ 'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525350527, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}], "headers": ["Subject"]}}' +test_begin_subtest "protected subject does not leak by default in replies" +output=$(notmuch reply --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org) +test_json_nodes <<<"$output" \ + 'crypto:["original"]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \ + 'subject:["original"]["headers"]["Subject"]="This is a protected header"' \ + 'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"' + test_done -- 2.20.1
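Review bot: the added subtest in test/T356-protected-headers.sh pins the behaviour only for `--format=json`, so a cleartext Subject reaching the reply through any other output of `notmuch reply` would pass this test unnoticed. Consider a companion subtest for the non-JSON reply output that asserts the string "This is a protected header" is absent from the generated Subject line. The subtest title also says "by default" while the command passes `--decrypt=true` explicitly; a short comment stating that "default" refers to the content of ["reply-headers"]["Subject"], not to the decryption policy, would avoid misreading. The three `test_json_nodes` assertions themselves match the commit message: masked value in "header-mask", cleartext under ["original"]["headers"], and "Re: Subject Unavailable" in ["reply-headers"].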
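The contract described in the commit message, seen from the side of a replying MUA, as an added example that is not part of the patch or of notmuch. The helper name `plan_reply_subject` and the sample JSON are assumptions: the sample is constructed from the three nodes the subtest asserts on and is not a full `notmuch reply --format=json` document.

```python
import json

# Constructed sample: only the nodes asserted by the patch's subtest.
SAMPLE_REPLY = json.dumps({
    "reply-headers": {"Subject": "Re: Subject Unavailable"},
    "original": {
        "headers": {"Subject": "This is a protected header"},
        "crypto": {"decrypted": {
            "status": "full",
            "header-mask": {"Subject": "Subject Unavailable"},
        }},
    },
})


def plan_reply_subject(reply_json):
    """Hypothetical MUA helper (not a notmuch API).

    Returns what to show the user, what would go out in the cleartext
    reply header, and whether the protected subject leaked into it.
    """
    reply = json.loads(reply_json)
    original = reply["original"]
    # "header-mask" lists headers whose external value differs from the
    # decrypted one; absent for messages without protected headers.
    mask = original.get("crypto", {}).get("decrypted", {}).get("header-mask", {})
    cleartext = original["headers"]["Subject"]
    wire = reply["reply-headers"]["Subject"]
    protected = "Subject" in mask
    # Leak: the decrypted subject appears in the header that will travel
    # outside the encrypted part. An empty subject cannot leak anything.
    leaked = bool(
        protected
        and cleartext
        and cleartext != mask["Subject"]
        and cleartext in wire
    )
    return {"display": cleartext, "wire": wire,
            "protected": protected, "leaked": leaked}


if __name__ == "__main__":
    print(plan_reply_subject(SAMPLE_REPLY))
```

A client that encrypts its reply would refuse to send, or rewrite the outer header, whenever `leaked` is true.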