[PATCH] Fix mml-quoting in responses where pgp-signing is enabled

[PATCH] Fix mml-quoting in responses where pgp-signing is enabled

[Tim Bielawa]

The addition of mml-quote-region (notmuch-mua.el) in 2c6710e3 breaks
automatic signing in replies. When replies are mml-quoted and signing
is enabled by default the "<#part sign=pgpmime>" string will appear on
line 1. This will be consumed during the application of the
mml-quote-region function and transform into the inert string
"<#!part sign=pgpmime>". The result is that responses will no longer
be signed by default.

This fix moves the point forward one line before applying the quoting
function.

Consideration: Clients not signing mail by default. The first line of
their responses would be skipped when the quoting function is
applied. This string takes this general form:

    On Sat, 03 Mar 2012 12:55:14 -0800, notmuch-request@notmuchmail.org wrote:

Because the string is generated by notmuch I don't believe this fix
introduces the possibility for malicious mml commands being omitted
from the quoting.
---
 emacs/notmuch-mua.el |   15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 4be7c13..d8ab2c0 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -114,14 +114,25 @@ list."
       (goto-char (point-max)))
     (insert body)
     (push-mark))
-  (set-buffer-modified-p nil)
 
   (message-goto-body)
   ;; Original message may contain (malicious) MML tags.  We must
   ;; properly quote them in the reply.  Note that using `point-max'
   ;; instead of `mark' here is wrong.  The buffer may include user's
   ;; signature which should not be MML-quoted.
-  (mml-quote-region (point) (mark)))
+  ;;
+  ;; Note also that we skip the first line of the response as it is
+  ;; either: the "<#part sign=pgpmime>" string when clients use
+  ;; automatic signing, or it is the generated string from notmuch
+  ;; indicating the date and author of the message which is being
+  ;; responded to, "on date x, y z -0000, foo@bar.com wrote:"
+  (forward-line 1)
+  (mml-quote-region (point) (mark))
+
+  ;; Quoting the message may modify the contents of the buffer,
+  ;; however, we shouldn't consider mml-quoting a modification because
+  ;; it's preformed by the mua, not the user.
+  (set-buffer-modified-p nil))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
-- 
1.7.4.4

Re: [PATCH] Fix mml-quoting in responses where pgp-signing is enabled

[Tim Bielawa]

[-- Attachment #1: Type: text/plain, Size: 1377 bytes --]

On Sat,  3 Mar 2012 17:04:22 -0500, Tim Bielawa <tbielawa@redhat.com> wrote:
> The addition of mml-quote-region (notmuch-mua.el) in 2c6710e3 breaks
> automatic signing in replies. When replies are mml-quoted and signing
> is enabled by default the "<#part sign=pgpmime>" string will appear on
> line 1. This will be consumed during the application of the
> mml-quote-region function and transform into the inert string
> "<#!part sign=pgpmime>". The result is that responses will no longer
> be signed by default.
> 
> This fix moves the point forward one line before applying the quoting
> function.
> 
> Consideration: Clients not signing mail by default. The first line of
> their responses would be skipped when the quoting function is
> applied. This string takes this general form:
> 
>     On Sat, 03 Mar 2012 12:55:14 -0800, notmuch-request@notmuchmail.org wrote:
> 
> Because the string is generated by notmuch I don't believe this fix
> introduces the possibility for malicious mml commands being omitted
> from the quoting.

I suppose I should add that when running the unit tests the relevant
parts still pass:

> PASS   Reply within emacs
> PASS   Quote MML tags in reply
 
-- 
Tim Bielawa, Software Engineer/Scribe
Production Control Team (RDU)
919.332.6411 Cell | IRC: tbielawa
1BA0 4FAB 4C13 FBA0 A036  4958 AD05 E75E 0333 AE37

[-- Attachment #2: Type: application/pgp-signature, Size: 162 bytes --]

Re: [PATCH] Fix mml-quoting in responses where pgp-signing is enabled

[Jani Nikula]

On Sat,  3 Mar 2012 17:04:22 -0500, Tim Bielawa <tbielawa@redhat.com> wrote:
> The addition of mml-quote-region (notmuch-mua.el) in 2c6710e3 breaks
> automatic signing in replies. When replies are mml-quoted and signing
> is enabled by default the "<#part sign=pgpmime>" string will appear on
> line 1. This will be consumed during the application of the
> mml-quote-region function and transform into the inert string
> "<#!part sign=pgpmime>". The result is that responses will no longer
> be signed by default.
> 
> This fix moves the point forward one line before applying the quoting
> function.
> 
> Consideration: Clients not signing mail by default. The first line of
> their responses would be skipped when the quoting function is
> applied. This string takes this general form:
> 
>     On Sat, 03 Mar 2012 12:55:14 -0800, notmuch-request@notmuchmail.org wrote:
> 
> Because the string is generated by notmuch I don't believe this fix
> introduces the possibility for malicious mml commands being omitted
> from the quoting.

Hmm, would it work to mml quote the reply *before* extracting it from
the temp buffer, like below? It would handle not mml quoting the user's
signature too. Completely untested...

BR,
Jani.


diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 4be7c13..13244eb 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -95,6 +95,9 @@ list."
 	      (goto-char (point-min))
 	      (setq headers (mail-header-extract)))))
       (forward-line 1)
+      ;; Original message may contain (malicious) MML tags. We must
+      ;; properly quote them in the reply.
+      (mml-quote-region (point) (point-max))
       (setq body (buffer-substring (point) (point-max))))
     ;; If sender is non-nil, set the From: header to its value.
     (when sender
@@ -116,12 +119,7 @@ list."
     (push-mark))
   (set-buffer-modified-p nil)
 
-  (message-goto-body)
-  ;; Original message may contain (malicious) MML tags.  We must
-  ;; properly quote them in the reply.  Note that using `point-max'
-  ;; instead of `mark' here is wrong.  The buffer may include user's
-  ;; signature which should not be MML-quoted.
-  (mml-quote-region (point) (mark)))
+  (message-goto-body))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)

Re: [PATCH] Fix mml-quoting in responses where pgp-signing is enabled

[Tim Bielawa]

[-- Attachment #1: Type: text/plain, Size: 2679 bytes --]

Great point, I considered that too after I authored the original patch. It's a better approach I think. I'll try and give it a test run later tonight.


-----Original Message-----
From: Jani Nikula [jani@nikula.org]
Received: Saturday, 03 Mar 2012, 6:36pm
To: Tim Bielawa [tbielawa@redhat.com]; notmuch@notmuchmail.org
Subject: Re: [PATCH] Fix mml-quoting in responses where pgp-signing is enabled


On Sat,  3 Mar 2012 17:04:22 -0500, Tim Bielawa <tbielawa@redhat.com> wrote:
> The addition of mml-quote-region (notmuch-mua.el) in 2c6710e3 breaks
> automatic signing in replies. When replies are mml-quoted and signing
> is enabled by default the "<#part sign=pgpmime>" string will appear on
> line 1. This will be consumed during the application of the
> mml-quote-region function and transform into the inert string
> "<#!part sign=pgpmime>". The result is that responses will no longer
> be signed by default.
> 
> This fix moves the point forward one line before applying the quoting
> function.
> 
> Consideration: Clients not signing mail by default. The first line of
> their responses would be skipped when the quoting function is
> applied. This string takes this general form:
> 
>     On Sat, 03 Mar 2012 12:55:14 -0800, notmuch-request@notmuchmail.org wrote:
> 
> Because the string is generated by notmuch I don't believe this fix
> introduces the possibility for malicious mml commands being omitted
> from the quoting.

Hmm, would it work to mml quote the reply *before* extracting it from
the temp buffer, like below? It would handle not mml quoting the user's
signature too. Completely untested...

BR,
Jani.


diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 4be7c13..13244eb 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -95,6 +95,9 @@ list."
 	      (goto-char (point-min))
 	      (setq headers (mail-header-extract)))))
       (forward-line 1)
+      ;; Original message may contain (malicious) MML tags. We must
+      ;; properly quote them in the reply.
+      (mml-quote-region (point) (point-max))
       (setq body (buffer-substring (point) (point-max))))
     ;; If sender is non-nil, set the From: header to its value.
     (when sender
@@ -116,12 +119,7 @@ list."
     (push-mark))
   (set-buffer-modified-p nil)
 
-  (message-goto-body)
-  ;; Original message may contain (malicious) MML tags.  We must
-  ;; properly quote them in the reply.  Note that using `point-max'
-  ;; instead of `mark' here is wrong.  The buffer may include user's
-  ;; signature which should not be MML-quoted.
-  (mml-quote-region (point) (mark)))
+  (message-goto-body))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)

Re: [PATCH] Fix mml-quoting in responses where pgp-signing is enabled

[Tim Bielawa]

[-- Attachment #1: Type: text/plain, Size: 2802 bytes --]

On Sun, 04 Mar 2012 01:36:29 +0200, Jani Nikula <jani@nikula.org> wrote:
> On Sat,  3 Mar 2012 17:04:22 -0500, Tim Bielawa <tbielawa@redhat.com> wrote:
> > The addition of mml-quote-region (notmuch-mua.el) in 2c6710e3 breaks
> > automatic signing in replies. When replies are mml-quoted and signing
> > is enabled by default the "<#part sign=pgpmime>" string will appear on
> > line 1. This will be consumed during the application of the
> > mml-quote-region function and transform into the inert string
> > "<#!part sign=pgpmime>". The result is that responses will no longer
> > be signed by default.
> > 
> > This fix moves the point forward one line before applying the quoting
> > function.
> > 
> > Consideration: Clients not signing mail by default. The first line of
> > their responses would be skipped when the quoting function is
> > applied. This string takes this general form:
> > 
> >     On Sat, 03 Mar 2012 12:55:14 -0800, notmuch-request@notmuchmail.org wrote:
> > 
> > Because the string is generated by notmuch I don't believe this fix
> > introduces the possibility for malicious mml commands being omitted
> > from the quoting.
> 
> Hmm, would it work to mml quote the reply *before* extracting it from
> the temp buffer, like below? It would handle not mml quoting the user's
> signature too. Completely untested...
> 
> BR,
> Jani.
> 
> 
> diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> index 4be7c13..13244eb 100644
> --- a/emacs/notmuch-mua.el
> +++ b/emacs/notmuch-mua.el
> @@ -95,6 +95,9 @@ list."
>  	      (goto-char (point-min))
>  	      (setq headers (mail-header-extract)))))
>        (forward-line 1)
> +      ;; Original message may contain (malicious) MML tags. We must
> +      ;; properly quote them in the reply.
> +      (mml-quote-region (point) (point-max))
>        (setq body (buffer-substring (point) (point-max))))
>      ;; If sender is non-nil, set the From: header to its value.
>      (when sender
> @@ -116,12 +119,7 @@ list."
>      (push-mark))
>    (set-buffer-modified-p nil)
>  
> -  (message-goto-body)
> -  ;; Original message may contain (malicious) MML tags.  We must
> -  ;; properly quote them in the reply.  Note that using `point-max'
> -  ;; instead of `mark' here is wrong.  The buffer may include user's
> -  ;; signature which should not be MML-quoted.
> -  (mml-quote-region (point) (mark)))
> +  (message-goto-body))
>  
>  (defun notmuch-mua-forward-message ()
>    (message-forward)

Works great. Passes unit tests. Definitely a better approach than the
original patch.

> Notmuch test suite complete.
> All 381 tests behaved as expected (2 expected failures).

+1 from me (this message replied to and signed using the new patch)

-- 
Tim Bielawa

[-- Attachment #2: Type: application/pgp-signature, Size: 162 bytes --]

[PATCH] emacs: fix MML quoting in replies

[Jani Nikula]

The reply MML quoting added in commit ae438cc unintentionally MML
quotes also the signature/encryption MML tags added via
message-setup-hook, causing the reply not to be signed/encrypted.

MML quote just the original message in the temp buffer before
inserting it to the message buffer, to not interfere with message mode
hooks or message construction in general.

See [1] and [2] for bug reports.

Thanks to Tim Bielawa <tbielawa@redhat.com> for testing.

[1] id:"87hay78x6l.fsf@wyzanski.jamesvasile.com"
[2] id:"1330812262-28272-1-git-send-email-tbielawa@redhat.com".

Signed-off-by: Jani Nikula <jani@nikula.org>
---
 emacs/notmuch-mua.el |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 4be7c13..13244eb 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -95,6 +95,9 @@ list."
 	      (goto-char (point-min))
 	      (setq headers (mail-header-extract)))))
       (forward-line 1)
+      ;; Original message may contain (malicious) MML tags. We must
+      ;; properly quote them in the reply.
+      (mml-quote-region (point) (point-max))
       (setq body (buffer-substring (point) (point-max))))
     ;; If sender is non-nil, set the From: header to its value.
     (when sender
@@ -116,12 +119,7 @@ list."
     (push-mark))
   (set-buffer-modified-p nil)
 
-  (message-goto-body)
-  ;; Original message may contain (malicious) MML tags.  We must
-  ;; properly quote them in the reply.  Note that using `point-max'
-  ;; instead of `mark' here is wrong.  The buffer may include user's
-  ;; signature which should not be MML-quoted.
-  (mml-quote-region (point) (mark)))
+  (message-goto-body))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
-- 
1.7.5.4

Re: [PATCH] emacs: fix MML quoting in replies

[Mark Walters]

On Sun,  4 Mar 2012 10:25:38 +0200, Jani Nikula <jani@nikula.org> wrote:
> The reply MML quoting added in commit ae438cc unintentionally MML
> quotes also the signature/encryption MML tags added via
> message-setup-hook, causing the reply not to be signed/encrypted.
> 
> MML quote just the original message in the temp buffer before
> inserting it to the message buffer, to not interfere with message mode
> hooks or message construction in general.
> 
> See [1] and [2] for bug reports.
> 
> Thanks to Tim Bielawa <tbielawa@redhat.com> for testing.
> 
> [1] id:"87hay78x6l.fsf@wyzanski.jamesvasile.com"
> [2] id:"1330812262-28272-1-git-send-email-tbielawa@redhat.com".


LGTM (but I am not really a lisper). I don't sign messages so haven't
tested it but it seems "correct" to only mml-quote the actual body
(i.e. the bit that comes from someone else).

Best wishes

Mark

Re: [PATCH] emacs: fix MML quoting in replies

[Tomi Ollila]

On Sun,  4 Mar 2012 10:25:38 +0200, Jani Nikula <jani@nikula.org> wrote:
> The reply MML quoting added in commit ae438cc unintentionally MML
> quotes also the signature/encryption MML tags added via
> message-setup-hook, causing the reply not to be signed/encrypted.
> 
> MML quote just the original message in the temp buffer before
> inserting it to the message buffer, to not interfere with message mode
> hooks or message construction in general.
> 
> See [1] and [2] for bug reports.
> 
> Thanks to Tim Bielawa <tbielawa@redhat.com> for testing.
> 
> [1] id:"87hay78x6l.fsf@wyzanski.jamesvasile.com"
> [2] id:"1330812262-28272-1-git-send-email-tbielawa@redhat.com".
> 
> Signed-off-by: Jani Nikula <jani@nikula.org>

Looks good to me.

Tomi

Re: [PATCH] emacs: fix MML quoting in replies

[David Bremner]

On Sun,  4 Mar 2012 10:25:38 +0200, Jani Nikula <jani@nikula.org> wrote:
> The reply MML quoting added in commit ae438cc unintentionally MML
> quotes also the signature/encryption MML tags added via
> message-setup-hook, causing the reply not to be signed/encrypted.

pushed, 

d

Re: [PATCH] emacs: fix MML quoting in replies

[Austin Clements]

On Sun,  4 Mar 2012 10:25:38 +0200, Jani Nikula <jani@nikula.org> wrote:
> The reply MML quoting added in commit ae438cc unintentionally MML
> quotes also the signature/encryption MML tags added via
> message-setup-hook, causing the reply not to be signed/encrypted.
> 
> MML quote just the original message in the temp buffer before
> inserting it to the message buffer, to not interfere with message mode
> hooks or message construction in general.
> 
> See [1] and [2] for bug reports.
> 
> Thanks to Tim Bielawa <tbielawa@redhat.com> for testing.
> 
> [1] id:"87hay78x6l.fsf@wyzanski.jamesvasile.com"
> [2] id:"1330812262-28272-1-git-send-email-tbielawa@redhat.com".
> 
> Signed-off-by: Jani Nikula <jani@nikula.org>
> ---
>  emacs/notmuch-mua.el |   10 ++++------
>  1 files changed, 4 insertions(+), 6 deletions(-)
> 
> diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> index 4be7c13..13244eb 100644
> --- a/emacs/notmuch-mua.el
> +++ b/emacs/notmuch-mua.el
> @@ -95,6 +95,9 @@ list."
>  	      (goto-char (point-min))
>  	      (setq headers (mail-header-extract)))))
>        (forward-line 1)
> +      ;; Original message may contain (malicious) MML tags. We must
> +      ;; properly quote them in the reply.
> +      (mml-quote-region (point) (point-max))

Under what circumstances can the (re-search-forward "^$" nil t) above
this code fail?  If it does fail, is it possible for the (forward-line 1)
to move past an adversary-controlled line of text and fail to quote that
line?

Re: [PATCH] emacs: fix MML quoting in replies

[Jani Nikula]

[-- Attachment #1: Type: text/plain, Size: 1848 bytes --]

On Mar 15, 2012 12:08 AM, "Austin Clements" <amdragon@mit.edu> wrote:
>
> On Sun,  4 Mar 2012 10:25:38 +0200, Jani Nikula <jani@nikula.org> wrote:
> > The reply MML quoting added in commit ae438cc unintentionally MML
> > quotes also the signature/encryption MML tags added via
> > message-setup-hook, causing the reply not to be signed/encrypted.
> >
> > MML quote just the original message in the temp buffer before
> > inserting it to the message buffer, to not interfere with message mode
> > hooks or message construction in general.
> >
> > See [1] and [2] for bug reports.
> >
> > Thanks to Tim Bielawa <tbielawa@redhat.com> for testing.
> >
> > [1] id:"87hay78x6l.fsf@wyzanski.jamesvasile.com"
> > [2] id:"1330812262-28272-1-git-send-email-tbielawa@redhat.com".
> >
> > Signed-off-by: Jani Nikula <jani@nikula.org>
> > ---
> >  emacs/notmuch-mua.el |   10 ++++------
> >  1 files changed, 4 insertions(+), 6 deletions(-)
> >
> > diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> > index 4be7c13..13244eb 100644
> > --- a/emacs/notmuch-mua.el
> > +++ b/emacs/notmuch-mua.el
> > @@ -95,6 +95,9 @@ list."
> >             (goto-char (point-min))
> >             (setq headers (mail-header-extract)))))
> >        (forward-line 1)
> > +      ;; Original message may contain (malicious) MML tags. We must
> > +      ;; properly quote them in the reply.
> > +      (mml-quote-region (point) (point-max))
>
> Under what circumstances can the (re-search-forward "^$" nil t) above
> this code fail?  If it does fail, is it possible for the (forward-line 1)
> to move past an adversary-controlled line of text and fail to quote that
> line?

It doesn't matter. The quoting is done between point and point-max, and the
message body to cite is extracted right after quoting using: (setq body
(buffer-substring (point) (point-max)))).

BR,
Jani.

[-- Attachment #2: Type: text/html, Size: 2676 bytes --]