From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <notmuch-bounces@notmuchmail.org>
Received: from mp11.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id 0FlQIWpBA2NPGAAAbAwnHQ
	(envelope-from <notmuch-bounces@notmuchmail.org>)
	for <larch@yhetil.org>; Mon, 22 Aug 2022 10:42:18 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp11.migadu.com with LMTPS
	id OHhWIWpBA2PaHgEA9RJhRA
	(envelope-from <notmuch-bounces@notmuchmail.org>)
	for <larch@yhetil.org>; Mon, 22 Aug 2022 10:42:18 +0200
Received: from mail.notmuchmail.org (yantan.tethera.net [IPv6:2a01:4f9:c011:7a79::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 4AE706CCD
	for <larch@yhetil.org>; Mon, 22 Aug 2022 10:42:18 +0200 (CEST)
Received: from yantan.tethera.net (localhost [127.0.0.1])
	by mail.notmuchmail.org (Postfix) with ESMTP id E4B955F370;
	Mon, 22 Aug 2022 08:35:53 +0000 (UTC)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36])
	by mail.notmuchmail.org (Postfix) with ESMTPS id AC59D5E545
	for <notmuch@notmuchmail.org>; Mon, 22 Aug 2022 08:35:51 +0000 (UTC)
Received: by mail-io1-xd36.google.com with SMTP id c4so6883310iof.3
        for <notmuch@notmuchmail.org>; Mon, 22 Aug 2022 01:35:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc;
        bh=9+dqfSvnNnr8l3COddDTCEzKZHSeFTDqXZeguQTg9vY=;
        b=bxomz+Ehc+NgvGSKWhfrPndCNCO1UtvLLEAIPgpFIGvT8g/MTlbOXy/0LNAvlT25bZ
         NK7llL7qyaUR8OBhykk+gHs/w8jhxsyqA7nLypTUSH4eZIeCuilUYW5CwVvj7JlTZ6eG
         lI39s0WRs4UvZEdVRCDa4S+wVyVGZF2arVVbDK/W4O+T7VOxVd+1AZyHSTxzv8XNQfhn
         w06wNSexeJpXj2b7n2PZQ6BakoY+RrQNXOyD7YAlQ0bOji2+UL8aNZKPu0fUPCYrBupd
         eWWi7pm++EONkIOHka/9ItyyHUc4RECWaCXE0+P9OC/U8jbW0ijY9DZIiDH16pUCpduP
         1kqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc;
        bh=9+dqfSvnNnr8l3COddDTCEzKZHSeFTDqXZeguQTg9vY=;
        b=E30pHfC8S/LX7NY44cwaGOe6ii6XjG0BKcadkCOWgUBBFWUNfWczLrL/OtmDpDZ68c
         U3p9ZRYaQDIVEKL9n5cbK1m+VSC2KZ0/1sW9055pwxD/ucA+yu6MUxl5LPEDzBJhB+pj
         3DOiGVnzcvCWBz72SsoyKOr7YIq2bEmgqy/ccZcVfuNctG+a+saU8C0JYH8EiffDT0QY
         E75en0GUjFfbVC2gkVa009ar55DOviarhncVW1MTs4fgpmAmwAdpDawrzfEByDfULnM5
         A/U6vLUZI6E4PbIC0BJrc7jQJrWuQM/BdWtMcklbsIKULzXDci34gVPtt72DgZIcS/xt
         XTsQ==
X-Gm-Message-State: ACgBeo0qEofoyWNYsbUgOMdt+SEAnY4A4x4i99j699YsOQ4N9Bp1Xdmy
	vdzbDaCQzfijz1TIZsvgmH9Hu7oSRcVXR4Swp9B3E7h1mUQ=
X-Google-Smtp-Source: AA6agR4D7+UmUQ5UtTXwLMl/1cqoBP0eg6cnnD3lYNZwL/Blr9UNZneNxWqyX7y/Ot3gz74MFXBrsKwrGZcGhSZ4FNQ=
X-Received: by 2002:a05:6638:dc6:b0:346:ac9c:5dec with SMTP id
 m6-20020a0566380dc600b00346ac9c5decmr9013387jaj.199.1661157350073; Mon, 22
 Aug 2022 01:35:50 -0700 (PDT)
MIME-Version: 1.0
References: <20220822064717.qftn4tr7cs4r2ian@jwilk.net>
In-Reply-To: <20220822064717.qftn4tr7cs4r2ian@jwilk.net>
From: Michael J Gruber <michaeljgruber+grubix+git@gmail.com>
Date: Mon, 22 Aug 2022 10:35:39 +0200
Message-ID: <CAA19uiQDm2wXuh02b2HNxv3tnC_j6yZjdf--roBCq5SpHUhn=g@mail.gmail.com>
Subject: Re: nmweb HTML injection
To: Jakub Wilk <jwilk@jwilk.net>
Message-ID-Hash: P5O7U5RPIZHBPFQ6F6JXKLM2BBFOLF2I
X-Message-ID-Hash: P5O7U5RPIZHBPFQ6F6JXKLM2BBFOLF2I
X-MailFrom: michaeljgruber@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-notmuch.notmuchmail.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: notmuch@notmuchmail.org
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: "Use and development of the notmuch mail system." <notmuch.notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Owner: <mailto:notmuch-owner@notmuchmail.org>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Subscribe: <mailto:notmuch-join@notmuchmail.org>
List-Unsubscribe: <mailto:notmuch-leave@notmuchmail.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1661157738;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=o0jZIuXP/R9WGOJ5VLXcR8RaeFs5hjgrATIH+tgRh9I=;
	b=JmNlx+tspH6yp9aqSJbKRbMjfzrwgnYVM8FsvM8QYAUOScQGALShQuKT6plw6iQP+gsCmR
	H2tuxeDH+ytmCO2q2qKBMXbn5qPUTQIC4iJH9doQAIIPOwKzMDMIQn+z4T81FvXzlHhBRq
	NUov/u4jKkjLES8tvU+sOm5FnS7zdLRfNDyMljKNdAhIHGB8VezU57RKec+svwT2/kwIub
	iKHghSQhd3m/GD6iXqeLryNBQGj9A0bCQsPHJVBGhjmxveiQKhxY6s920O6/BAEclGXWx/
	+YcbH9GJ0gyBUcISvMQgO6/gezldk7o+rsJGu9GvYmDkTls1GjCbInQItpAIEQ==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1661157738; a=rsa-sha256; cv=none;
	b=LVrNNTyfv2qq6NWmv5B147Az35CZJHKlthhXGkF0Hcd80BF0Mwzv3m3a/WHGBRlfWbywUD
	7tz7dgXBgXlm/8eipMRPSslmkP+qvzAV/J9mG0qSsUXrtOSDCTKybGGJZCf/NLWP81zJwe
	ZhcfCTWUvimElPVVLYqPBbGQJFhiret5bCNNOMtHRE2qLvIc0wIbLEJMxEg5moApGr6VjE
	E8WQNc2nqSlILKlq5AlSAOYN3lJGbyqOq2Mc370l51F5/E/oxVF0f+vPK+YKrG0s6Ih3vw
	PcqQhbIMaP8biA5jL1DxOqaRC4HucJuro0ILQW8S3AXQs/tD1NqeiYB1UEdZiQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("body hash did not verify") header.d=gmail.com header.s=20210112 header.b=bxomz+Eh;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of notmuch-bounces@notmuchmail.org designates 2a01:4f9:c011:7a79::1 as permitted sender) smtp.mailfrom=notmuch-bounces@notmuchmail.org
X-Migadu-Spam-Score: 6.32
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("body hash did not verify") header.d=gmail.com header.s=20210112 header.b=bxomz+Eh;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of notmuch-bounces@notmuchmail.org designates 2a01:4f9:c011:7a79::1 as permitted sender) smtp.mailfrom=notmuch-bounces@notmuchmail.org
X-Migadu-Queue-Id: 4AE706CCD
X-Spam-Score: 6.32
X-Migadu-Scanner: scn0.migadu.com
X-TUID: tIPPbAYS95BM

Am Mo., 22. Aug. 2022 um 09:22 Uhr schrieb Jakub Wilk <jwilk@jwilk.net>:
>
> See: https://nmbug.notmuchmail.org/nmweb/search/markup%20where%20appropriate
>
> <code> and <p> from the mail subject was dumped without escaping into HTML.
>

Interesting :)

The body is htmlescape()ed, but the subject header is used as is. I
should be escaped too.

Michael