From: Tomi Ollila <tomi.ollila@iki.fi>
To: Austin Clements <amdragon@MIT.EDU>, notmuch@notmuchmail.org
Subject: Re: [PATCH WIP] emacs: Sanitize authors and subjects in search and show
Date: Sun, 20 Oct 2013 20:49:20 +0300 [thread overview]
Message-ID: <m2ppqzq1cv.fsf@guru.guru-group.fi> (raw)
In-Reply-To: <1381499619-14219-1-git-send-email-amdragon@mit.edu>
On Fri, Oct 11 2013, Austin Clements <amdragon@MIT.EDU> wrote:
> Authors and subjects can contain embedded, encoded control characters
> like "\n" and "\t" that mess up display. Transform control characters
> into spaces everywhere we display them in search and show.
> ---
LGTM.
Tomi
>
> This could obviously use some tests, but I thought I'd get it out
> there to see what people thought or if the behavior should be tweaked.
>
> Of course, I can't guarantee that this is all of the places we display
> untrusted header text. I'm really not sure how to make that guarantee
> (suggestions welcome).
>
> emacs/notmuch-lib.el | 6 ++++++
> emacs/notmuch-show.el | 7 ++++---
> emacs/notmuch.el | 6 ++++--
> 3 files changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/emacs/notmuch-lib.el b/emacs/notmuch-lib.el
> index 58f3313..6541282 100644
> --- a/emacs/notmuch-lib.el
> +++ b/emacs/notmuch-lib.el
> @@ -243,6 +243,12 @@ depending on the value of `notmuch-poll-script'."
> "[No Subject]"
> subject)))
>
> +(defun notmuch-sanitize (str)
> + "Sanitize control character in STR.
> +
> +This includes newlines, tabs, and other funny characters."
> + (replace-regexp-in-string "[[:cntrl:]\x7f\u2028\u2029]+" " " str))
> +
> (defun notmuch-escape-boolean-term (term)
> "Escape a boolean term for use in a query.
>
> diff --git a/emacs/notmuch-show.el b/emacs/notmuch-show.el
> index 7325792..fa11d98 100644
> --- a/emacs/notmuch-show.el
> +++ b/emacs/notmuch-show.el
> @@ -407,7 +407,8 @@ unchanged ADDRESS if parsing fails."
> message at DEPTH in the current thread."
> (let ((start (point)))
> (insert (notmuch-show-spaces-n (* notmuch-show-indent-messages-width depth))
> - (notmuch-show-clean-address (plist-get headers :From))
> + (notmuch-sanitize
> + (notmuch-show-clean-address (plist-get headers :From)))
> " ("
> date
> ") ("
> @@ -417,7 +418,7 @@ message at DEPTH in the current thread."
>
> (defun notmuch-show-insert-header (header header-value)
> "Insert a single header."
> - (insert header ": " header-value "\n"))
> + (insert header ": " (notmuch-sanitize header-value) "\n"))
>
> (defun notmuch-show-insert-headers (headers)
> "Insert the headers of the current message."
> @@ -1154,7 +1155,7 @@ function is used."
> (jit-lock-register #'notmuch-show-buttonise-links)
>
> ;; Set the header line to the subject of the first message.
> - (setq header-line-format (notmuch-show-strip-re (notmuch-show-get-subject)))
> + (setq header-line-format (notmuch-sanitize (notmuch-show-strip-re (notmuch-show-get-subject))))
>
> (run-hooks 'notmuch-show-hook))))
>
> diff --git a/emacs/notmuch.el b/emacs/notmuch.el
> index c47c6b5..44cd2fd 100644
> --- a/emacs/notmuch.el
> +++ b/emacs/notmuch.el
> @@ -791,11 +791,13 @@ non-authors is found, assume that all of the authors match."
> (plist-get result :total)))
> 'face 'notmuch-search-count)))
> ((string-equal field "subject")
> - (insert (propertize (format format-string (plist-get result :subject))
> + (insert (propertize (format format-string
> + (notmuch-sanitize (plist-get result :subject)))
> 'face 'notmuch-search-subject)))
>
> ((string-equal field "authors")
> - (notmuch-search-insert-authors format-string (plist-get result :authors)))
> + (notmuch-search-insert-authors
> + format-string (notmuch-sanitize (plist-get result :authors))))
>
> ((string-equal field "tags")
> (let ((tags (plist-get result :tags)))
> --
> 1.8.4.rc3
>
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch
next prev parent reply other threads:[~2013-10-20 17:49 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-11 13:53 [PATCH WIP] emacs: Sanitize authors and subjects in search and show Austin Clements
2013-10-11 15:20 ` Jani Nikula
2013-10-20 17:49 ` Tomi Ollila [this message]
2013-10-27 12:49 ` David Bremner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2ppqzq1cv.fsf@guru.guru-group.fi \
--to=tomi.ollila@iki.fi \
--cc=amdragon@MIT.EDU \
--cc=notmuch@notmuchmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).