[PATCH] emacs: Quote MML tags in replies

[PATCH] emacs: Quote MML tags in replies

[Aaron Ecay]

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail.  If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.
---

To demonstrate this, open a reply to this message then remove the
exclamation marks after the hash marks below.  Create a file in your
home directory called passwd.  Then press C-u M-x mml-preview.  A
(possibly base64-encoded) version of your ~/passwd file will replace
the following lines:

<#!part type="application/octet-stream" filename="~/passwd"
disposition=attachment description=foo>
<#!/part>

It works equally well (and more dangerously) with /etc/passwd, but I
didn't use that filename here to avoid the danger of someone
accidentally attaching their /etc/passwd to a reply in this thread!

 emacs/notmuch-mua.el |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index d8ab822..c25c6b9 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -115,7 +115,8 @@ list."
     (push-mark))
   (set-buffer-modified-p nil)
 
-  (message-goto-body))
+  (message-goto-body)
+  (mml-quote-region (point) (mark)))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
-- 
1.7.8.3

Re: [PATCH] emacs: Quote MML tags in replies

[Pieter Praet]

On Thu, 19 Jan 2012 13:43:09 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> Emacs message-mode uses certain text strings to indicate how to attach
> files to outgoing mail.  If these are present in the text of an email,
> and a user is tricked into replying to the message, the user’s files
> could be exposed.
> ---
> 
> To demonstrate this, open a reply to this message then remove the
> exclamation marks after the hash marks below.  Create a file in your
> home directory called passwd.  Then press C-u M-x mml-preview.  A
> (possibly base64-encoded) version of your ~/passwd file will replace
> the following lines:
> 
> <#!part type="application/octet-stream" filename="~/passwd"
> disposition=attachment description=foo>
> <#!/part>
> 
> It works equally well (and more dangerously) with /etc/passwd, but I
> didn't use that filename here to avoid the danger of someone
> accidentally attaching their /etc/passwd to a reply in this thread!
> 
>  emacs/notmuch-mua.el |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> index d8ab822..c25c6b9 100644
> --- a/emacs/notmuch-mua.el
> +++ b/emacs/notmuch-mua.el
> @@ -115,7 +115,8 @@ list."
>      (push-mark))
>    (set-buffer-modified-p nil)
>  
> -  (message-goto-body))
> +  (message-goto-body)
> +  (mml-quote-region (point) (mark)))
>  
>  (defun notmuch-mua-forward-message ()
>    (message-forward)
> -- 
> 1.7.8.3
> 
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch

Wow, nice catch!  You've just earned yourself a raise!

An urgent +1 !


### OT:
For some reason, `mml-quote-region' explicitly re-quotes
already quoted MML tags:

  "<#!*/?\\(multipart\\|part\\|external\\|mml\\)"

Why is that ?


Peace

-- 
Pieter

Re: [PATCH] emacs: Quote MML tags in replies

[Austin Clements]

Quoth Pieter Praet on Jan 19 at 11:23 pm:
> On Thu, 19 Jan 2012 13:43:09 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> > Emacs message-mode uses certain text strings to indicate how to attach
> > files to outgoing mail.  If these are present in the text of an email,
> > and a user is tricked into replying to the message, the user’s files
> > could be exposed.
> > ---
> > 
> > To demonstrate this, open a reply to this message then remove the
> > exclamation marks after the hash marks below.  Create a file in your
> > home directory called passwd.  Then press C-u M-x mml-preview.  A
> > (possibly base64-encoded) version of your ~/passwd file will replace
> > the following lines:
> > 
> > <#!part type="application/octet-stream" filename="~/passwd"
> > disposition=attachment description=foo>
> > <#!/part>
> > 
> > It works equally well (and more dangerously) with /etc/passwd, but I
> > didn't use that filename here to avoid the danger of someone
> > accidentally attaching their /etc/passwd to a reply in this thread!
> > 
> >  emacs/notmuch-mua.el |    3 ++-
> >  1 files changed, 2 insertions(+), 1 deletions(-)
> > 
> > diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> > index d8ab822..c25c6b9 100644
> > --- a/emacs/notmuch-mua.el
> > +++ b/emacs/notmuch-mua.el
> > @@ -115,7 +115,8 @@ list."
> >      (push-mark))
> >    (set-buffer-modified-p nil)
> >  
> > -  (message-goto-body))
> > +  (message-goto-body)
> > +  (mml-quote-region (point) (mark)))
> >  
> >  (defun notmuch-mua-forward-message ()
> >    (message-forward)
> 
> Wow, nice catch!  You've just earned yourself a raise!

Indeed.

> An urgent +1 !
> 
> 
> ### OT:
> For some reason, `mml-quote-region' explicitly re-quotes
> already quoted MML tags:
> 
>   "<#!*/?\\(multipart\\|part\\|external\\|mml\\)"
> 
> Why is that ?

Probably so the transformation is invertible, though as far as I can
tell there's no mml-unquote-region.

Re: [PATCH] emacs: Quote MML tags in replies

[Aaron Ecay]

On Thu, 19 Jan 2012 17:46:31 -0500, Austin Clements <amdragon@MIT.EDU> wrote:
> > ### OT:
> > For some reason, `mml-quote-region' explicitly re-quotes
> > already quoted MML tags:
> > 
> >   "<#!*/?\\(multipart\\|part\\|external\\|mml\\)"
> > 
> > Why is that ?
> 
> Probably so the transformation is invertible, though as far as I can
> tell there's no mml-unquote-region.

Sending the message (or doing M-x mml-preview) undoes the quoting.  So
if the original message contains an already-quoted tag, constructing the
reply double-quotes it, and sending the reply will produce the original
single-quoted tag again.

-- 
Aaron Ecay

Re: [PATCH] emacs: Quote MML tags in replies

[Pieter Praet]

On Thu, 19 Jan 2012 17:52:23 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> On Thu, 19 Jan 2012 17:46:31 -0500, Austin Clements <amdragon@MIT.EDU> wrote:
> > > ### OT:
> > > For some reason, `mml-quote-region' explicitly re-quotes
> > > already quoted MML tags:
> > > 
> > >   "<#!*/?\\(multipart\\|part\\|external\\|mml\\)"
> > > 
> > > Why is that ?
> > 
> > Probably so the transformation is invertible, though as far as I can
> > tell there's no mml-unquote-region.
> 
> Sending the message (or doing M-x mml-preview) undoes the quoting.  So
> if the original message contains an already-quoted tag, constructing the
> reply double-quotes it, and sending the reply will produce the original
> single-quoted tag again.
> 

Thanks!

This list just keeps on giving;  Free education, I tell ya...


> -- 
> Aaron Ecay


Peace

-- 
Pieter

Re: [PATCH] emacs: Quote MML tags in replies

[Austin Clements]

LGTM and I think it could go in despite my two comments below.

Quoth Aaron Ecay on Jan 19 at  1:43 pm:
> Emacs message-mode uses certain text strings to indicate how to attach
> files to outgoing mail.  If these are present in the text of an email,
> and a user is tricked into replying to the message, the user’s files
> could be exposed.
> ---
> 
> To demonstrate this, open a reply to this message then remove the
> exclamation marks after the hash marks below.  Create a file in your
> home directory called passwd.  Then press C-u M-x mml-preview.  A
> (possibly base64-encoded) version of your ~/passwd file will replace
> the following lines:
> 
> <#!part type="application/octet-stream" filename="~/passwd"
> disposition=attachment description=foo>
> <#!/part>
> 
> It works equally well (and more dangerously) with /etc/passwd, but I
> didn't use that filename here to avoid the danger of someone
> accidentally attaching their /etc/passwd to a reply in this thread!
> 
>  emacs/notmuch-mua.el |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> index d8ab822..c25c6b9 100644
> --- a/emacs/notmuch-mua.el
> +++ b/emacs/notmuch-mua.el
> @@ -115,7 +115,8 @@ list."
>      (push-mark))
>    (set-buffer-modified-p nil)
>  
> -  (message-goto-body))
> +  (message-goto-body)
> +  (mml-quote-region (point) (mark)))

Did you consider using point-max instead of mark?  IIRC, that mark was
very recently introduced which, perhaps irrationally, makes it seem
less future-proof to me.

>  
>  (defun notmuch-mua-forward-message ()
>    (message-forward)

Speaking of future-proofing, it would be good to have a test.

Re: [PATCH] emacs: Quote MML tags in replies

[Aaron Ecay]

On Thu, 19 Jan 2012 17:48:42 -0500, Austin Clements <amdragon@MIT.EDU> wrote:
> Did you consider using point-max instead of mark?  IIRC, that mark was
> very recently introduced which, perhaps irrationally, makes it seem
> less future-proof to me.

Well, if the patch goes in and someone changes the code so that it no
longer sets the mark (in the same way), they will be the one breaking
stuff, and they’ll have to come up with the fix themself.  Using point-max
would include the signature in the quoting as well.  It would probably be
fairly odd to want to put an MML tag in one’s signature, but that doesn’t
mean that we should break that usage.

> 
> >  
> >  (defun notmuch-mua-forward-message ()
> >    (message-forward)
> 
> Speaking of future-proofing, it would be good to have a test.

It would.  ;)  I’ll work on one.

-- 
Aaron Ecay

Re: [PATCH] emacs: Quote MML tags in replies

[Pieter Praet]

On Thu, 19 Jan 2012 17:56:16 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> On Thu, 19 Jan 2012 17:48:42 -0500, Austin Clements <amdragon@MIT.EDU> wrote:
> > Did you consider using point-max instead of mark?  IIRC, that mark was
> > very recently introduced which, perhaps irrationally, makes it seem
> > less future-proof to me.
> 
> Well, if the patch goes in and someone changes the code so that it no
> longer sets the mark (in the same way), they will be the one breaking
> stuff, and they’ll have to come up with the fix themself.  [...]

True that.


> [...] Using point-max
> would include the signature in the quoting as well.  It would probably be
> fairly odd to want to put an MML tag in one’s signature, but that doesn’t
> mean that we should break that usage.
> 

So, would I be right to assume MML tags in signatures are never
evaluated to begin with?  Otherwise, there would still be a security
hole, no?


> > 
> > >  
> > >  (defun notmuch-mua-forward-message ()
> > >    (message-forward)
> > 
> > Speaking of future-proofing, it would be good to have a test.
> 
> It would.  ;)  I’ll work on one.
> 

Thanks!

These might save you some time:
  id:"1310313335-4159-1-git-send-email-pieter@praet.org"


> -- 
> Aaron Ecay
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch


Peace

-- 
Pieter

Re: [PATCH] emacs: Quote MML tags in replies

[Aaron Ecay]

On Fri, 20 Jan 2012 00:21:08 +0100, Pieter Praet <pieter@praet.org> wrote:
> So, would I be right to assume MML tags in signatures are never
> evaluated to begin with?  Otherwise, there would still be a security
> hole, no?

I am thinking of MML tags that a user puts in their own signature.
If that case is a security hole, then the hole is in the user’s brain
and not in notmuch.  :)

-- 
Aaron Ecay

Re: [PATCH] emacs: Quote MML tags in replies

[Pieter Praet]

On Thu, 19 Jan 2012 22:26:02 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> On Fri, 20 Jan 2012 00:21:08 +0100, Pieter Praet <pieter@praet.org> wrote:
> > So, would I be right to assume MML tags in signatures are never
> > evaluated to begin with?  Otherwise, there would still be a security
> > hole, no?
> 
> I am thinking of MML tags that a user puts in their own signature.
> If that case is a security hole, then the hole is in the user’s brain
> and not in notmuch.  :)
> 

Ah, right...  I didn't bother checking what the mark's position would be,
so assumed we were talking about the signature in the *quoted* message.

Won't happen again :)

> -- 
> Aaron Ecay


Peace

-- 
Pieter

Re: [PATCH] emacs: Quote MML tags in replies

[Austin Clements]

Quoth Aaron Ecay on Jan 19 at  5:56 pm:
> On Thu, 19 Jan 2012 17:48:42 -0500, Austin Clements <amdragon@MIT.EDU> wrote:
> > >  
> > >  (defun notmuch-mua-forward-message ()
> > >    (message-forward)
> > 
> > Speaking of future-proofing, it would be good to have a test.
> 
> It would.  ;)  I’ll work on one.

Were you planning to roll a new version of this patch with a test?

[PATCH 1/2] emacs: Add tests for quoting of MML tags in replies

[Aaron Ecay]

The test is broken at this time; the next commit will introduce a fix.
---

Thanks for the reminder, Austin.  Things got hectic, and it took a
little bludgeoning to get the test suite to behave.  I *think* I got
it, although I am by no means confident.  Specifically, I am seeing
some unrelated(?) test failures in the emacs suite, so I'd appreciate
it if someone with a well-functioning test suite tried out these
patches before they are pushed, to be sure I didn't break anything.

I tried to follow the "first patch introduces a failing test, second
patch fixes it" convention.

 test/emacs                           |   14 ++++++++++++++
 test/emacs.expected-output/quote-mml |    9 +++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)
 create mode 100644 test/emacs.expected-output/quote-mml

diff --git a/test/emacs b/test/emacs
index 8ca4c8a..a57513a 100755
--- a/test/emacs
+++ b/test/emacs
@@ -273,6 +273,20 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> w
 EOF
 test_expect_equal_file OUTPUT EXPECTED
 
+test_begin_subtest "Quote MML tags on reply"
+test_subtest_known_broken
+add_message '[from]="1337 h4xor <test@test.com>"' \
+            '[to]="Unsuspecting rube <luser@securityhole.com>"' \
+            '[subject]="hackety hack hack"' \
+            '[body]="<#part type="application/octet-stream" filename="foo" disposition=attachment>
+<#/part>"' \
+            '[id]="test-mml-quoting@msg.id"'
+test_emacs "(notmuch-show \"id:test-mml-quoting@msg.id\")
+            (notmuch-show-reply-sender)
+            (test-output)"
+test_expect_equal_file OUTPUT "$EXPECTED/quote-mml"
+
+
 test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments"
 # save as archive to test that Emacs does not re-compress .gz
 test_emacs '(let ((standard-input "\"attachment1.gz\""))
diff --git a/test/emacs.expected-output/quote-mml b/test/emacs.expected-output/quote-mml
new file mode 100644
index 0000000..01bd2ca
--- /dev/null
+++ b/test/emacs.expected-output/quote-mml
@@ -0,0 +1,9 @@
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: 1337 h4xor <test@test.com>
+Subject: Re: hackety hack hack
+In-Reply-To: <test-mml-quoting@msg.id>
+Fcc: /home/aecay/development/notmuch/test/tmp.emacs/mail/sent
+--text follows this line--
+On Fri, 05 Jan 2001 15:43:57 +0000, 1337 h4xor <test@test.com> wrote:
+> <#!part type=application/octet-stream filename=foo disposition=attachment>
+> <#!/part>
-- 
1.7.9

[PATCH 2/2] emacs: Quote MML tags in replies

[Aaron Ecay]

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail.  If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.
---
 NEWS                 |   18 ++++++++++++++++++
 emacs/notmuch-mua.el |    3 ++-
 test/emacs           |    1 -
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 2acdce5..c8b90c7 100644
--- a/NEWS
+++ b/NEWS
@@ -56,6 +56,24 @@ Compatibility with GMime 2.6
   However, a bug in current GMime 2.6 causes notmuch not to report
   signatures where the signer key is unavailable (GNOME bug 668085).
 
+Notmuch 0.11.1 (2012-xx-xx)
+===========================
+
+Emacs Interface
+---------------
+
+Quote MML tags in replies
+
+  MML tags are text codes that Emacs uses to indicate attachments
+  (among other things) in messages being composed.  The Emacs
+  interface did not quote MML tags in the quoted text of a reply.  If
+  a user could be tricked into replying to a maliciously formatted
+  message and not editing out the MML tags from the quoted text, this
+  could lead to files from the user's machine being attached to the
+  outgoing message.  The Emacs interface now quotes these tags in
+  reply text, so that they cannot have an effect on the outgoing
+  message.
+
 Notmuch 0.11 (2012-01-13)
 =========================
 
diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 023645e..32c376d 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -116,7 +116,8 @@ list."
     (push-mark))
   (set-buffer-modified-p nil)
 
-  (message-goto-body))
+  (message-goto-body)
+  (mml-quote-region (point) (mark)))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
diff --git a/test/emacs b/test/emacs
index a57513a..affcca4 100755
--- a/test/emacs
+++ b/test/emacs
@@ -274,7 +274,6 @@ EOF
 test_expect_equal_file OUTPUT EXPECTED
 
 test_begin_subtest "Quote MML tags on reply"
-test_subtest_known_broken
 add_message '[from]="1337 h4xor <test@test.com>"' \
             '[to]="Unsuspecting rube <luser@securityhole.com>"' \
             '[subject]="hackety hack hack"' \
-- 
1.7.9

Re: [PATCH 2/2] emacs: Quote MML tags in replies

[Tomi Ollila]

On Sun, 29 Jan 2012 01:07:08 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> Emacs message-mode uses certain text strings to indicate how to attach
> files to outgoing mail.  If these are present in the text of an email,
> and a user is tricked into replying to the message, the user’s files
> could be exposed.
> ---

[ ... ]

>  
> -  (message-goto-body))
> +  (message-goto-body)
> +  (mml-quote-region (point) (mark)))

As asked before, comment why mmm-quote-region is needed 
and why (mark) is used instead of (point-max) is there.
We know the reasons but future viewers of the code will
wonder a while...

Tomi

Re: [PATCH 1/2] emacs: Add tests for quoting of MML tags in replies

[David Bremner]

On Sun, 29 Jan 2012 01:07:07 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> The test is broken at this time; the next commit will introduce a fix.
> ---

Hi Aaron.

Applied to master test fails for me as follows (after the second patch
is applied as well).

	 In-Reply-To: <test-mml-quoting@msg.id>
	-Fcc: /home/aecay/development/notmuch/test/tmp.emacs/mail/sent
	+Fcc: /home/bremner/software/upstream/notmuch/test/tmp.emacs/mail/sent

I guess it should force Fcc somehow in the test; didn't have time to dig
further.

Do you mind making another round, against the release branch this time
and taking the commit message comments into account?

d

Re: [PATCH] emacs: Quote MML tags in replies

[David Edmondson]

[-- Attachment #1: Type: text/plain, Size: 353 bytes --]

On Thu, 19 Jan 2012 13:43:09 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> -  (message-goto-body))
> +  (message-goto-body)
> +  (mml-quote-region (point) (mark)))

Obviously good. It would be nice to have a comment about why it's `mark'
and not `point-max'. In fact, it would be good to have a comment
explaining why `mml-quote-region' is required.

[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]

Re: [PATCH] emacs: Quote MML tags in replies

[David Bremner]

On Thu, 19 Jan 2012 13:43:09 -0500, Aaron Ecay <aaronecay@gmail.com> wrote:
> Emacs message-mode uses certain text strings to indicate how to attach
> files to outgoing mail.  If these are present in the text of an email,
> and a user is tricked into replying to the message, the user’s files
> could be exposed.
> ---

Can you include a NEWS patch against release with next version? We
should probably roll 0.11.1 with this fix.

d

emacs: quote MML tags in replies

[Dmitry Kurochkin]

Hi Aaron.

Thanks for your work!  I took the liberty to do some cleanups for your
patch.  Below is a detailed list of changes.

Hope this helps.

Changes since v2:

* change patch names to be consistent with others:

  - s/emacs:/test:/ for the test patch

  - lower case the first word after colon in the patch title

* polish NEWS wording, move it to 0.12 section

* add comment to `mml-quote-region' call, as suggested by Tomi [1]

* fix and clean up the test:

  - set `notmuch-fcc-dirs' to nil to avoid adding the Fcc header,
    otherwise it breaks the test on other systems as pointed by
    David [2]

  - use default values for add_message parameters where possible

  - use a sane subject value in add_message

  - use shorter MML tag as produced by (mml-insert-part)

  - indenting and other minor cleanups

Regards,
  Dmitry

[1] id:"m2wr89ioos.fsf@guru.guru-group.fi"
[2] id:"87ehugzycb.fsf@zancas.localnet"

[PATCH v3 1/2] test: add tests for quoting of MML tags in replies

[Dmitry Kurochkin]

From: Aaron Ecay <aaronecay@gmail.com>

The test is broken at this time; the next commit will introduce a fix.
---
 test/emacs                                    |   12 ++++++++++++
 test/emacs.expected-output/quote-mml-in-reply |    7 +++++++
 2 files changed, 19 insertions(+), 0 deletions(-)
 create mode 100644 test/emacs.expected-output/quote-mml-in-reply

diff --git a/test/emacs b/test/emacs
index 8ca4c8a..a3f4893 100755
--- a/test/emacs
+++ b/test/emacs
@@ -273,6 +273,18 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> w
 EOF
 test_expect_equal_file OUTPUT EXPECTED
 
+test_begin_subtest "Quote MML tags in reply"
+test_subtest_known_broken
+message_id='test-emacs-mml-quoting@message.id'
+add_message [id]="$message_id" \
+	    "[subject]='$test_subtest_name'" \
+	    '[body]="<#part disposition=inline>"'
+test_emacs "(let ((notmuch-fcc-dirs nil))
+	      (notmuch-show \"id:$message_id\")
+	      (notmuch-show-reply)
+	      (test-output))"
+test_expect_equal_file OUTPUT "$EXPECTED/quote-mml-in-reply"
+
 test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments"
 # save as archive to test that Emacs does not re-compress .gz
 test_emacs '(let ((standard-input "\"attachment1.gz\""))
diff --git a/test/emacs.expected-output/quote-mml-in-reply b/test/emacs.expected-output/quote-mml-in-reply
new file mode 100644
index 0000000..adec92a
--- /dev/null
+++ b/test/emacs.expected-output/quote-mml-in-reply
@@ -0,0 +1,7 @@
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: 
+Subject: Re: Quote MML tags in reply
+In-Reply-To: <test-emacs-mml-quoting@message.id>
+--text follows this line--
+On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
+> <#!part disposition=inline>
-- 
1.7.9

[PATCH v4 1/2] test: add tests for quoting of MML tags in replies

[Pieter Praet]

From: Aaron Ecay <aaronecay@gmail.com>

The test is broken at this time; the next commit will introduce a fix.

Edited-by: Pieter Praet <pieter@praet.org>:
  Moved expected output into the actual test and fixed "Fcc:" line.

---
 test/emacs |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/test/emacs b/test/emacs
index 8ca4c8a..1fdd3a5 100755
--- a/test/emacs
+++ b/test/emacs
@@ -273,6 +273,27 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> w
 EOF
 test_expect_equal_file OUTPUT EXPECTED
 
+test_begin_subtest "Quote MML tags in reply"
+test_subtest_known_broken
+message_id='test-emacs-mml-quoting@message.id'
+add_message [id]="$message_id" \
+	    "[subject]='$test_subtest_name'" \
+	    '[body]="<#part disposition=inline>"'
+test_emacs "(notmuch-show \"id:$message_id\")
+	      (notmuch-show-reply)
+	      (test-output)"
+cat <<EOF >EXPECTED
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: 
+Subject: Re: Quote MML tags in reply
+In-Reply-To: <test-emacs-mml-quoting@message.id>
+Fcc: $(pwd)/mail/sent
+--text follows this line--
+On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
+> <#!part disposition=inline>
+EOF
+test_expect_equal_file OUTPUT EXPECTED
+
 test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments"
 # save as archive to test that Emacs does not re-compress .gz
 test_emacs '(let ((standard-input "\"attachment1.gz\""))
-- 
1.7.8.1

[PATCH v5 1/2] test: add tests for quoting of MML tags in replies

[Pieter Praet]

From: Aaron Ecay <aaronecay@gmail.com>

The test is broken at this time; the next commit will introduce a fix.

Edited-by: Pieter Praet <pieter@praet.org>:
  Moved expected output into the actual test and fixed "Fcc:" line.
---
 test/emacs |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/test/emacs b/test/emacs
index 8ca4c8a..17129b7 100755
--- a/test/emacs
+++ b/test/emacs
@@ -273,6 +273,27 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> w
 EOF
 test_expect_equal_file OUTPUT EXPECTED
 
+test_begin_subtest "Quote MML tags in reply"
+test_subtest_known_broken
+message_id='test-emacs-mml-quoting@message.id'
+add_message [id]="$message_id" \
+	    "[subject]='$test_subtest_name'" \
+	    '[body]="<#part disposition=inline>"'
+test_emacs "(notmuch-show \"id:$message_id\")
+	      (notmuch-show-reply)
+	      (test-output)"
+cat <<EOF >EXPECTED
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: 
+Subject: Re: Quote MML tags in reply
+In-Reply-To: <test-emacs-mml-quoting@message.id>
+Fcc: ${MAIL_DIR}/sent
+--text follows this line--
+On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
+> <#!part disposition=inline>
+EOF
+test_expect_equal_file OUTPUT EXPECTED
+
 test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments"
 # save as archive to test that Emacs does not re-compress .gz
 test_emacs '(let ((standard-input "\"attachment1.gz\""))
-- 
1.7.8.1

[PATCH v3 2/2] emacs: quote MML tags in replies

[Dmitry Kurochkin]

From: Aaron Ecay <aaronecay@gmail.com>

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail.  If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.
---
 NEWS                 |   12 ++++++++++++
 emacs/notmuch-mua.el |    7 ++++++-
 test/emacs           |    1 -
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 2acdce5..ef26b8c 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,17 @@ Reply to sender
   and search modes, 'r' has been bound to reply to sender, replacing
   reply to all, which now has key binding 'R'.
 
+Quote MML tags in replies
+
+  MML tags are text codes that Emacs uses to indicate attachments
+  (among other things) in messages being composed.  The Emacs
+  interface did not quote MML tags in the quoted text of a reply.
+  User could be tricked into replying to a maliciously formatted
+  message and not editing out the MML tags from the quoted text.  This
+  could lead to files from the user's machine being attached to the
+  outgoing message.  The Emacs interface now quotes these tags in
+  reply text, so that they do not effect outgoing messages.
+
 Library changes
 ---------------
 
@@ -56,6 +67,7 @@ Compatibility with GMime 2.6
   However, a bug in current GMime 2.6 causes notmuch not to report
   signatures where the signer key is unavailable (GNOME bug 668085).
 
+
 Notmuch 0.11 (2012-01-13)
 =========================
 
diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 023645e..4be7c13 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -116,7 +116,12 @@ list."
     (push-mark))
   (set-buffer-modified-p nil)
 
-  (message-goto-body))
+  (message-goto-body)
+  ;; Original message may contain (malicious) MML tags.  We must
+  ;; properly quote them in the reply.  Note that using `point-max'
+  ;; instead of `mark' here is wrong.  The buffer may include user's
+  ;; signature which should not be MML-quoted.
+  (mml-quote-region (point) (mark)))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
diff --git a/test/emacs b/test/emacs
index a3f4893..b9f7d15 100755
--- a/test/emacs
+++ b/test/emacs
@@ -274,7 +274,6 @@ EOF
 test_expect_equal_file OUTPUT EXPECTED
 
 test_begin_subtest "Quote MML tags in reply"
-test_subtest_known_broken
 message_id='test-emacs-mml-quoting@message.id'
 add_message [id]="$message_id" \
 	    "[subject]='$test_subtest_name'" \
-- 
1.7.9

Re: emacs: quote MML tags in replies

[Pieter Praet]

On Wed,  1 Feb 2012 06:49:39 +0400, Dmitry Kurochkin <dmitry.kurochkin@gmail.com> wrote:
> Hi Aaron.
> 
> Thanks for your work!  I took the liberty to do some cleanups for your
> patch.  Below is a detailed list of changes.
> 

Thanks to the both of you!


> Hope this helps.
> 
> Changes since v2:
> 
> * change patch names to be consistent with others:
> 
>   - s/emacs:/test:/ for the test patch
> 
>   - lower case the first word after colon in the patch title
> 
> * polish NEWS wording, move it to 0.12 section
> 
> * add comment to `mml-quote-region' call, as suggested by Tomi [1]
> 
> * fix and clean up the test:
> 
>   - set `notmuch-fcc-dirs' to nil to avoid adding the Fcc header,
>     otherwise it breaks the test on other systems as pointed by
>     David [2]
> 

Could also have been avoided by adding the expected result inline,
and using "Fcc: $(pwd)/mail/sent".  I'll send an updated patch to
that effect.


>   - use default values for add_message parameters where possible
> 
>   - use a sane subject value in add_message
> 
>   - use shorter MML tag as produced by (mml-insert-part)
> 
>   - indenting and other minor cleanups
> 
> Regards,
>   Dmitry
> 
> [1] id:"m2wr89ioos.fsf@guru.guru-group.fi"
> [2] id:"87ehugzycb.fsf@zancas.localnet"
> 
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch

Despite my comment re Fcc, both LGTM.


Peace

-- 
Pieter

Re: emacs: quote MML tags in replies

[Dmitry Kurochkin]

On Wed, 01 Feb 2012 14:51:37 +0100, Pieter Praet <pieter@praet.org> wrote:
> On Wed,  1 Feb 2012 06:49:39 +0400, Dmitry Kurochkin <dmitry.kurochkin@gmail.com> wrote:
> > Hi Aaron.
> > 
> > Thanks for your work!  I took the liberty to do some cleanups for your
> > patch.  Below is a detailed list of changes.
> > 
> 
> Thanks to the both of you!
> 
> 
> > Hope this helps.
> > 
> > Changes since v2:
> > 
> > * change patch names to be consistent with others:
> > 
> >   - s/emacs:/test:/ for the test patch
> > 
> >   - lower case the first word after colon in the patch title
> > 
> > * polish NEWS wording, move it to 0.12 section
> > 
> > * add comment to `mml-quote-region' call, as suggested by Tomi [1]
> > 
> > * fix and clean up the test:
> > 
> >   - set `notmuch-fcc-dirs' to nil to avoid adding the Fcc header,
> >     otherwise it breaks the test on other systems as pointed by
> >     David [2]
> > 
> 
> Could also have been avoided by adding the expected result inline,
> and using "Fcc: $(pwd)/mail/sent".  I'll send an updated patch to
> that effect.
> 

I do not understand how this is better.  But please do not use $(pwd)
here.  I know that other tests do that in the same case, but it is
wrong.  There is $MAIL_DIR variable for this.  See "notmuch-fcc-dirs set
to a string" test for an example.

Regards,
  Dmitry

> 
> >   - use default values for add_message parameters where possible
> > 
> >   - use a sane subject value in add_message
> > 
> >   - use shorter MML tag as produced by (mml-insert-part)
> > 
> >   - indenting and other minor cleanups
> > 
> > Regards,
> >   Dmitry
> > 
> > [1] id:"m2wr89ioos.fsf@guru.guru-group.fi"
> > [2] id:"87ehugzycb.fsf@zancas.localnet"
> > 
> > _______________________________________________
> > notmuch mailing list
> > notmuch@notmuchmail.org
> > http://notmuchmail.org/mailman/listinfo/notmuch
> 
> Despite my comment re Fcc, both LGTM.
> 
> 
> Peace
> 
> -- 
> Pieter

Re: emacs: quote MML tags in replies

[Pieter Praet]

On Wed, 01 Feb 2012 18:18:55 +0400, Dmitry Kurochkin <dmitry.kurochkin@gmail.com> wrote:
> On Wed, 01 Feb 2012 14:51:37 +0100, Pieter Praet <pieter@praet.org> wrote:
> > On Wed,  1 Feb 2012 06:49:39 +0400, Dmitry Kurochkin <dmitry.kurochkin@gmail.com> wrote:
> > > Hi Aaron.
> > > 
> > > Thanks for your work!  I took the liberty to do some cleanups for your
> > > patch.  Below is a detailed list of changes.
> > > 
> > 
> > Thanks to the both of you!
> > 
> > 
> > > Hope this helps.
> > > 
> > > Changes since v2:
> > > 
> > > * change patch names to be consistent with others:
> > > 
> > >   - s/emacs:/test:/ for the test patch
> > > 
> > >   - lower case the first word after colon in the patch title
> > > 
> > > * polish NEWS wording, move it to 0.12 section
> > > 
> > > * add comment to `mml-quote-region' call, as suggested by Tomi [1]
> > > 
> > > * fix and clean up the test:
> > > 
> > >   - set `notmuch-fcc-dirs' to nil to avoid adding the Fcc header,
> > >     otherwise it breaks the test on other systems as pointed by
> > >     David [2]
> > > 
> > 
> > Could also have been avoided by adding the expected result inline,
> > and using "Fcc: $(pwd)/mail/sent".  I'll send an updated patch to
> > that effect.
> > 
> 
> I do not understand how this is better.  [...]

Well, the expected output is only 7 lines, so we might as well keep it
inside the test itself (of which the advantages need no reiteration),
and doing so would allow us to get the Fcc path in a more future-proof way;
`notmuch-fcc-dirs' is more susceptible to deprecation than $MAIL_DIR et al.


> [...] But please do not use $(pwd)
> here.  I know that other tests do that in the same case, but it is
> wrong.  There is $MAIL_DIR variable for this.  See "notmuch-fcc-dirs set
> to a string" test for an example.
> 

Good point!  Patch follows.


> Regards,
>   Dmitry
> 
> > 
> > >   - use default values for add_message parameters where possible
> > > 
> > >   - use a sane subject value in add_message
> > > 
> > >   - use shorter MML tag as produced by (mml-insert-part)
> > > 
> > >   - indenting and other minor cleanups
> > > 
> > > Regards,
> > >   Dmitry
> > > 
> > > [1] id:"m2wr89ioos.fsf@guru.guru-group.fi"
> > > [2] id:"87ehugzycb.fsf@zancas.localnet"
> > > 
> > > _______________________________________________
> > > notmuch mailing list
> > > notmuch@notmuchmail.org
> > > http://notmuchmail.org/mailman/listinfo/notmuch
> > 
> > Despite my comment re Fcc, both LGTM.
> > 
> > 
> > Peace
> > 
> > -- 
> > Pieter


Peace

-- 
Pieter

[PATCH] test: replace occurrences of $PWD with vars that are more stable

[Pieter Praet]

Thanks to Dmitry Kurochkin <dmitry.kurochkin@gmail.com>
for pointing this out:  id:"87d39ymyb4.fsf@gmail.com"
---
 test/emacs |    2 +-
 test/new   |    6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/test/emacs b/test/emacs
index 17129b7..9c9d0b4 100755
--- a/test/emacs
+++ b/test/emacs
@@ -266,7 +266,7 @@ From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: user@example.com
 Subject: Re: Testing message sent via SMTP
 In-Reply-To: <XXX>
-Fcc: $(pwd)/mail/sent
+Fcc: ${MAIL_DIR}/sent
 --text follows this line--
 On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
 > This is a test that messages are sent via SMTP
diff --git a/test/new b/test/new
index 49f390d..1b24c84 100755
--- a/test/new
+++ b/test/new
@@ -117,10 +117,10 @@ test_expect_equal "$output" "No new mail. Removed 3 messages."
 test_begin_subtest "New symlink to directory"
 
 rm -rf "${MAIL_DIR}"/.notmuch
-mv "${MAIL_DIR}" "$PWD"/actual_maildir
+mv "${MAIL_DIR}" "${TMP_DIRECTORY}"/actual_maildir
 
 mkdir "${MAIL_DIR}"
-ln -s "$PWD"/actual_maildir "${MAIL_DIR}"/symlink
+ln -s "${TMP_DIRECTORY}"/actual_maildir "${MAIL_DIR}"/symlink
 
 output=$(NOTMUCH_NEW)
 test_expect_equal "$output" "Added 1 new message to the database."
@@ -128,7 +128,7 @@ test_expect_equal "$output" "Added 1 new message to the database."
 
 test_begin_subtest "New symlink to a file"
 generate_message
-external_msg_filename="$PWD"/external/"$(basename "$gen_msg_filename")"
+external_msg_filename="${TMP_DIRECTORY}"/external/"$(basename "$gen_msg_filename")"
 mkdir -p "$(dirname "$external_msg_filename")"
 mv "$gen_msg_filename" "$external_msg_filename"
 ln -s "$external_msg_filename" "$gen_msg_filename"
-- 
1.7.8.1

Re: [PATCH] test: replace occurrences of $PWD with vars that are more stable

[Dmitry Kurochkin]

On Wed,  1 Feb 2012 21:37:21 +0100, Pieter Praet <pieter@praet.org> wrote:
> Thanks to Dmitry Kurochkin <dmitry.kurochkin@gmail.com>
> for pointing this out:  id:"87d39ymyb4.fsf@gmail.com"
> ---

Looks good to me.  Minor comments below.

>  test/emacs |    2 +-
>  test/new   |    6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/test/emacs b/test/emacs
> index 17129b7..9c9d0b4 100755
> --- a/test/emacs
> +++ b/test/emacs
> @@ -266,7 +266,7 @@ From: Notmuch Test Suite <test_suite@notmuchmail.org>
>  To: user@example.com
>  Subject: Re: Testing message sent via SMTP
>  In-Reply-To: <XXX>
> -Fcc: $(pwd)/mail/sent
> +Fcc: ${MAIL_DIR}/sent
>  --text follows this line--
>  On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
>  > This is a test that messages are sent via SMTP
> diff --git a/test/new b/test/new
> index 49f390d..1b24c84 100755
> --- a/test/new
> +++ b/test/new
> @@ -117,10 +117,10 @@ test_expect_equal "$output" "No new mail. Removed 3 messages."
>  test_begin_subtest "New symlink to directory"
>  
>  rm -rf "${MAIL_DIR}"/.notmuch
> -mv "${MAIL_DIR}" "$PWD"/actual_maildir
> +mv "${MAIL_DIR}" "${TMP_DIRECTORY}"/actual_maildir

I would prefer to put the whole second argument inside the quotes, not
just the variable.

>  
>  mkdir "${MAIL_DIR}"
> -ln -s "$PWD"/actual_maildir "${MAIL_DIR}"/symlink
> +ln -s "${TMP_DIRECTORY}"/actual_maildir "${MAIL_DIR}"/symlink

Same.

>  
>  output=$(NOTMUCH_NEW)
>  test_expect_equal "$output" "Added 1 new message to the database."
> @@ -128,7 +128,7 @@ test_expect_equal "$output" "Added 1 new message to the database."
>  
>  test_begin_subtest "New symlink to a file"
>  generate_message
> -external_msg_filename="$PWD"/external/"$(basename "$gen_msg_filename")"
> +external_msg_filename="${TMP_DIRECTORY}"/external/"$(basename "$gen_msg_filename")"

And here as well.  The quotes around "/external/" can just be removed.

Regards,
  Dmitry

>  mkdir -p "$(dirname "$external_msg_filename")"
>  mv "$gen_msg_filename" "$external_msg_filename"
>  ln -s "$external_msg_filename" "$gen_msg_filename"
> -- 
> 1.7.8.1

Re: [PATCH] test: replace occurrences of $PWD with vars that are more stable

[Pieter Praet]

On Thu, 02 Feb 2012 03:09:39 +0400, Dmitry Kurochkin <dmitry.kurochkin@gmail.com> wrote:
> [...]
> I would prefer to put the whole second argument inside the quotes, not
> just the variable.
> [...]
> 

I felt the same way initially, but then decided to leave the extra
quotes in place because the resulting fontification helps differentiate
between the vars and actual strings.

I assume that was the reason for the extra quotes' presence in the first
place?  I might be wrong though...

So with that in mind, do I submit a new patch without the quotes, or leave
it as it is?

> Regards,
>   Dmitry
> 
> >  mkdir -p "$(dirname "$external_msg_filename")"
> >  mv "$gen_msg_filename" "$external_msg_filename"
> >  ln -s "$external_msg_filename" "$gen_msg_filename"
> > -- 
> > 1.7.8.1


Peace

-- 
Pieter

Re: [PATCH] test: replace occurrences of $PWD with vars that are more stable

[Dmitry Kurochkin]

On Fri, 03 Feb 2012 11:20:58 +0100, Pieter Praet <pieter@praet.org> wrote:
> On Thu, 02 Feb 2012 03:09:39 +0400, Dmitry Kurochkin <dmitry.kurochkin@gmail.com> wrote:
> > [...]
> > I would prefer to put the whole second argument inside the quotes, not
> > just the variable.
> > [...]
> > 
> 
> I felt the same way initially, but then decided to leave the extra
> quotes in place because the resulting fontification helps differentiate
> between the vars and actual strings.
> 

I still prefer it without quotes.

> I assume that was the reason for the extra quotes' presence in the first
> place?  I might be wrong though...
> 

Interesting theory.

> So with that in mind, do I submit a new patch without the quotes, or leave
> it as it is?
> 

I would not insist on another patch, taking into account that it was
this way already.

Regards,
  Dmitry

> > Regards,
> >   Dmitry
> > 
> > >  mkdir -p "$(dirname "$external_msg_filename")"
> > >  mv "$gen_msg_filename" "$external_msg_filename"
> > >  ln -s "$external_msg_filename" "$gen_msg_filename"
> > > -- 
> > > 1.7.8.1
> 
> 
> Peace
> 
> -- 
> Pieter

Re: [PATCH] test: replace occurrences of $PWD with vars that are more stable

[David Bremner]

On Wed,  1 Feb 2012 21:37:21 +0100, Pieter Praet <pieter@praet.org> wrote:
> Thanks to Dmitry Kurochkin <dmitry.kurochkin@gmail.com>
> for pointing this out:  id:"87d39ymyb4.fsf@gmail.com"

Pushed.

d

(no subject)

[David Bremner]

I rebased these against branch release (and copied a comment from
aaron's email), but the test fails there, as does the reply within emacs test.

FAIL   Reply within emacs
	--- emacs.24.expected	2012-02-02 03:55:14.000000000 +0000
	+++ emacs.24.output	2012-02-02 03:55:14.000000000 +0000
	@@ -1,8 +1,4 @@
	 From: Notmuch Test Suite <test_suite@notmuchmail.org>
	-To: user@example.com
	-Subject: Re: Testing message sent via SMTP
	-In-Reply-To: <XXX>
	-Fcc: /home/bremner/software/upstream/notmuch/test/tmp.emacs/mail/sent
	+To: 
	+Subject: 
	 --text follows this line--
	-On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
	-> This is a test that messages are sent via SMTP
*ERROR*: Wrong type argument: integer-or-marker-p, nil
 FAIL   Quote MML tags in reply
	--- emacs.25.expected	2012-02-02 03:55:15.000000000 +0000
	+++ emacs.25.output	2012-02-02 03:55:15.000000000 +0000
	@@ -1,7 +1,4 @@
	 From: Notmuch Test Suite <test_suite@notmuchmail.org>
	 To: 
	-Subject: Re: Quote MML tags in reply
	-In-Reply-To: <test-emacs-mml-quoting@message.id>
	+Subject: 
	 --text follows this line--
	-On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
	-> <#!part disposition=inline>
*ERROR*: Wrong type argument: integer-or-marker-p, nil

[PATCH v4 1/2] test: add tests for quoting of MML tags in replies

[David Bremner]

From: Aaron Ecay <aaronecay@gmail.com>

The test is broken at this time; the next commit will introduce a fix.
---
 test/emacs                                    |   12 ++++++++++++
 test/emacs.expected-output/quote-mml-in-reply |    7 +++++++
 2 files changed, 19 insertions(+), 0 deletions(-)
 create mode 100644 test/emacs.expected-output/quote-mml-in-reply

diff --git a/test/emacs b/test/emacs
index f36718e..2a2ce28 100755
--- a/test/emacs
+++ b/test/emacs
@@ -273,6 +273,18 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> w
 EOF
 test_expect_equal_file OUTPUT EXPECTED
 
+test_begin_subtest "Quote MML tags in reply"
+test_subtest_known_broken
+message_id='test-emacs-mml-quoting@message.id'
+add_message [id]="$message_id" \
+	    "[subject]='$test_subtest_name'" \
+	    '[body]="<#part disposition=inline>"'
+test_emacs "(let ((notmuch-fcc-dirs nil))
+	      (notmuch-show \"id:$message_id\")
+	      (notmuch-show-reply)
+	      (test-output))"
+test_expect_equal_file OUTPUT "$EXPECTED/quote-mml-in-reply"
+
 test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments"
 # save as archive to test that Emacs does not re-compress .gz
 test_emacs '(let ((standard-input "\"attachment1.gz\""))
diff --git a/test/emacs.expected-output/quote-mml-in-reply b/test/emacs.expected-output/quote-mml-in-reply
new file mode 100644
index 0000000..adec92a
--- /dev/null
+++ b/test/emacs.expected-output/quote-mml-in-reply
@@ -0,0 +1,7 @@
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: 
+Subject: Re: Quote MML tags in reply
+In-Reply-To: <test-emacs-mml-quoting@message.id>
+--text follows this line--
+On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
+> <#!part disposition=inline>
-- 
1.7.8.3

[PATCH v4 2/2] emacs: quote MML tags in replies

[David Bremner]

From: Aaron Ecay <aaronecay@gmail.com>

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail.  If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.

Using point-max would include the signature in the quoting as well.
It would probably be fairly odd to want to put an MML tag in one’s
signature, but that doesn’t mean that we should break that usage.
---
 NEWS                 |   11 +++++++++++
 emacs/notmuch-mua.el |    7 ++++++-
 test/emacs           |    1 -
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 3d2c2a8..a089e67 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,17 @@ Fix error handling in python bindings.
   exceptions to indicate the error condition. Any subsequent calls
   into libnotmuch caused segmentation faults.
 
+Quote MML tags in replies
+
+  MML tags are text codes that Emacs uses to indicate attachments
+  (among other things) in messages being composed.  The Emacs
+  interface did not quote MML tags in the quoted text of a reply.
+  User could be tricked into replying to a maliciously formatted
+  message and not editing out the MML tags from the quoted text.  This
+  could lead to files from the user's machine being attached to the
+  outgoing message.  The Emacs interface now quotes these tags in
+  reply text, so that they do not effect outgoing messages.
+
 
 Notmuch 0.11 (2012-01-13)
 =========================
diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 7114e48..768b693 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -111,7 +111,12 @@ list."
     (insert body))
   (set-buffer-modified-p nil)
 
-  (message-goto-body))
+  (message-goto-body)
+  ;; Original message may contain (malicious) MML tags.  We must
+  ;; properly quote them in the reply.  Note that using `point-max'
+  ;; instead of `mark' here is wrong.  The buffer may include user's
+  ;; signature which should not be MML-quoted.
+  (mml-quote-region (point) (mark)))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
diff --git a/test/emacs b/test/emacs
index 2a2ce28..de100c5 100755
--- a/test/emacs
+++ b/test/emacs
@@ -274,7 +274,6 @@ EOF
 test_expect_equal_file OUTPUT EXPECTED
 
 test_begin_subtest "Quote MML tags in reply"
-test_subtest_known_broken
 message_id='test-emacs-mml-quoting@message.id'
 add_message [id]="$message_id" \
 	    "[subject]='$test_subtest_name'" \
-- 
1.7.8.3

Re:

[Pieter Praet]

On Thu,  2 Feb 2012 00:01:31 -0400, David Bremner <david@tethera.net> wrote:
> I rebased these against branch release (and copied a comment from
> aaron's email), but the test fails there, as does the reply within emacs test.
> 

Same issue here.


That mark was introduced in commit 03146f20, so isn't available in the
release branch yet.  Let's just use `point-max' instead, merge 'release'
into 'master', and change it back to `mark' there.  It's better to break
MML tags in the user's sig for a little while than leave this security
hole wide open.


Same issue wrt commit 66ecd906;  the citation line should still be:
  On Tue, 05 Jan 2001 15:43:57 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
instead of:
  On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:


Fixed patches follow, including a post-merge fix.


> FAIL   Reply within emacs
> 	--- emacs.24.expected	2012-02-02 03:55:14.000000000 +0000
> 	+++ emacs.24.output	2012-02-02 03:55:14.000000000 +0000
> 	@@ -1,8 +1,4 @@
> 	 From: Notmuch Test Suite <test_suite@notmuchmail.org>
> 	-To: user@example.com
> 	-Subject: Re: Testing message sent via SMTP
> 	-In-Reply-To: <XXX>
> 	-Fcc: /home/bremner/software/upstream/notmuch/test/tmp.emacs/mail/sent
> 	+To: 
> 	+Subject: 
> 	 --text follows this line--
> 	-On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
> 	-> This is a test that messages are sent via SMTP
> *ERROR*: Wrong type argument: integer-or-marker-p, nil
>  FAIL   Quote MML tags in reply
> 	--- emacs.25.expected	2012-02-02 03:55:15.000000000 +0000
> 	+++ emacs.25.output	2012-02-02 03:55:15.000000000 +0000
> 	@@ -1,7 +1,4 @@
> 	 From: Notmuch Test Suite <test_suite@notmuchmail.org>
> 	 To: 
> 	-Subject: Re: Quote MML tags in reply
> 	-In-Reply-To: <test-emacs-mml-quoting@message.id>
> 	+Subject: 
> 	 --text follows this line--
> 	-On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
> 	-> <#!part disposition=inline>
> *ERROR*: Wrong type argument: integer-or-marker-p, nil
> 
> 
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch


Peace

-- 
Pieter

[PATCH v6 1/3] test: add tests for quoting of MML tags in replies

[Pieter Praet]

From: Aaron Ecay <aaronecay@gmail.com>

The test is broken at this time; the next commit will introduce a fix.

Edited-by: Pieter Praet <pieter@praet.org>:
  Rebased to release branch, moved expected output into the actual test,
  and fixed "Fcc:" line.
---
 test/emacs |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/test/emacs b/test/emacs
index f36718e..db8e4ad 100755
--- a/test/emacs
+++ b/test/emacs
@@ -273,6 +273,27 @@ On 01 Jan 2000 12:00:00 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> w
 EOF
 test_expect_equal_file OUTPUT EXPECTED
 
+test_begin_subtest "Quote MML tags in reply"
+test_subtest_known_broken
+message_id='test-emacs-mml-quoting@message.id'
+add_message [id]="$message_id" \
+	    "[subject]='$test_subtest_name'" \
+	    '[body]="<#part disposition=inline>"'
+test_emacs "(notmuch-show \"id:$message_id\")
+	      (notmuch-show-reply)
+	      (test-output)"
+cat <<EOF >EXPECTED
+From: Notmuch Test Suite <test_suite@notmuchmail.org>
+To: 
+Subject: Re: Quote MML tags in reply
+In-Reply-To: <test-emacs-mml-quoting@message.id>
+Fcc: ${MAIL_DIR}/sent
+--text follows this line--
+On Tue, 05 Jan 2001 15:43:57 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
+> <#!part disposition=inline>
+EOF
+test_expect_equal_file OUTPUT EXPECTED
+
 test_begin_subtest "Save attachment from within emacs using notmuch-show-save-attachments"
 # save as archive to test that Emacs does not re-compress .gz
 test_emacs '(let ((standard-input "\"attachment1.gz\""))
-- 
1.7.8.1

[PATCH v6 2/3] emacs: quote MML tags in replies

[Pieter Praet]

From: Aaron Ecay <aaronecay@gmail.com>

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail.  If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.

Edited-by: Pieter Praet <pieter@praet.org>:  Rebased to release branch.
---
 NEWS                 |   11 +++++++++++
 emacs/notmuch-mua.el |    7 ++++++-
 test/emacs           |    1 -
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 3d2c2a8..a089e67 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,17 @@ Fix error handling in python bindings.
   exceptions to indicate the error condition. Any subsequent calls
   into libnotmuch caused segmentation faults.
 
+Quote MML tags in replies
+
+  MML tags are text codes that Emacs uses to indicate attachments
+  (among other things) in messages being composed.  The Emacs
+  interface did not quote MML tags in the quoted text of a reply.
+  User could be tricked into replying to a maliciously formatted
+  message and not editing out the MML tags from the quoted text.  This
+  could lead to files from the user's machine being attached to the
+  outgoing message.  The Emacs interface now quotes these tags in
+  reply text, so that they do not effect outgoing messages.
+
 
 Notmuch 0.11 (2012-01-13)
 =========================
diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 7114e48..3e93d7c 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -111,7 +111,12 @@ list."
     (insert body))
   (set-buffer-modified-p nil)
 
-  (message-goto-body))
+  (message-goto-body)
+  ;; Original message may contain (malicious) MML tags.  We must
+  ;; properly quote them in the reply.  Note that using `point-max'
+  ;; instead of `mark' here is wrong.  The buffer may include user's
+  ;; signature which should not be MML-quoted.
+  (mml-quote-region (point) (point-max)))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
diff --git a/test/emacs b/test/emacs
index db8e4ad..2d066ed 100755
--- a/test/emacs
+++ b/test/emacs
@@ -274,7 +274,6 @@ EOF
 test_expect_equal_file OUTPUT EXPECTED
 
 test_begin_subtest "Quote MML tags in reply"
-test_subtest_known_broken
 message_id='test-emacs-mml-quoting@message.id'
 add_message [id]="$message_id" \
 	    "[subject]='$test_subtest_name'" \
-- 
1.7.8.1

[PATCH v6 3/3] post-merge fixes

[Pieter Praet]

---
 emacs/notmuch-mua.el |    2 +-
 test/emacs           |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 3e93d7c..768b693 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -116,7 +116,7 @@ list."
   ;; properly quote them in the reply.  Note that using `point-max'
   ;; instead of `mark' here is wrong.  The buffer may include user's
   ;; signature which should not be MML-quoted.
-  (mml-quote-region (point) (point-max)))
+  (mml-quote-region (point) (mark)))
 
 (defun notmuch-mua-forward-message ()
   (message-forward)
diff --git a/test/emacs b/test/emacs
index 2d066ed..f4955fe 100755
--- a/test/emacs
+++ b/test/emacs
@@ -288,7 +288,7 @@ Subject: Re: Quote MML tags in reply
 In-Reply-To: <test-emacs-mml-quoting@message.id>
 Fcc: ${MAIL_DIR}/sent
 --text follows this line--
-On Tue, 05 Jan 2001 15:43:57 -0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
+On Fri, 05 Jan 2001 15:43:57 +0000, Notmuch Test Suite <test_suite@notmuchmail.org> wrote:
 > <#!part disposition=inline>
 EOF
 test_expect_equal_file OUTPUT EXPECTED
-- 
1.7.8.1

Re: [PATCH v6 3/3] post-merge fixes

[David Bremner]

On Fri,  3 Feb 2012 11:24:09 +0100, Pieter Praet <pieter@praet.org> wrote:
> ---
>  emacs/notmuch-mua.el |    2 +-
>  test/emacs           |    2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

split into two commits and pushed,

d

Re: MML Quoting patches.

[David Bremner]

On Fri, 03 Feb 2012 11:22:25 +0100, Pieter Praet <pieter@praet.org> wrote:

> That mark was introduced in commit 03146f20, so isn't available in the
> release branch yet.  Let's just use `point-max' instead, merge 'release'
> into 'master', and change it back to `mark' there.  It's better to break
> MML tags in the user's sig for a little while than leave this security
> hole wide open.

Thanks Pieter.

I have pushed these both to release.

I'll have a look at the 3rd patch when I merge into master (after
release is tagged).  At a glance, I suspect it would be better off to
make it real commit with a real commit message, since it does change
functionality.

d

Re: MML Quoting patches.

[Pieter Praet]

On Fri, 03 Feb 2012 08:54:48 -0400, David Bremner <david@tethera.net> wrote:
> On Fri, 03 Feb 2012 11:22:25 +0100, Pieter Praet <pieter@praet.org> wrote:
> 
> > That mark was introduced in commit 03146f20, so isn't available in the
> > release branch yet.  Let's just use `point-max' instead, merge 'release'
> > into 'master', and change it back to `mark' there.  It's better to break
> > MML tags in the user's sig for a little while than leave this security
> > hole wide open.
> 
> Thanks Pieter.
> 
> I have pushed these both to release.
> 

Thanks to you as well!


> I'll have a look at the 3rd patch when I merge into master (after
> release is tagged).  At a glance, I suspect it would be better off to
> make it real commit with a real commit message, since it does change
> functionality.
> 

Agreed.


> d
> 


Peace

-- 
Pieter