|
From: | Max Nikulin |
Subject: | bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links |
Date: | Wed, 15 Jun 2022 23:14:51 +0700 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 |
On 14/06/2022 23:27, Robert Pluim wrote:
On Tue, 14 Jun 2022 23:11:45 +0700, Max Nikulin said:Max> Unsure if it is possible to do something really weird through a Max> specially crafted mailto: link (by adding some special headers), but Max> it looks like it is possible to add something that sender may not like Max> to see in its message. So it is better to sanitize input link Max> parameters that are used to generate headers. Iʼm not aware of any code in Emacs that calls `eval' or similar on parameters passed to `browse-url' or `message-mailto', but you never know. Donʼt use Emacs to connect to your bank's website :-)
Actually I did not thought about eval as elisp. I do not like shell command in emacsclient-mail.desktop, but this time I wrote about adding something suspicious to email messages. However there no way to protect against honeypots as Cc aimed to put sender into spammer blocking lists.
I think Lars' changes here are enough.
I thank Lars for the fix.There is e.g. References header for the same purpose of proper threading, but it may contain list of Message-IDs and there is no example of improper format at some site.
I expected something more general e.g. similar to file local variables that may be safe or not and sanitizer map for particular headers. It may be postponed till next bug report.
[Prev in Thread] | Current Thread | [Next in Thread] |