From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 06 08:42:56 2021 Received: (at submit) by debbugs.gnu.org; 6 Apr 2021 12:42:56 +0000 Received: from localhost ([127.0.0.1]:39498 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTl2m-00047A-7U for submit@debbugs.gnu.org; Tue, 06 Apr 2021 08:42:56 -0400 Received: from lists.gnu.org ([209.51.188.17]:41588) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTl2j-000471-Tc for submit@debbugs.gnu.org; Tue, 06 Apr 2021 08:42:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40830) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTl2j-0004K9-Lr for bug-gnu-emacs@gnu.org; Tue, 06 Apr 2021 08:42:53 -0400 Received: from smtp-clients1.isti.cnr.it ([146.48.28.36]:45836) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lTl2g-0005bj-Ep for bug-gnu-emacs@gnu.org; Tue, 06 Apr 2021 08:42:53 -0400 Received: from tucano.isti.cnr.it (tucano.isti.cnr.it [146.48.81.102]) (Authenticated sender: pot) by smtp-clients1.isti.cnr.it (Postfix) with ESMTPSA id 63D67B0820 for ; Tue, 6 Apr 2021 14:42:44 +0200 (CEST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.0 at smtp-out.isti.cnr.it Message-Id: <87v98z60u4.fsf@tucano.isti.cnr.it> From: =?utf-8?Q?Francesco_Potort=C3=AC?= Date: Tue, 06 Apr 2021 14:42:41 +0200 To: bug-gnu-emacs@gnu.org Subject: 27.1; hardening mail-envelope-from Organization: The GNU project X-fingerprint: 4B02 6187 5C03 D6B1 2E31 7666 09DF 2DC9 BE21 6115 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Received-SPF: softfail client-ip=146.48.28.36; envelope-from=pot@gnu.org; helo=smtp-clients1.isti.cnr.it X-Spam_score_int: -11 X-Spam_score: -1.2 X-Spam_bar: - X-Spam_report: (-1.2 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665 autolearn=no autolearn_force=no X-Spam_action: no action X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) in mail-utils.el the function mail-fetch-field thus notes in the doc string: The buffer should be narrowed to just the header, else false matches may be returned from the message body. In fact, both sendmail-send-it and smtp-send-it use mail-envelope-from, which calls mail-fetch-field without narrowing, which in fact causes a false match if: - you forward a message with "From: " at begining of line - message-forward-as-mime is nil - mail-specify-envelope-from is t - mail-envelope-from is 'header In this case, both sendmail-send-it and smptmail-send-it try to see if they should set the From: field and the sender, and both get a false match from mail-envelope-from. Apparently, the problem with sendmail-send-it is corrected later in the code (I don't know where) so the mail is sent correctly, which is why I had never realised this until I started using smtpmail-send-it, which sets a wrong From: header copied from the forwarded message. Hardening mail-envelope-from from sendmail.el by narrowing to the headers, as the doc says, corrects the problem that I observed. (defun mail-envelope-from () "Return the envelope mail address to use when sending mail. This function uses `mail-envelope-from'." (or (if (eq mail-envelope-from 'header) (nth 1 (mail-extract-address-components (save-restriction (save-excursion (goto-char (point-max)) (re-search-backward (concat "^" (regexp-quote mail-header-separator) "\n") nil t) (narrow-to-region (point-min) (point)) (mail-fetch-field "From"))))) mail-envelope-from) user-mail-address)) This introduces a small semantic change for the meaning of the mail-envelope-from variable. Currently, the docs says: If non-nil, designate the envelope-from address when sending mail. This only has an effect if `mail-specify-envelope-from’ is non-nil. The value should be either a string, or the symbol `header’ (in which case the contents of the "From" header of the message being sent is used), or nil (in which case the value of ‘user-mail-address’ is used). The last two lines should be instead: ... being sent is used, if one exists). If the value is nil, or if it is `header' and no "From" header is found in the message, the value of ‘user-mail-address’ is used. From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 07 11:06:11 2021 Received: (at submit) by debbugs.gnu.org; 7 Apr 2021 15:06:11 +0000 Received: from localhost ([127.0.0.1]:45020 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lU9kw-0005Wz-OC for submit@debbugs.gnu.org; Wed, 07 Apr 2021 11:06:11 -0400 Received: from lists.gnu.org ([209.51.188.17]:49670) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lU9kv-0005Ws-Dr for submit@debbugs.gnu.org; Wed, 07 Apr 2021 11:06:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:53670) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lU9kv-000538-0E for bug-gnu-emacs@gnu.org; Wed, 07 Apr 2021 11:06:09 -0400 Received: from plesklin7.if1.ehiweb.it ([2a01:b600:1:61::1]:59195) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lU9kp-0008FZ-DP for bug-gnu-emacs@gnu.org; Wed, 07 Apr 2021 11:06:05 -0400 Received: from tucano.isti.cnr.it (tucano.isti.cnr.it [146.48.81.102]) by plesklin7.if1.ehiweb.it (Postfix) with ESMTPSA id 08112100794 for ; Wed, 7 Apr 2021 17:05:58 +0200 (CEST) Message-Id: <871rbm2kyy.fsf@tucano.isti.cnr.it> From: =?utf-8?Q?Francesco_Potort=C3=AC?= Date: Wed, 07 Apr 2021 17:05:57 +0200 To: bug-gnu-emacs@gnu.org In-Reply-To: <87v98z60u4.fsf@tucano.isti.cnr.it> (pot@gnu.org) Subject: Re: 27.1; hardening mail-envelope-from References: <87v98z60u4.fsf@tucano.isti.cnr.it> Organization: The GNU project X-fingerprint: 4B02 6187 5C03 D6B1 2E31 7666 09DF 2DC9 BE21 6115 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-PPP-Message-ID: <20210407150558.6363.37929@plesklin7.if1.ehiweb.it> X-PPP-Vhost: potorti.it Received-SPF: softfail client-ip=2a01:b600:1:61::1; envelope-from=pot@gnu.org; helo=plesklin7.if1.ehiweb.it X-Spam_score_int: -11 X-Spam_score: -1.2 X-Spam_bar: - X-Spam_report: (-1.2 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665 autolearn=no autolearn_force=no X-Spam_action: no action X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) >(defun mail-envelope-from () > "Return the envelope mail address to use when sending mail. >This function uses `mail-envelope-from'." > (or (if (eq mail-envelope-from 'header) > (nth 1 (mail-extract-address-components > (save-restriction > (save-excursion > (goto-char (point-max)) > (re-search-backward > (concat "^" (regexp-quote mail-header-separator) "\n") > nil t) > (narrow-to-region (point-min) (point)) > (mail-fetch-field "From"))))) > mail-envelope-from) > user-mail-address)) This one is better (I had forgotten about mail-header-end) (require 'sendmail) (defun mail-envelope-from () "Return the envelope mail address to use when sending mail. This function uses `mail-envelope-from'." (or (if (eq mail-envelope-from 'header) (let ((from-field (save-restriction (narrow-to-region (point-min) (mail-header-end)) (mail-fetch-field "From")))) (when from-field (nth 1 (mail-extract-address-components from-field)))) mail-envelope-from) user-mail-address)) From debbugs-submit-bounces@debbugs.gnu.org Thu May 06 06:23:04 2021 Received: (at 47616) by debbugs.gnu.org; 6 May 2021 10:23:04 +0000 Received: from localhost ([127.0.0.1]:37243 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leb9s-0006Gu-Cg for submit@debbugs.gnu.org; Thu, 06 May 2021 06:23:04 -0400 Received: from quimby.gnus.org ([95.216.78.240]:46736) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leb9q-0006GK-HA for 47616@debbugs.gnu.org; Thu, 06 May 2021 06:23:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnus.org; s=20200322; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID :In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=/6hTZoOT8+gFB3a3cLQ4/YihYoGDXBKvUpjvDzWsynA=; b=Rv++jk0j/fGPgSGjQz/SpUf6JN EZHWeI1u7c3ufqj35OGGtIoN1Fu4/N2vbLC0rtg7bcO53dz9KOmAn2ynfvJU3l6rEtuWvpr4/8AU0 9IY+pD6OL3+jNCtyIwehduQ4+OZhcrEOlEybh8SqWmooiJKN4ANA6B8GCzr5iilw6RDk=; Received: from cm-84.212.220.105.getinternet.no ([84.212.220.105] helo=xo) by quimby.gnus.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1leb9h-0005xR-Sg; Thu, 06 May 2021 12:22:56 +0200 From: Lars Ingebrigtsen To: Francesco =?utf-8?Q?Potort=C3=AC?= Subject: Re: bug#47616: 27.1; hardening mail-envelope-from References: <87v98z60u4.fsf@tucano.isti.cnr.it> X-Now-Playing: Nico's _Do Or Die_: "Saeta" Date: Thu, 06 May 2021 12:22:53 +0200 In-Reply-To: <87v98z60u4.fsf@tucano.isti.cnr.it> ("Francesco =?utf-8?Q?Pot?= =?utf-8?Q?ort=C3=AC=22's?= message of "Tue, 06 Apr 2021 14:42:41 +0200") Message-ID: <87h7jgxite.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Francesco Potortì writes: > Hardening mail-envelope-from from sendmail.el by narrowing to the > headers, as the doc says, corrects the problem that I observed. Thanks -- I don't think we should change mail-envelope-from itself here, because it may conceivably be called from other contexts. Instead the callers in sendmail/smtpmail should be altered to narrow [...] Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 47616 Cc: 47616@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Francesco Potort=C3=AC writes: > Hardening mail-envelope-from from sendmail.el by narrowing to the > headers, as the doc says, corrects the problem that I observed. Thanks -- I don't think we should change mail-envelope-from itself here, because it may conceivably be called from other contexts. Instead the callers in sendmail/smtpmail should be altered to narrow to the headers before calling it, and I've now done this in Emacs 28. (This uncovered a similar bug in smtpmail.el, too.) --=20 (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Thu May 06 06:23:07 2021 Received: (at control) by debbugs.gnu.org; 6 May 2021 10:23:07 +0000 Received: from localhost ([127.0.0.1]:37246 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leb9v-0006H6-KX for submit@debbugs.gnu.org; Thu, 06 May 2021 06:23:07 -0400 Received: from quimby.gnus.org ([95.216.78.240]:46750) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leb9u-0006GL-5y for control@debbugs.gnu.org; Thu, 06 May 2021 06:23:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnus.org; s=20200322; h=Subject:From:To:Message-Id:Date:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=+OUKKPI6mFsTi/PeNKVe+iKQCq4coqd3Q8ViGsPMTAA=; b=R5jRagS2BzMtvI8fK8eUph5mpm 0BL4/BNxcLnNcupIoTytRxGNY3gwfYPPGJ2ttzJIGDfIta4kK3twe7XWrVsJQbndxYsGzgOFR7fBv reSIQKDZJLqRxJ9PQ2D6lkZvBx5aMHuEII0JGop1joLeq82fzGCfqo+7DCo83xFbvqhM=; Received: from cm-84.212.220.105.getinternet.no ([84.212.220.105] helo=xo) by quimby.gnus.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1leb9m-0005xY-PG for control@debbugs.gnu.org; Thu, 06 May 2021 12:23:00 +0200 Date: Thu, 06 May 2021 12:22:58 +0200 Message-Id: <87fsz0xit9.fsf@gnus.org> To: control@debbugs.gnu.org From: Lars Ingebrigtsen Subject: control message for bug #47616 X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: tags 47616 fixed close 47616 28.1 quit Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) tags 47616 fixed close 47616 28.1 quit From debbugs-submit-bounces@debbugs.gnu.org Thu May 06 08:16:35 2021 Received: (at 47616) by debbugs.gnu.org; 6 May 2021 12:16:35 +0000 Received: from localhost ([127.0.0.1]:37494 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lecvj-0005NL-79 for submit@debbugs.gnu.org; Thu, 06 May 2021 08:16:35 -0400 Received: from plesklin7.if2.ehiweb.it ([79.98.45.17]:60850 helo=plesklin7.if1.ehiweb.it) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lecvg-0005JS-1X for 47616@debbugs.gnu.org; Thu, 06 May 2021 08:16:33 -0400 Received: from tucano.isti.cnr.it (tucano.isti.cnr.it [146.48.81.102]) by plesklin7.if1.ehiweb.it (Postfix) with ESMTPSA id C36001004E7; Thu, 6 May 2021 14:16:29 +0200 (CEST) Message-Id: <87a6p8ukf6.fsf@tucano.isti.cnr.it> From: =?utf-8?Q?Francesco_Potort=C3=AC?= Date: Thu, 06 May 2021 14:16:29 +0200 To: Lars Ingebrigtsen In-Reply-To: <87h7jgxite.fsf@gnus.org> (larsi@gnus.org) Subject: Re: bug#47616: 27.1; hardening mail-envelope-from References: <87v98z60u4.fsf@tucano.isti.cnr.it> <87h7jgxite.fsf@gnus.org> Organization: The GNU project X-fingerprint: 4B02 6187 5C03 D6B1 2E31 7666 09DF 2DC9 BE21 6115 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-PPP-Message-ID: <20210506121629.29219.85691@plesklin7.if1.ehiweb.it> X-PPP-Vhost: potorti.it X-Spam-Score: 1.4 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: >Francesco Potortì writes: >> Hardening mail-envelope-from from sendmail.el by narrowing to the >> headers, as the doc says, corrects the problem that I observed. > >Thanks -- I don't t [...] Content analysis details: (1.4 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [79.98.45.17 listed in wl.mailspike.net] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders 0.4 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS X-Debbugs-Envelope-To: 47616 Cc: 47616@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) >Francesco Potortì writes: >> Hardening mail-envelope-from from sendmail.el by narrowing to the >> headers, as the doc says, corrects the problem that I observed. > >Thanks -- I don't think we should change mail-envelope-from itself here, >because it may conceivably be called from other contexts. Instead the >callers in sendmail/smtpmail should be altered to narrow to the headers >before calling it, and I've now done this in Emacs 28. (This uncovered >a similar bug in smtpmail.el, too.) That makes sense, in principle. I would argue for adding a comment to mail-envelope-from stating that since it calls mail-fetch-field it should be called only after narrowing to the headers. Or maybe even adding a note in the doc string, as done in mail-fetch-field. From debbugs-submit-bounces@debbugs.gnu.org Fri May 07 07:17:37 2021 Received: (at 47616) by debbugs.gnu.org; 7 May 2021 11:17:38 +0000 Received: from localhost ([127.0.0.1]:43279 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leyUD-0003OY-OS for submit@debbugs.gnu.org; Fri, 07 May 2021 07:17:37 -0400 Received: from quimby.gnus.org ([95.216.78.240]:59250) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leyUB-0003OS-Sr for 47616@debbugs.gnu.org; Fri, 07 May 2021 07:17:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnus.org; s=20200322; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID :In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=9fBYMv0u+PlELAXhGUBYO6iS/bOHjaDNP3W8QMqXLqc=; b=gKuNzr/ORucFvSydtitZPZn/1q ZYnMeO4XiGAu5Pz5HPWLjhn4Ve79STaQiAE7FX+OUHDPIwGS9vxqt+idqCfOLiZDfNXnskvJYcHdk 1d6PCMnO0rNMQIkAPpbvoLSk/W1bwcu/bIKaYd/H8GRZatcYdx2/yNHwjPUkPubs00F0=; Received: from cm-84.212.220.105.getinternet.no ([84.212.220.105] helo=xo) by quimby.gnus.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1leyU3-0006kC-Ss; Fri, 07 May 2021 13:17:30 +0200 From: Lars Ingebrigtsen To: Francesco =?utf-8?Q?Potort=C3=AC?= Subject: Re: bug#47616: 27.1; hardening mail-envelope-from References: <87v98z60u4.fsf@tucano.isti.cnr.it> <87h7jgxite.fsf@gnus.org> <87a6p8ukf6.fsf@tucano.isti.cnr.it> Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwAgMAAAAqbBEUAAAAIGNIUk0AAHomAACAhAAA+gAA AIDoAAB1MAAA6mAAADqYAAAXcJy6UTwAAAAMUExURZFsZ76Zl042MP///9rG5v0AAAABYktHRAMR DEzyAAAACXBIWXMAAFxGAABcRgEUlENBAAAAB3RJTUUH5QUHCwwSjDNG/QAAAF50RVh0UmF3IHBy b2ZpbGUgdHlwZSA4YmltAAo4YmltCiAgICAgIDI4CjM4NDI0OTRkMDNlZDAwMDAwMDAwMDAxMDAy NTgwMDAwMDAwMTAwMDEwMjU4MDAwMDAwMDEwMDAxChDG9fMAAAFJSURBVCjPbdDNasJAEAfw6WIl 7ElLc7CnWlqRfQopKnRPaUgEPRfBPsUqCrI3SwvqKQlWNvOUnc33oXtI9sf+Z7IZgHrdNvbAmtBN iMZeIXTo1YqyEoQQwGHGghMC4Ho4KhCOhMnCwiJA41mgxQwjb1PCR+Ub28xCIiY4pHrbjZ6IDtUT PE4HdIIWI4dfEQ3L0d5+U8yGIYCn34DywoK+nMqsR45YSjQFWCyzhjmMwCKGRXGOxsqg/8dWX+vY dnGpYEI/rrALZ2nV2qUZsBIBTWdTYtzx6tYd8CjG6aKCw33X+2hh8DM49V4J7uCCKzk9pALcd/dl jOPP9nm+gF7XXV5w+rA8HxC+Dmwykatd/23u21uLpPELNaJE6UdIIg2cw+b5BmLF9XGlJUQnuFuv E90+Etg+2vc5U0NHUYwKy8GBQSUqICpe4g/cmeV5+ShmDAAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAy MS0wNS0wN1QxMToxMjoxOCswMDowMKJgDgoAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjEtMDUtMDdU MTE6MTI6MTgrMDA6MDDTPba2AAAAAElFTkSuQmCC X-Now-Playing: Mikel Rouse's _Swingers Castle_: "LA Continental" Date: Fri, 07 May 2021 13:17:27 +0200 In-Reply-To: <87a6p8ukf6.fsf@tucano.isti.cnr.it> ("Francesco =?utf-8?Q?Pot?= =?utf-8?Q?ort=C3=AC=22's?= message of "Thu, 06 May 2021 14:16:29 +0200") Message-ID: <877dkavlmg.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Francesco Potortì writes: > That makes sense, in principle. I would argue for adding a comment to > mail-envelope-from stating that since it calls mail-fetch-field it > should be called only after narrowing to the headers. Or [...] Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 47616 Cc: 47616@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Francesco Potort=C3=AC writes: > That makes sense, in principle. I would argue for adding a comment to > mail-envelope-from stating that since it calls mail-fetch-field it > should be called only after narrowing to the headers. Or maybe even > adding a note in the doc string, as done in mail-fetch-field. Good idea. I've now mentioned this in the doc string in Emacs 28. --=20 (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Fri May 07 07:33:21 2021 Received: (at 47616) by debbugs.gnu.org; 7 May 2021 11:33:21 +0000 Received: from localhost ([127.0.0.1]:43357 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leyjQ-0005i8-Tv for submit@debbugs.gnu.org; Fri, 07 May 2021 07:33:21 -0400 Received: from eggs.gnu.org ([209.51.188.92]:35732) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1leyjP-0005i1-25 for 47616@debbugs.gnu.org; Fri, 07 May 2021 07:33:19 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:38600) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1leyjI-0001cm-S1; Fri, 07 May 2021 07:33:12 -0400 Received: from 84.94.185.95.cable.012.net.il ([84.94.185.95]:4663 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from ) id 1leyjI-0002kf-GY; Fri, 07 May 2021 07:33:12 -0400 Date: Fri, 07 May 2021 14:33:03 +0300 Message-Id: <8335uydbio.fsf@gnu.org> From: Eli Zaretskii To: Lars Ingebrigtsen In-Reply-To: <877dkavlmg.fsf@gnus.org> (message from Lars Ingebrigtsen on Fri, 07 May 2021 13:17:27 +0200) Subject: Re: bug#47616: 27.1; hardening mail-envelope-from References: <87v98z60u4.fsf@tucano.isti.cnr.it> <87h7jgxite.fsf@gnus.org> <87a6p8ukf6.fsf@tucano.isti.cnr.it> <877dkavlmg.fsf@gnus.org> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 47616 Cc: pot@gnu.org, 47616@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) > From: Lars Ingebrigtsen > Date: Fri, 07 May 2021 13:17:27 +0200 > Cc: 47616@debbugs.gnu.org > > Francesco Potortì writes: > > > That makes sense, in principle. I would argue for adding a comment to > > mail-envelope-from stating that since it calls mail-fetch-field it > > should be called only after narrowing to the headers. Or maybe even > > adding a note in the doc string, as done in mail-fetch-field. > > Good idea. I've now mentioned this in the doc string in Emacs 28. Did you forget to push? From debbugs-submit-bounces@debbugs.gnu.org Fri May 07 08:09:39 2021 Received: (at 47616) by debbugs.gnu.org; 7 May 2021 12:09:39 +0000 Received: from localhost ([127.0.0.1]:43520 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lezIZ-00060Y-Fl for submit@debbugs.gnu.org; Fri, 07 May 2021 08:09:39 -0400 Received: from quimby.gnus.org ([95.216.78.240]:59700) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lezIX-00060S-DZ for 47616@debbugs.gnu.org; Fri, 07 May 2021 08:09:37 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnus.org; s=20200322; h=Content-Type:MIME-Version:Message-ID:In-Reply-To:Date: References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=zyBQCfGXF1nZxlL95Ty+eHeYA5OcIF/qV5by34+h0Zs=; b=pavIQq6M3svloRXA/sZe3GNQmz BRob80/WoMkHFXUxgkKlYAAZl3mj1pRb/4upHN/APUqER+cMqyLzIAJ9ExTAAhMgwroQmaUrJn1JA pmk8bwOPNXIcvdO73xQlaoguEOlLoRBNjmvfTheUo+hkvWJxCDuiN1VnYswLLNGwNWSg=; Received: from cm-84.212.220.105.getinternet.no ([84.212.220.105] helo=xo) by quimby.gnus.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lezIO-0007CH-NH; Fri, 07 May 2021 14:09:31 +0200 From: Lars Ingebrigtsen To: Eli Zaretskii Subject: Re: bug#47616: 27.1; hardening mail-envelope-from References: <87v98z60u4.fsf@tucano.isti.cnr.it> <87h7jgxite.fsf@gnus.org> <87a6p8ukf6.fsf@tucano.isti.cnr.it> <877dkavlmg.fsf@gnus.org> <8335uydbio.fsf@gnu.org> Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwAgMAAAAqbBEUAAAABGdBTUEAALGPC/xhBQAAACBj SFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAADFBMVEVPdZFdlbptgIL/ ///0GPqfAAAAAWJLR0QDEQxM8gAAAAd0SU1FB+UFBwwJFvNmYCQAAAGgSURBVCjPLZDNitRAFIVP itTQk9UoqVk3gtD0U5QyAXGVhroF06tZGLDzFBlxQF0pTBp1FcUakvuUnopWsqivzj33D3AHERvE iXSAFeHNSTyfgAeCBCdnXWCoy4GfJIFmaLOaocuX7GeYNqtHJGbls/w/6QiNfLVyEukXVA+tCwUr Sn9CdT1ZwEmXPbv9sEE5Mk4F83ZD4YkJ+hGfdtXa34+YbglAwZK/qOH3hMFKDDkQX9TgJeu/e0ZY +udV4mt5TUjvjS4SpXC3gu7OPC0ij45dQT9mJY/dCM5/KtXcamTYOFV77UJ9kBX6/SJNjVxH7o+6 OAltPAl+LlGTc9IET9BxqB0X4VuHpOfhMXBxrznPqIkTEAwEsf/mmcl7gzdIfYsMMAno9Gvehwcu Z/RLoOLClblHhgqlC7jQGfz9P1NP5XvRWk8wR3pQBOuttAYbzAUXfYPmxtOAy1ciDYqD1ztu0GYA jJmQVyglMxrl0tkZSmxRz4SiZHNmuxa9KkAo9rBvmQ0IZkAN82HKUF5M9KwJeF5M4BzzbgUzVUyN 4S9NJ6JAQJBMMAAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMS0wNS0wN1QxMjowOToyMiswMDowMAw7 Hl4AAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjEtMDUtMDdUMTI6MDk6MjIrMDA6MDB9ZqbiAAAAAElF TkSuQmCC X-Now-Playing: Bark Psychosis's _Nothing Feels-I Know_: "I Know" Date: Fri, 07 May 2021 14:09:28 +0200 In-Reply-To: <8335uydbio.fsf@gnu.org> (Eli Zaretskii's message of "Fri, 07 May 2021 14:33:03 +0300") Message-ID: <87y2cqu4nb.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Eli Zaretskii writes: > Did you forget to push? Yup. Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 47616 Cc: pot@gnu.org, 47616@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Eli Zaretskii writes: > Did you forget to push? Yup. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From unknown Sat Jun 14 03:57:21 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sat, 05 Jun 2021 11:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator