GNU bug report logs - #55926
29.0.50; message.el does not normalize In-Reply-To field from web links


Package: emacs;

Reported by: Ignacio Casso <ignaciocasso <at> hotmail.com>

Date: Sun, 12 Jun 2022 11:45:02 UTC

Severity: normal

Tags: moreinfo

Found in version 29.0.50

Fixed in version 29.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #36 received at 55926 <at> debbugs.gnu.org (full text, mbox):

From: Robert Pluim <rpluim <at> gmail.com>
To: Max Nikulin <manikulin <at> gmail.com>
Cc: larsi <at> gnus.org, Eli Zaretskii <eliz <at> gnu.org>, 55926 <at> debbugs.gnu.org,
 ignaciocasso <at> hotmail.com
Subject: Re: bug#55926: 29.0.50; message.el does not normalize In-Reply-To
 field from web links
Date: Tue, 14 Jun 2022 18:27:40 +0200

>>>>> On Tue, 14 Jun 2022 23:11:45 +0700, Max Nikulin <manikulin <at> gmail.com> said:

    Max> Unsure if it is possible to do something really weird through a
    Max> specially crafted mailto: link (by adding some special headers), but
    Max> it looks like it is possible to add something that sender may not like
    Max> to see in its message. So it is better to sanitize input link
    Max> parameters that are used to generate headers.

Iʼm not aware of any code in Emacs that calls `eval' or similar on
parameters passed to `browse-url' or `message-mailto', but you never
know. Donʼt use Emacs to connect to your bank's website :-)

I think Lars' changes here are enough.

Robert
-- 
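
The sanitizing step discussed in this message, as an added example that is not part of the thread and is not code from message.el: a Python sketch that turns a mailto: link into header values, drops fields outside an allow-list, collapses CR/LF, and wraps a bare In-Reply-To Message-ID in angle brackets. The function names, the allow-list policy and the sample link are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Fields accepted from a link; everything else is dropped (assumed policy,
# based on the headers RFC 6068 describes as safe).
ALLOWED = {"to", "cc", "subject", "body", "keywords", "in-reply-to"}
MSGID = re.compile(r"<?([^\s<>@]+@[^\s<>@]+)>?")


def clean_value(value):
    """Collapse control characters (CR/LF included) so a value stays on one header line."""
    return re.sub(r"[\x00-\x1f\x7f]+", " ", value).strip()


def normalize_in_reply_to(value):
    """Keep only Message-ID tokens and wrap each in angle brackets."""
    return " ".join(f"<{m.group(1)}>" for m in MSGID.finditer(clean_value(value)))


def headers_from_mailto(url):
    """Return (headers, dropped_field_names) for a mailto: URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    headers, dropped = {}, []
    fields = [("to", parts.path)] if parts.path else []
    # Split by hand: '+' is a literal character in mailto: URLs, not a space.
    fields += [tuple(f.partition("=")[::2]) for f in parts.query.split("&") if f]
    for raw_name, raw_value in fields:
        name, value = unquote(raw_name).lower(), unquote(raw_value)
        if name not in ALLOWED:
            dropped.append(clean_value(name))
        elif name == "in-reply-to":
            headers[name] = normalize_in_reply_to(value)
        elif name == "body":
            headers[name] = value  # message text, not a header line
        elif name in ("to", "cc") and name in headers:
            headers[name] += ", " + clean_value(value)
        else:
            headers[name] = clean_value(value)
    return headers, dropped


# Constructed sample link: bare Message-ID, CRLF smuggled into the subject,
# and an unexpected extra field.
SAMPLE = ("mailto:list@example.org?In-Reply-To=87abc%40example.org"
          "&subject=Re%3A%20hi%0D%0ABcc%3A%20x%40example.net&X-Injected=1")

if __name__ == "__main__":
    print(headers_from_mailto(SAMPLE))
```

On the sample, the encoded line break in the subject ends up as a single space, so the text after it stays inside the Subject value instead of becoming a header of its own.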




This bug report was last modified 2 years and 338 days ago.
