GNU bug report logs -
#55926
29.0.50; message.el does not normalize In-Reply-To field from web links
Previous Next
Reported by: Ignacio Casso <ignaciocasso <at> hotmail.com>
Date: Sun, 12 Jun 2022 11:45:02 UTC
Severity: normal
Tags: moreinfo
Found in version 29.0.50
Fixed in version 29.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Full log
Message #39 received at 55926 <at> debbugs.gnu.org (full text, mbox):
On 14/06/2022 23:27, Robert Pluim wrote:
>>>>>> On Tue, 14 Jun 2022 23:11:45 +0700, Max Nikulin said:
>
> Max> Unsure if it is possible to do something really weird through a
> Max> specially crafted mailto: link (by adding some special headers), but
> Max> it looks like it is possible to add something that sender may not like
> Max> to see in its message. So it is better to sanitize input link
> Max> parameters that are used to generate headers.
>
> Iʼm not aware of any code in Emacs that calls `eval' or similar on
> parameters passed to `browse-url' or `message-mailto', but you never
> know. Donʼt use Emacs to connect to your bank's website :-)
Actually I did not thought about eval as elisp. I do not like shell
command in emacsclient-mail.desktop, but this time I wrote about adding
something suspicious to email messages. However there no way to protect
against honeypots as Cc aimed to put sender into spammer blocking lists.
> I think Lars' changes here are enough.
I thank Lars for the fix.
There is e.g. References header for the same purpose of proper
threading, but it may contain list of Message-IDs and there is no
example of improper format at some site.
I expected something more general e.g. similar to file local variables
that may be safe or not and sanitizer map for particular headers. It may
be postponed till next bug report.
This bug report was last modified 2 years and 337 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.