-
-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protect more header fields #4227
Conversation
Protecting However, reading protected fields wasn't as easy (which is why I had to cat(1) the message to test it). Would you mind pointing to some functions I could use, or look at, @flatcap? Thanks! ;-) |
0bed7b7
to
9053b87
Compare
All the functions for dealing with You'll probably want You may also need to consider "IDN". History: The address library is fairly chaotic. Since the fork, we've:
Nobody's analysed the lifetime of an Address, so there's a lot of duplication. |
On Mon, Apr 01, 2024 at 02:42:05AM GMT, Richard Russon wrote:
> some functions I could use, or look at
All the functions for dealing with `struct Address` and `struct AddressList` live in https://github.com/neomutt/neomutt/blob/main/address/address.c
I'll try to find the code that prints the headers in the pager; I think
it's that what I need.
You'll probably want `mutt_addrlist_equal()`, but that won't cope if the lists are ordered differently.
`AddressList` is a linked-list, so sorting them would be a pain.
Nah, I decided that I don't care if they mismatch. At least for now.
Maybe when I manage to print them, I change my mind.
You may also need to consider "[IDN](https://en.wikipedia.org/wiki/Internationalized_domain_name)".
We have `mutt_addrlist_to_intl()` and `mutt_addrlist_to_local()`.
Maybe...
This email is sent with protected In-Reply-To for the first time, BTW.
Let's see if it works. :)
---
History: The address library is fairly chaotic.
Since the fork, we've:
- sorted out the dependencies to create `libaddress`
- upgraded the linked list to use `TAILQ` (`mutt/queue.h`)
- upgraded the `char *` strings to `struct Buffer`s
- documented everything (that we know)
- written some unit tests
Nobody's analysed the lifetime of an Address, so there's a lot of duplication.
Hmmm.
…
|
Weee! :-) |
6b84a76
to
641584c
Compare
To and Cc protected headers being read:
|
a089388
to
9bcfe82
Compare
6236c62
to
a2a1eb5
Compare
Here's a test for it:
This behavior LGTM, and I think is both necessary and sufficient to fix the two security vulnerabilities that I reported recently. I'll now start documenting the feature. |
Hmm, now I remember some thoughts I had yesterday: This is necessary, but not sufficient. We should also make sure neomutt(1) doesn't use the non-protected fields. But I don't want to do that in this PR, since it needs some design decisions that are a bit more complex. Let's do that in a separate PR. |
v2 changes:
|
1e7fded
to
9a0fcce
Compare
v2b changes:
|
9a0fcce
to
d0010ae
Compare
v2c changes:
|
v14 changes:
|
v14b changes:
|
v14c changes:
|
Protected header fields are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. If the user want to do it, allow them via this variable, but default to not weeding them. Link: <neomutt#4223> Link: <neomutt#4226> Link: <neomutt#4227> Link: <neomutt#4236> Link: <neomutt#4237> Cc: Richard Russon <[email protected]> Reviewed-by: наб <[email protected]> Cc: Pietro Cerutti <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
v14d changes:
|
... except Bcc, for obvious reasons. There are several attacks that are possible if the To, Cc, and similar header fields are not protected. One of them is: - The metadata of a signed+encrypted message can be modified (without decrypting it), to add a malicious recipient. Subsequent replies to the thread will likely also encrypt to the malicious recipient, disclosing secret data. Read the links below for a more detailed explanation of the problem. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
This function copies a src ListHead at the tail of a dst ListHead. This is similar to mutt_addrlist_copy(), but for ListHead. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
Signed-off-by: Alejandro Colomar <[email protected]>
Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
Move some code out of a conditional, to add support for other protected headers in the following commits. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
…ists Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
This function writes a list to a buffer. It is similar to mutt_addrlist_write(), but simpler, and for ListHead. Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
Signed-off-by: Alejandro Colomar <[email protected]>
…fields Link: <neomutt#4223> Link: <neomutt#4226> Cc: Richard Russon <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
mutt(1) has been protecting it for several years already, and it is a user-facing header field, so it is one of the fields that are recommended to be protected. It's less critical than address lists or In-Reply-To, but it's still good to do it. Signed-off-by: Alejandro Colomar <[email protected]>
Signed-off-by: Alejandro Colomar <[email protected]>
Protected header fields are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. If the user want to do it, allow them via this variable, but default to not weeding them. Link: <neomutt#4223> Link: <neomutt#4226> Link: <neomutt#4227> Link: <neomutt#4236> Link: <neomutt#4237> Cc: Richard Russon <[email protected]> Reviewed-by: наб <[email protected]> Cc: Pietro Cerutti <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
|
Protected header fields are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. If the user want to do it, allow them via this variable, but default to not weeding them. Link: <neomutt#4223> Link: <neomutt#4226> Link: <neomutt#4227> Link: <neomutt#4236> Link: <neomutt#4237> Cc: Richard Russon <[email protected]> Reviewed-by: наб <[email protected]> Cc: Pietro Cerutti <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
Protected header fields are part of the crypto message, which means the sender considers them part of the important data, and should not be carelessly weeded. If the user want to do it, allow them via this variable, but default to not weeding them. Link: <#4223> Link: <#4226> Link: <#4227> Link: <#4236> Link: <#4237> Cc: Richard Russon <[email protected]> Reviewed-by: наб <[email protected]> Cc: Pietro Cerutti <[email protected]> Signed-off-by: Alejandro Colomar <[email protected]>
Thanks! I'll start using |
What does this PR do?
Protect more header fields.
Screenshots (if relevant)
Does this PR meet the acceptance criteria? (This is just a reminder for you,
this section can be removed if you fulfill it.)
Documentation created/updated (you have to edit
docs/manual.xml.head
for that)
Not yet.
All builds and tests are passing
It works, partially. It protects the headers when sending. It doesn't read the protected headers in received mails, yet.
Added doxygen code documentation
syntax
N/A. Maybe later I need to do something about it.
Code follows the style guide\
I hope so.
What are the relevant issue numbers?
Revisions:
v15
v15 (by @flatcap ) changes:Merge