bug-gnu-emacs
From: Max Nikulin
Subject: bug#55926: 29.0.50; message.el does not normalize In-Reply-To field from web links
Date: Wed, 15 Jun 2022 23:14:51 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1

On 14/06/2022 23:27, Robert Pluim wrote:
> On Tue, 14 Jun 2022 23:11:45 +0700, Max Nikulin said:
>
>     Max> Unsure if it is possible to do something really weird through a
>     Max> specially crafted mailto: link (by adding some special headers), but
>     Max> it looks like it is possible to add something that sender may not like
>     Max> to see in its message. So it is better to sanitize input link
>     Max> parameters that are used to generate headers.
>
> Iʼm not aware of any code in Emacs that calls `eval' or similar on
> parameters passed to `browse-url' or `message-mailto', but you never
> know. Donʼt use Emacs to connect to your bank's website :-)

Actually I did not think about eval as elisp. I do not like the shell command in emacsclient-mail.desktop, but this time I wrote about adding something suspicious to email messages. However, there is no way to protect against honeypots, as Cc is aimed at putting the sender into spammer blocking lists.

> I think Lars' changes here are enough.

I thank Lars for the fix.

There is e.g. the References header for the same purpose of proper threading, but it may contain a list of Message-IDs, and there is no example of an improper format at some site.

I expected something more general, e.g. similar to file local variables that may be safe or not, and a sanitizer map for particular headers. It may be postponed till the next bug report.
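The thread above asks for sanitizing mailto: parameters before they become message headers and for normalizing Message-IDs in In-Reply-To and References. The following is an added illustration written for this page in Python; it is not code from message.el or from Emacs, and the allowlist of accepted header names, the Message-ID pattern and the sample link are assumptions made for the example. It parses a mailto: URL by hand (per RFC 6068 `+` is a literal, so `urllib.parse.parse_qsl` is not used), drops any header name not on the allowlist, folds CR/LF in single-line header values so a value cannot spill into a second header, and rewrites In-Reply-To and References as a space-separated list of angle-bracketed Message-IDs, discarding tokens that do not look like `local@domain`.

```python
"""Illustrative mailto: sanitizer (not message.el code)."""
import re
from urllib.parse import urlsplit, unquote

# Header fields a mailto: link may pre-fill. Chosen for this example; the
# page notes that even Cc can be abused (honeypot addresses), so whether to
# accept it is a policy decision, not something a sanitizer can settle.
ALLOWED_HEADERS = {"subject", "cc", "in-reply-to", "references"}
# Fields whose value must be a list of Message-IDs.
MSGID_HEADERS = {"in-reply-to", "references"}

# Loose msg-id shape: left@right, no whitespace, angle brackets or extra '@'.
MSGID_RE = re.compile(r"^[^\s<>@]+@[^\s<>@]+$")


def normalize_msgid_list(value):
    """Turn '<a@b>, c@d' into ['<a@b>', '<c@d>']; drop tokens that are not msg-ids.

    Web sites often link with a bare id or with the brackets URL-encoded
    away; threading only works if the header carries '<id>' forms.
    """
    ids = []
    for tok in re.split(r"[\s,]+", value.strip()):
        tok = tok.strip("<>")
        if tok and MSGID_RE.match(tok):
            ids.append("<%s>" % tok)
    return ids


def parse_mailto(url):
    """Return {'to': [...], 'headers': {...}, 'body': str} with values sanitized."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    to = [a.strip() for a in unquote(parts.path).split(",") if a.strip()]
    headers = {}
    body = ""
    for pair in parts.query.split("&"):
        if "=" not in pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name = unquote(raw_name).lower()
        value = unquote(raw_value)
        if name == "to":
            to.extend(a.strip() for a in value.split(",") if a.strip())
            continue
        if name == "body":
            body = value  # the body may legitimately contain newlines
            continue
        if name not in ALLOWED_HEADERS:
            continue  # unknown or unwanted header: dropped, not copied
        # A header value is one line; a CR or LF inside it would start a new
        # header, so fold them to spaces before the value reaches the message.
        value = value.replace("\r", " ").replace("\n", " ").strip()
        if name in MSGID_HEADERS:
            ids = normalize_msgid_list(value)
            if not ids:
                continue  # nothing that looks like a Message-ID: omit the header
            value = " ".join(ids)
        if value:
            headers[name] = value
    return {"to": to, "headers": headers, "body": body}


if __name__ == "__main__":
    # Constructed sample link: bare In-Reply-To id, mixed References list,
    # an unexpected X- header and a CRLF inside Subject.
    sample = ("mailto:bug-gnu-emacs@gnu.org?subject=Re%3A%20test%0D%0AX-Injected%3A%201"
              "&In-Reply-To=87abc%40example.org"
              "&References=%3Cx%40y%3E,%20z%40w"
              "&X-Evil=1&Body=line1%0Aline2")
    print(parse_mailto(sample))
```

Running the block prints the sanitized result: only Subject (with the CRLF folded), In-Reply-To and References survive, both Message-ID fields are bracketed, and `X-Evil` is gone. The allowlist plus per-header normalizer is the "sanitizer map for particular headers" shape mentioned above, kept deliberately small so that each accepted field has an explicit rule.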




