[PATCH] emacs: Quote MML tags in replies

Pieter Praet pieter at praet.org
Thu Jan 19 14:23:29 PST 2012


On Thu, 19 Jan 2012 13:43:09 -0500, Aaron Ecay <aaronecay at gmail.com> wrote:
> Emacs message-mode uses certain text strings to indicate how to attach
> files to outgoing mail.  If these are present in the text of an email,
> and a user is tricked into replying to the message, the user’s files
> could be exposed.
> ---
> 
> To demonstrate this, open a reply to this message then remove the
> exclamation marks after the hash marks below.  Create a file in your
> home directory called passwd.  Then press C-u M-x mml-preview.  A
> (possibly base64-encoded) version of your ~/passwd file will replace
> the following lines:
> 
> <#!part type="application/octet-stream" filename="~/passwd"
> disposition=attachment description=foo>
> <#!/part>
> 
> It works equally well (and more dangerously) with /etc/passwd, but I
> didn't use that filename here to avoid the danger of someone
> accidentally attaching their /etc/passwd to a reply in this thread!
> 
>  emacs/notmuch-mua.el |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
> index d8ab822..c25c6b9 100644
> --- a/emacs/notmuch-mua.el
> +++ b/emacs/notmuch-mua.el
> @@ -115,7 +115,8 @@ list."
>      (push-mark))
>    (set-buffer-modified-p nil)
>  
> -  (message-goto-body))
> +  (message-goto-body)
> +  (mml-quote-region (point) (mark)))
>  
>  (defun notmuch-mua-forward-message ()
>    (message-forward)
> -- 
> 1.7.8.3
> 
> _______________________________________________
> notmuch mailing list
> notmuch at notmuchmail.org
> http://notmuchmail.org/mailman/listinfo/notmuch

Wow, nice catch!  You've just earned yourself a raise!

An urgent +1 !


### OT:
For some reason, `mml-quote-region' explicitly re-quotes
already quoted MML tags:

  "<#!*/?\\(multipart\\|part\\|external\\|mml\\)"

Why is that ?


Peace

-- 
Pieter


More information about the notmuch mailing list