[PATCH 2/2] emacs: Quote MML tags in replies
Aaron Ecay
aaronecay at gmail.com
Sat Jan 28 22:07:08 PST 2012
Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail. If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.
---
NEWS | 18 ++++++++++++++++++
emacs/notmuch-mua.el | 3 ++-
test/emacs | 1 -
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 2acdce5..c8b90c7 100644
--- a/NEWS
+++ b/NEWS
@@ -56,6 +56,24 @@ Compatibility with GMime 2.6
However, a bug in current GMime 2.6 causes notmuch not to report
signatures where the signer key is unavailable (GNOME bug 668085).
+Notmuch 0.11.1 (2012-xx-xx)
+===========================
+
+Emacs Interface
+---------------
+
+Quote MML tags in replies
+
+ MML tags are text codes that Emacs uses to indicate attachments
+ (among other things) in messages being composed. The Emacs
+ interface did not quote MML tags in the quoted text of a reply. If
+ a user could be tricked into replying to a maliciously formatted
+ message and not editing out the MML tags from the quoted text, this
+ could lead to files from the user's machine being attached to the
+ outgoing message. The Emacs interface now quotes these tags in
+ reply text, so that they cannot have an effect on the outgoing
+ message.
+
Notmuch 0.11 (2012-01-13)
=========================
diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 023645e..32c376d 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -116,7 +116,8 @@ list."
(push-mark))
(set-buffer-modified-p nil)
- (message-goto-body))
+ (message-goto-body)
+ (mml-quote-region (point) (mark)))
(defun notmuch-mua-forward-message ()
(message-forward)
diff --git a/test/emacs b/test/emacs
index a57513a..affcca4 100755
--- a/test/emacs
+++ b/test/emacs
@@ -274,7 +274,6 @@ EOF
test_expect_equal_file OUTPUT EXPECTED
test_begin_subtest "Quote MML tags on reply"
-test_subtest_known_broken
add_message '[from]="1337 h4xor <test at test.com>"' \
'[to]="Unsuspecting rube <luser at securityhole.com>"' \
'[subject]="hackety hack hack"' \
--
1.7.9
More information about the notmuch
mailing list