[PATCH v2] Omit User-Agent: header by default
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Aug 8 16:35:17 PDT 2016
The User-Agent: header can be fun and interesting, but it also leaks
quite a bit of information about the user and their software stack.
This represents a potential security risk (attackers can target the
particular stack) and also an anonymity risk (a user trying to
preserve their anonymity by sending mail from a non-associated account
might reveal quite a lot of information if their choice of mail user
agent is exposed).
This change also avoids hiding the User-Agent header by default, so
that people who decide they want to send it will at least see it (and
can edit it if they want to) before sending.
It makes sense to have safer defaults.
---
emacs/notmuch-mua.el | 4 ++--
test/T310-emacs.sh | 16 ----------------
2 files changed, 2 insertions(+), 18 deletions(-)
diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 1ca8056..f3a4e5a 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -62,7 +62,7 @@ disabled: this would result in an incorrect behavior."))
(const :tag "Compose mail in a new window" new-window)
(const :tag "Compose mail in a new frame" new-frame)))
-(defcustom notmuch-mua-user-agent-function 'notmuch-mua-user-agent-full
+(defcustom notmuch-mua-user-agent-function nil
"Function used to generate a `User-Agent:' string. If this is
`nil' then no `User-Agent:' will be generated."
:type '(choice (const :tag "No user agent string" nil)
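Review bot: The changed default on the `(defcustom notmuch-mua-user-agent-function nil` line is a user-visible behaviour change, yet the diffstat touches only emacs/notmuch-mua.el and test/T310-emacs.sh, so upgrading users get no notice that their outgoing mail stops carrying the header. Suggest adding a release-notes entry. The docstring could also say what opting back in discloses: going by the pattern removed from the tests (`User-Agent: Notmuch/.* Emacs/.*`), that is both the Notmuch and the Emacs version, which is what someone deciding whether to re-enable it needs to know.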
@@ -73,7 +73,7 @@ disabled: this would result in an incorrect behavior."))
:value notmuch-mua-user-agent-full))
:group 'notmuch-send)
-(defcustom notmuch-mua-hidden-headers '("^User-Agent:")
+(defcustom notmuch-mua-hidden-headers nil
"Headers that are added to the `message-mode' hidden headers
list."
:type '(repeat string)
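Review bot: Emptying the default on the `(defcustom notmuch-mua-hidden-headers nil` line is a second behaviour change that the subject line does not mention, and it reaches users who have already set notmuch-mua-user-agent-function explicitly: the header will now appear in their compose buffers where it was hidden before. The commit message shows this is intended, but the docstring no longer mentions User-Agent at all. Suggest noting there that adding "^User-Agent:" to this list restores the old hiding, and either mentioning the change in the subject or splitting it into its own patch so it can be reviewed and reverted independently.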
diff --git a/test/T310-emacs.sh b/test/T310-emacs.sh
index 65c1728..202fc3b 100755
--- a/test/T310-emacs.sh
+++ b/test/T310-emacs.sh
@@ -193,7 +193,6 @@ emacs_deliver_message \
(kill-whole-line)
(insert "To: user at example.com\n")'
sed \
- -e s',^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' \
-e s',^Message-ID: <.*>$,Message-ID: <XXX>,' \
-e s',^\(Content-Type: text/plain\); charset=us-ascii$,\1,' < sent_message >OUTPUT
cat <<EOF >EXPECTED
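Review bot: Dropping the `-e s',^User-Agent: Notmuch/.* Emacs/.*,...` normalisation here, together with the matching removals in every later hunk of this file, leaves no test in this patch that exercises a non-nil notmuch-mua-user-agent-function. The updated expectations do check that the header is absent by default, which is the important property, but the opt-in path is now untested. Suggest keeping one case that let-binds notmuch-mua-user-agent-function to 'notmuch-mua-user-agent-full and checks the normalised `User-Agent: Notmuch/XXX Emacs/XXX` line, so a regression in the still-supported option is caught.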
@@ -201,7 +200,6 @@ From: Notmuch Test Suite <test_suite at notmuchmail.org>
To: user at example.com
Subject: Testing message sent via SMTP
Date: 01 Jan 2000 12:00:00 -0000
-User-Agent: Notmuch/XXX Emacs/XXX
Message-ID: <XXX>
MIME-Version: 1.0
Content-Type: text/plain
@@ -310,7 +308,6 @@ test_emacs '(let ((message-hidden-headers ''()))
(test-output))'
sed -i -e 's/^In-Reply-To: <.*>$/In-Reply-To: <XXX>/' OUTPUT
sed -i -e 's/^References: <.*>$/References: <XXX>/' OUTPUT
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite at notmuchmail.org>
To: user at example.com
@@ -318,7 +315,6 @@ Subject: Re: Testing message sent via SMTP
In-Reply-To: <XXX>
Fcc: ${MAIL_DIR}/sent
References: <XXX>
-User-Agent: Notmuch/XXX Emacs/XXX
--text follows this line--
Notmuch Test Suite <test_suite at notmuchmail.org> writes:
@@ -335,7 +331,6 @@ test_emacs "(let ((message-hidden-headers '()))
(notmuch-test-wait)
(notmuch-search-reply-to-thread)
(test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite_other at notmuchmail.org>
To: Sender <sender at example.com>
@@ -343,7 +338,6 @@ Subject: Re: ${test_subtest_name}
In-Reply-To: <${gen_msg_id}>
Fcc: ${MAIL_DIR}/sent
References: <${gen_msg_id}>
-User-Agent: Notmuch/XXX Emacs/XXX
--text follows this line--
Sender <sender at example.com> writes:
@@ -361,7 +355,6 @@ test_emacs "(let ((message-hidden-headers '()))
(notmuch-test-wait)
(notmuch-search-reply-to-thread)
(test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite at notmuchmail.org>
To: Sender <sender at example.com>, someone at example.com
@@ -369,7 +362,6 @@ Subject: Re: ${test_subtest_name}
In-Reply-To: <${gen_msg_id}>
Fcc: ${MAIL_DIR}/sent
References: <${gen_msg_id}>
-User-Agent: Notmuch/XXX Emacs/XXX
--text follows this line--
Sender <sender at example.com> writes:
@@ -382,7 +374,6 @@ test_emacs '(let ((message-hidden-headers ''()))
(notmuch-show "id:20091118002059.067214ed at hikari")
(notmuch-show-reply)
(test-output))'
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite at notmuchmail.org>
To: Adrian Perez de Castro <aperez at igalia.com>, notmuch at notmuchmail.org
@@ -390,7 +381,6 @@ Subject: Re: [notmuch] Introducing myself
In-Reply-To: <20091118002059.067214ed at hikari>
Fcc: ${MAIL_DIR}/sent
References: <20091118002059.067214ed at hikari>
-User-Agent: Notmuch/XXX Emacs/XXX
--text follows this line--
Adrian Perez de Castro <aperez at igalia.com> writes:
@@ -447,7 +437,6 @@ test_emacs '(let ((message-hidden-headers ''()))
(notmuch-show "id:cf0c4d610911171136h1713aa59w9cf9aa31f052ad0a at mail.gmail.com")
(notmuch-show-reply)
(test-output))'
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite at notmuchmail.org>
To: Alex Botero-Lowry <alex.boterolowry at gmail.com>, notmuch at notmuchmail.org
@@ -455,7 +444,6 @@ Subject: Re: [notmuch] preliminary FreeBSD support
In-Reply-To: <cf0c4d610911171136h1713aa59w9cf9aa31f052ad0a at mail.gmail.com>
Fcc: ${MAIL_DIR}/sent
References: <cf0c4d610911171136h1713aa59w9cf9aa31f052ad0a at mail.gmail.com>
-User-Agent: Notmuch/XXX Emacs/XXX
--text follows this line--
Alex Botero-Lowry <alex.boterolowry at gmail.com> writes:
@@ -521,7 +509,6 @@ test_emacs "(let ((message-hidden-headers '()))
(notmuch-show \"id:${gen_msg_id}\")
(notmuch-show-reply)
(test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite at notmuchmail.org>
To:
@@ -529,7 +516,6 @@ Subject: Re: Reply within emacs to an html-only message
In-Reply-To: <${gen_msg_id}>
Fcc: ${MAIL_DIR}/sent
References: <${gen_msg_id}>
-User-Agent: Notmuch/XXX Emacs/XXX
--text follows this line--
Notmuch Test Suite <test_suite at notmuchmail.org> writes:
@@ -546,7 +532,6 @@ test_emacs "(let ((message-hidden-headers '()))
(notmuch-show \"id:$message_id\")
(notmuch-show-reply)
(test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite at notmuchmail.org>
To:
@@ -554,7 +539,6 @@ Subject: Re: Quote MML tags in reply
In-Reply-To: <test-emacs-mml-quoting at message.id>
Fcc: ${MAIL_DIR}/sent
References: <test-emacs-mml-quoting at message.id>
-User-Agent: Notmuch/XXX Emacs/XXX
--text follows this line--
Notmuch Test Suite <test_suite at notmuchmail.org> writes:
--
2.8.1