[PATCH v2 16/17] test: reply (in cli and emacs) should protect indexed sensitive headers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun May 26 15:16:09 PDT 2019
These tests are currently broken! When a protected subject is indexed
in the clear, it leaks in the reply headers :(
For emacs, we set up separate tests for when the protected header is
indexed in the clear and when it is unindexed. Neither case should
leak, but the former wasn't tested yet.
We will fix the two broken tests in a subsequent patch.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
test/T356-protected-headers.sh | 7 +++++
test/T358-emacs-protected-headers.sh | 45 ++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index cbed3781..746c4760 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -99,6 +99,13 @@ output=$(notmuch search --format=json 'id:protected-header at crypto.notmuchmail.or
test_json_nodes <<<"$output" \
'subject:[0]["subject"]="This is a protected header"'
+test_begin_subtest "indexed protected subject is not visible in reply header"
+test_subtest_known_broken
+output=$(notmuch reply --format=json 'id:protected-header at crypto.notmuchmail.org')
+test_json_nodes <<<"$output" \
+ 'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
+ 'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'
+
test_begin_subtest "verify correct protected header when submessage exists"
output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment at crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
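Review bot: The new subtest in T356 runs notmuch reply without any --decrypt option, yet asserts that ["original"]["headers"]["Subject"] is the protected subject, so it appears to rely on the cleartext subject already being in the index at this point in the file, and nothing in the hunk says so. A short comment above test_begin_subtest stating that dependency, and noting that the first assertion is a precondition while the 'reply-subject' assertion on ["reply-headers"]["Subject"] is the actual leak check behind test_subtest_known_broken, would make a failure easier to interpret once the fix lands.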
diff --git a/test/T358-emacs-protected-headers.sh b/test/T358-emacs-protected-headers.sh
index a631223e..765511d4 100755
--- a/test/T358-emacs-protected-headers.sh
+++ b/test/T358-emacs-protected-headers.sh
@@ -51,6 +51,29 @@ This is the sekrit message
EOF
test_expect_equal_file EXPECTED OUTPUT
+# notmuch-emacs still leaks the subject line; as long as it leaks the
+# subject line, it should emit the external subject, not the protected
+# subject, even if it knows what the true subject is:
+test_begin_subtest "Reply within emacs to a message with protected headers, not leaking subject"
+test_emacs "(let ((message-hidden-headers '()))
+ (notmuch-show \"id:protected-header at crypto.notmuchmail.org\")
+ (notmuch-show-reply)
+ (test-output))"
+cat <<EOF >EXPECTED
+From: Notmuch Test Suite <test_suite at notmuchmail.org>
+To: test_suite at notmuchmail.org
+Subject: Re: Subject Unavailable
+In-Reply-To: <protected-header at crypto.notmuchmail.org>
+Fcc: ${MAIL_DIR}/sent
+References: <protected-header at crypto.notmuchmail.org>
+--text follows this line--
+<#secure method=pgpmime mode=signencrypt>
+test_suite at notmuchmail.org writes:
+
+> This is the sekrit message
+EOF
+test_expect_equal_file EXPECTED OUTPUT
+
# protected headers should behave differently after re-indexing
test_begin_subtest 'defaulting to indexing cleartext'
test_expect_success 'notmuch config set index.decrypt true'
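Review bot: The comment and the subtest name in this first T358 hunk read as contradicting each other: the comment says notmuch-emacs "still leaks the subject line" while the name ends in "not leaking subject". Judging by the expected "Subject: Re: Subject Unavailable", the intent is that the reply still carries a cleartext Subject but it must be the external one; saying that in the name, and marking this case as the unindexed one (the next context line opens the re-indexing section), would pair it clearly with the indexed subtest added further down.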
@@ -67,4 +90,26 @@ End of search results.
EOF
test_expect_equal_file EXPECTED OUTPUT
+# notmuch-emacs still leaks the subject line:
+test_begin_subtest "don't leak protected subject during reply, even if indexed"
+test_subtest_known_broken
+test_emacs "(let ((message-hidden-headers '()))
+ (notmuch-show \"id:protected-header at crypto.notmuchmail.org\")
+ (notmuch-show-reply)
+ (test-output))"
+cat <<EOF >EXPECTED
+From: Notmuch Test Suite <test_suite at notmuchmail.org>
+To: test_suite at notmuchmail.org
+Subject: Re: Subject Unavailable
+In-Reply-To: <protected-header at crypto.notmuchmail.org>
+Fcc: ${MAIL_DIR}/sent
+References: <protected-header at crypto.notmuchmail.org>
+--text follows this line--
+<#secure method=pgpmime mode=signencrypt>
+test_suite at notmuchmail.org writes:
+
+> This is the sekrit message
+EOF
+test_expect_equal_file EXPECTED OUTPUT
+
test_done
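Review bot: The test_emacs form and the whole EXPECTED heredoc in this last T358 hunk are a line-for-line copy of the ones added in the previous hunk; only the subtest name and test_subtest_known_broken differ. Consider moving the reply invocation and the expected headers into a small shell function so the two cases cannot drift apart, and extend the comment "notmuch-emacs still leaks the subject line:" to say what is known broken here, namely that the protected subject shows up in the reply once it has been indexed in the clear.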
--
2.20.1