Closed Bug 119266 Opened 23 years ago Closed 21 years ago

Option to disable all active content in mail

Categories

(MailNews Core :: Security, defect)

Product:
MailNews Core
Component:
Security
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED DUPLICATE of bug 30888

People

(Reporter: security-bugs, Assigned: security-bugs)

References

(Blocks 1 open bug)

Details

Attachments

(2 files, 2 obsolete files)

New patch, part 1
2.28 KB, patch
Details | Diff | Splinter Review
New patch, part 2
3.25 KB, patch
Details | Diff | Splinter Review 
There's probably another bug on this somewhere, but for sake of clarity I'm
putting this in a new bug. The patch to follow was written by Georgi Guninski.
Review and feedback would be appreciated.
Attached patch Patch part 1 (obsolete) — Splinter Review 

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch part 2 (obsolete)
        — Splinter Review
      

    


  

    
    

    
  
Am I correct in my understanding that this bug is for being able to disable 
email attachments?

If so, is this bug 55657's backend? I'm sure I can help out to implement the 
front-end if you want (i.e. fix that bug), if you make this stuff depend on 
some pref.

    
    

    
  
BTW, if you can make depend on a pref, use |mail.inline_attachments| (which is 
already used in NS4.x IIRC).

    
    

    
  
The idea of this patch is to disable automatically previewing of HTML email
unless the user explicitly wish to do so.
HTML mail may contain active content - scripts, <iframe>s, etc.
If an exploit pops up users may be exploited by email or forced to visit a web page.
NIMDA made quite the noise on outlook.
Besides HTML mail has privacy implications - web bugs, tracking the opening or
not opening of a message thru content on third party servers, probably more.
Some people really do not want to receive text/html mail only.



    
    

    
  
*** Bug 119673 has been marked as a duplicate of this bug. ***

    
    

    
  
Related bugs:
Bug 30888 is about showing only plaintext.
Bug 18427 is about santiyzing HTML to only stuctural markup.
Bug 28327 is about querying external servers.
Bug 22994 is about cookies.
The pref would be a nice addition to bug 31907.

    
    

    
  
Thanks for the related bug references, but please do not dupe this bug. Let's
keep this bug focused on Georgi's patch and not get lost discussing related
feature requests.
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 64355 [details] [diff] [review]
Patch part 1

This patch doesn't compile on window because of snprintf which is not defined.
Instead use PR_snprintf but you must first include "prprf.h". Please replace
strcpy by PR_strcpy.

I don't think printing a link to the part inside the message body is the right
thing to do. Rather, you should  show those part as attachment in the chrome
(like we do with any other attachment). Or at list you should draw a nice
attachment box like we did in 4.x

        Attachment #64355 -
        Flags: needs-work+

    
    

    
  
Comment on attachment 64356 [details] [diff] [review]
Patch part 2

first couple syntax comment:
- preff should be pref
- some indentsation inconsistence

I tried the patch and it doesn't work well all the time:
I have a multipart/related message, the first part is text/html and the second
one is image/gif. When I click on the link to the part (the first one), this
one is shown empty!

ALso, we should cache the pref of at least the pref service to avoid getting it
all the time but this is a generic problem of mime!

        Attachment #64356 -
        Flags: needs-work+

    
    

    
  


  

        Attachment #64355 -
        Attachment is obsolete: true

        Attachment #64356 -
        Attachment is obsolete: true

    
    

    
  
With bug 30888 having a patch, does this still make sense? Bug 30888 scatches
the same itch and gives IMO a nicer UI (no additional clicks needed). If there
is no plaintext part, bug 30888 allows to still read the mail safely, while this
bug requires the curious user to view the mail as (interpreted) HTML.

    
  
Blocks: 31907

    
    

    
  
> while this bug requires the curious user to view the mail as (interpreted) HTML.

Or not at all, if I saw that correctly?

    
    

    
  
Should this be more generically tied in? See nsIWebBrowserSetup and
http://bugzilla.mozilla.org/show_bug.cgi?id=125168

    
    

    
  
Part 1 is interesting (and does not overlap with bug 30888 / bug 108153). Here,
Georgi Guninski lets, after a content type handler has been chosen, through only
the content type handlers that he explicitly likes. This guards against e.g.
loopholes in our vcard handler (see bug 126008).

However, it also completely breaks the libmime extension mechanism, which is 
designed to allow e.g. a third-party PGP plugin to register itself and handle
certain content types. If the user has a PGP plugin installed, we should assume
that he wants to use it (even users of these paranoid prefs). But vcard is also
an external handler.

I see no good solution other than
- not installing insecure external handlers.
  This breaks the runtime-configurability.
- hardcoding "nice" and "unsafe" external handlers
  This appraoch is also kind of broken, because the point of external handlers
  is that we don't know (most of) them yet.

Any ideas?

    
    

    
  
I filed bug 126082 for my own patches about this problem, because mstoltz asked
to "keep this bug focused on Georgi's patch".

    
    

    
  
Ben,

I am not a mail guru and don't know mime internals.
The idea of the patch was to allow only known good content and reject everything
else.
Could please give me a pointer to "external handlers", I am not familiar with them.
I am little confused that *both* vcard and pgp plugin are external handlers.
I definitely don't want vcards displayed inline and the vcard code is in the
mozilla tree so I don't see any external.
On the other hand if I chose to put a shared library which interferes with
Mozilla so it's entire my choice to trust it, so a possible solution would be to
give access to shared libraries installed explicitly by the user to display
inline content?

    
    

    
  
Georgi, I understand your general idea, and it made me "find" bug 126008.

> Could please give me a pointer to "external handlers", I am not familiar with
> them.

<http://www.mozilla.org/mailnews/libmime-content-type-handlers.html>

<quote
src="http://lxr.mozilla.org/seamonkey/source/mailnews/mime/src/mimei.cpp#305">
305 if ((tempClass = mime_locate_external_content_handler(content_type,
&ctHandlerInfo)) != NULL)
306 {
307   clazz = (MimeObjectClass *)tempClass;
308 }
309 else
310 {
</quote>

The vcard handler code lives in mailnews/mime/cthandlers/vcard/mimevcrd.*.

We may also want to avoid the calendar plugin in mailnews/mime/cthandlers/.

> I definitely don't want vcards displayed inline and the vcard code is in the
> mozilla tree so I don't see any external.

The "external" is a term by me. It's a "Content Type Handler Plugin", the same
way a PGP handler might be a plugin. I.e. it is not hardcoded into mimei.cpp and
not part of libmime.so, but lives in its own lib (libvcard.so). So, it only
happens to be built and installed by default with Mozilla, but is otherwise no
different than a possible PGP plugin by NAI, which is installed with PGP, not
with Mozilla.

> On the other hand if I chose to put a shared library which interferes with
> Mozilla so it's entire my choice to trust it
> so a possible solution would be to give access to shared libraries installed
> explicitly by the user to display inline content?

Yes, I think so, too, see bug 126082.
(OTOH, it's also "your choice to trust" Mozilla's handlers :-) .)

    
    

    
  
Bug 30888 and bug 126082 are fixed on the trunk, see
<http://www.beonex.com/temp/index.html> /
<http://www.bucksch.com/1/projects/mozilla/108153> for docs.

Is there anything left to be done in this bug (I don't quite understand part 2
attached here)?

(If you have any other comments, feel free to mail me about that, too.)

    
    

    
  
Ben, what's the status of this? Is it going to make Moz1.0?

    
    

    
  
I don't know, see my last comment in bug 30888.

    
    

    
  
Since Ben's patch in 30888 has gone in, can this bug be closed? Or is there
additional functionality here that someone whats?

    
    

    
  

*** This bug has been marked as a duplicate of 30888 ***
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE

    
    

    
  
V
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: