Using Edit As New Message on attachment sets From/Reply-to to addresses of different account.

RESOLVED DUPLICATE of bug 1254666

Status

Thunderbird
Message Compose Window
--
major
RESOLVED DUPLICATE of bug 1254666
2 years ago
2 years ago

People

(Reporter: Zhora VandenBout, Unassigned)

Tracking

38 Branch
x86_64
Mac OS X

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

In account xxx.yyy (not the default account) I opened an email that was received that had an attachment.

I opened the attachment while still in the xxx.yyy account using Message->Attachments->1 ForwardedMessage.eml->Open. 

Still in xxx.yyy, I used Message->Edit As New Message on the attachment so I could alter it and email it to another person.


Actual results:

The From: and Reply-to: header fields in the composition window of the new message were set to email addresses of the default account and not the account that I was currently using.


Expected results:

The From: and Reply-to: header fields should have been set to the addresses of the account I was currently using (as happens when opening a New Message in a particular account). Instead they were set to the default account's From: and Reply-to addresses.
(Reporter)

Updated

2 years ago
Severity: normal → major
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64

Comment 1

2 years ago
Important bug that needs to be fixed. You can send emails as if you were another person (email).
I can not reproduce this bug using Thunderbird 45.
However the from and reply-to in the composing window on thunderbird 45 are using the original message "from" headers.
Please check the behavior on Thunderbird 45
Flags: needinfo?(zhora)

Comment 3

2 years ago
This bug is still in version 45.

The description above talks about Attachments, but the same is true for any message.

- Right click a message in your own inbox
- Option "Edit As New Message"

The resulting window for you to edit defaults to the ORIGINAL SENDER!!!!!!!!!!!
If you hit send, your from address is presented essentially to all the users of that message as the original sender, when in fact YOU sent it.

The situation is a change from pre v38, where the option CORRECTLY set the from string to be the person who is editing the message.

This is a SIGNIFICANT regression. It is a SECURITY issue where now you have SMTP authenticated against one user, but it is sent as someone else. For the majority of my 75,000 users, this is a regression they are fooled by. I also have an internal security team that would like me to stop distributing Thunderbird as a result of this issue until it is fixed.

Comment 4

2 years ago
Is this similar to one of the bugs we know?
Flags: needinfo?(acelists)

Comment 5

2 years ago
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #4)
> Is this similar to one of the bugs we know?

Not sure yet, but I think we did fixes in the identity choosing.
Flags: needinfo?(acelists) → needinfo?(jorgk)

Comment 6

2 years ago
(In reply to Paul Donnelly from comment #3)
> This bug is still in version 45.
> 
> The description above talks about Attachments, but the same is true for any
> message.
> 
> - Right click a message in your own inbox
> - Option "Edit As New Message"
> 
> The resulting window for you to edit defaults to the ORIGINAL
> SENDER!!!!!!!!!!!

This is a different bug 1254666 and is already fixed.

Comment 7

2 years ago
Yes - Edit as new in the EarlyBird version is back to how it should be for Edit As new, looks to be sorted and in line for the bug mentioned in comment 6. What standard version will this fix be live? TB 49?

Comment 8

2 years ago
Tb 49 up to 51 will only be released as beta. TB52 will be the stable release. But it was approved for 45.x branch too, so if it isn't already in 45.3, then it must be in 45.4 soon.

Comment 9

2 years ago
Bug 1254666 was uplifted to TB 45.3, see bug 1254666 comment #81. 48+ = 45.3 in this case.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(zhora)
Flags: needinfo?(jorgk)
Resolution: --- → DUPLICATE
Duplicate of bug: 1254666

Comment 10

2 years ago
Jorg, have you checked the attachment case (comment 3) was also fixed by bug 1254666? Comment 3 is not representative of the bug here.

Comment 11

2 years ago
The sender is only overwritten with From of the original message for drafts:
https://hg.mozilla.org/releases/comm-esr45/rev/51893f9780c5aa8a152ca1bfecaa46d31bf317e1#l1.16

Opening an attached message and editing it as new does *not* constitute a draft edit. Therefore this bug here is fixed by the other one. I even tried it, one of my identities is used as the sender. Happy?
You need to log in before you can comment on or make changes to this bug.