Closed Bug 1314417 Opened 8 years ago Closed 8 years ago

Client is auto rendering base64 image URLs (?)

Categories

(Thunderbird :: Message Reader UI, defect)

45 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 322533

People

(Reporter: henickdotnet, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14

Steps to reproduce:

...Opened spammy HTML message that bypassed the history filter, because it is impossible (or poorly documented) to select single messages without opening them.

I did not hold back any of the offending messages that were in my inbox this morning, because I was in a hurry and didn't think of it. Once notified of a ticket, I'll be happy to check the message source and provide more details, forward the message with headers, or whatever else may help to get to the bottom of the issue... but at the moment I'm at Starbucks and not at all willing to get near that inbox until I'm back home and don't have to worry about fifty strangers believing me a brazen pervert.


Actual results:

An ad for purported Cialis, built around an unlicensed porn still photo full of girly bits in full and flagrant display, was displayed in the body of the message - but the usual "blocking external content" bar and Allow button were absent. The message just up and rendered.


Expected results:

When the message was selected, the expected behavior was that the usual "blocking external content" bar and Allow button would appear, while the offending image itself would remain hidden or signified by a broken-image icon.
tl;dr: nasty spammers are taking advantage of the client's RFC 2111 compliance, but the client doesn't distinguish RFC 2111 image parts from other message content... which really ought to fire a trigger for the user to opt-in image display like it does for images requested over port 80.

Here's the message source with the headers, blocks, and things intact, but with the base64 image source replaced to meet requirements of brevity:

Return-Path: <a776@tisoneills.com>
X-Original-To: ben@henick.net
Delivered-To: ben@henick.net
X-No-Auth: unauthenticated sender
X-No-Relay: not in my network
Received: from 42-73-250-206.EMOME-IP.hinet.net (42-73-250-206.EMOME-IP.hinet.net [42.73.250.206])
	by henick.net (Postfix) with ESMTPS id EA9041E3499A
	for <ben@henick.net>; Tue,  1 Nov 2016 14:33:06 -0500 (CDT)
Received: from [96.279.084.168] (helo=[192.168.160.134])
	by tisoneills.com with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128)
	(Exim 4.99_1)
	(envelope-from <a776@tisoneills.com>)
	id 08PPCU-DGLL1M-GH
	for <ben@henick.net>; Wed, 2 Nov 2016 03:20:15 +0800
Subject: Hello
To: <ben@henick.net>
From: "Mathias Lutz" <a776@tisoneills.com>
Message-ID: <ec02c86c-cd83-c41a-1f19-9e707a4ed409@1-trust.net>
Date: Wed, 2 Nov 2016 03:20:15 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------1A0D56C0588E725AD3CC7A6F"

This is a multi-part message in MIME format.
--------------1A0D56C0588E725AD3CC7A6F
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Hello friend. How are you?


<http://ortoxela.com.gt/ok/q6ile.php>

With less than half her attention engaged, she could not for long dismiss her fear of imprisonment ahead. First the federal military command brought the entire USA under control, as General McDonough had done in Canada. My staff and I have our hands full as is, without adding unfounded suspicions that the Council itself is lying to the people. For instance, that every civilization technologically advanced beyond us must be peaceful, else they couldn't have lasted. . At its distance, how could your robot possibly tell whether that was Emissary passing through? Hancock frowned again. The Governor General of Demeter blinked at him across her desk.  Proceed upon signal. Daniel Brodersen was born in what was still called the state of Washington and had, indeed, not broken from the USA during the civil wars, as several regions attempted and the Holy Western Republic succeeded in doing.  After Bob's death, a special election overwhelmingly gave his office to John. May I ask today for a bit more of your trust? Sure, he said, if you tell me the reasons. Brodersen curbed his temper. But tell us, Joelle. He grinned to show he meant no harm.  He could well be right, likewise, about this whole idea of a plot against us being a sick fantasy.  Suppose the Emissary expedition learned it's a false idea.
______________
Best Regards,
Mathias Lutz


--------------1A0D56C0588E725AD3CC7A6F
Content-Type: multipart/related;
 boundary="------------C7A8917B8AA7A5D05FCAE689"


--------------C7A8917B8AA7A5D05FCAE689
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hello friend. How are you?<br>
    </p>
    <p><a href="http://ortoxela.com.gt/ok/q6ile.php"><img
          src="cid:part1.2F88FBF9.1587CFB6@tisserlaw.com" alt=""
          height="400" border="0" width="581"><br>
      </a></p>
    <p>With less than half her attention engaged, she could not for long dismiss her fear of imprisonment ahead. First the federal military command brought the entire USA under control, as General McDonough had done in Canada. My staff and I have our hands full as is, without adding unfounded suspicions that the Council itself is lying to the people. For instance, that every civilization technologically advanced beyond us must be peaceful, else they couldn't have lasted. . At its distance, how could your robot possibly tell whether that was Emissary passing through? Hancock frowned again. The Governor General of Demeter blinked at him across her desk.  Proceed upon signal. Daniel Brodersen was born in what was still called the state of Washington and had, indeed, not broken from the USA during the civil wars, as several regions attempted and the Holy Western Republic succeeded in doing.  After Bob's death, a special election overwhelmingly gave his office to John. May I ask today for a bit more of your trust? Sure, he said, if you tell me the reasons. Brodersen curbed his temper. But tell us, Joelle. He grinned to show he meant no harm.  He could well be right, likewise, about this whole idea of a plot against us being a sick fantasy.  Suppose the Emissary expedition learned it's a false idea.<br>
      ______________<br>
      Best Regards,<br>
      Mathias Lutz<br>
      <br>
    </p>
  </body>
</html>

--------------C7A8917B8AA7A5D05FCAE689
Content-Type: image/jpeg;
 name="d.jpg"
Content-Transfer-Encoding: base64
Content-ID: <part1.2F88FBF9.1587CFB6@tisserlaw.com>
Content-Disposition: inline;
 filename="d.jpg"

[base64 image data omitted]
--------------C7A8917B8AA7A5D05FCAE689--

--------------1A0D56C0588E725AD3CC7A6F--
Component: Untriaged → Message Reader UI
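The message source above shows the mechanism at issue: the HTML part references the image with a `cid:` URL, and the reader resolves it to the `image/jpeg` part carrying the matching `Content-ID` header (RFC 2111), so no remote fetch happens and the "blocked content" bar never triggers. The following is an added example, not Thunderbird code, that parses such a message with Python's standard `email` package, classifies every `<img src>` as remote, embedded (cid resolved to a part) or dangling (cid with no matching part), and models the opt-in decision the reporter is asking for. The sample message is constructed from the quoted spam source: the base64 body is a short placeholder, and a remote tracking-pixel `<img>` (not present in the original message) is added so both categories appear.

```python
"""Classify <img> references in a MIME message as remote vs. embedded (cid:).

Added example; not Thunderbird's code. The sample below is constructed from
the spam message quoted in the bug: image data replaced by a placeholder,
plus one remote tracking pixel added to exercise the remote branch.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """From: "Mathias Lutz" <a776@tisoneills.com>
To: <ben@henick.net>
Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="outer"

--outer
Content-Type: text/plain; charset=utf-8

Hello friend. How are you?

--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="http://ortoxela.com.gt/ok/q6ile.php"><img
   src="cid:part1.2F88FBF9.1587CFB6@tisserlaw.com" alt="" width="581"></a></p>
<!-- constructed: remote tracking pixel, not in the quoted message -->
<p><img src="http://tracker.example/pixel.gif" alt=""></p>
</body></html>

--inner
Content-Type: image/jpeg; name="d.jpg"
Content-Transfer-Encoding: base64
Content-ID: <part1.2F88FBF9.1587CFB6@tisserlaw.com>
Content-Disposition: inline; filename="d.jpg"

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAP//2Q==

--inner--

--outer--
"""


class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def classify_images(raw_message):
    """Return {'remote': [...], 'embedded': [...], 'dangling': [...], 'other': [...]}.

    remote   - http(s) URLs the reader would fetch from a third party
    embedded - cid: references resolved to a part carried inside the message
    dangling - cid: references with no matching Content-ID part
    """
    msg = email.message_from_string(raw_message, policy=policy.default)

    # Map Content-ID (angle brackets stripped) -> MIME part, as RFC 2111 does.
    parts_by_cid = {}
    html_bodies = []
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[cid.strip().strip("<>")] = part
        if part.get_content_type() == "text/html":
            html_bodies.append(part.get_content())

    collector = _ImgSrcCollector()
    for body in html_bodies:
        collector.feed(body)

    report = {"remote": [], "embedded": [], "dangling": [], "other": []}
    for src in collector.sources:
        scheme = urlparse(src).scheme.lower()
        if scheme in ("http", "https"):
            report["remote"].append(src)
        elif scheme == "cid":
            part = parts_by_cid.get(src[len("cid:"):])
            if part is None:
                report["dangling"].append(src)
            else:
                report["embedded"].append({
                    "src": src,
                    "content_type": part.get_content_type(),
                    "bytes": len(part.get_content()),  # decoded from base64
                })
        else:
            report["other"].append(src)
    return report


def blocked_content_bar_needed(report, treat_embedded_like_remote=False):
    """Decide whether images should be withheld behind an opt-in bar.

    The reader described in the bug gates only remote images; the flag models
    the reporter's request to gate cid: images the same way.
    """
    if report["remote"]:
        return True
    return treat_embedded_like_remote and bool(report["embedded"])


if __name__ == "__main__":
    result = classify_images(SAMPLE)
    for kind in ("remote", "embedded", "dangling"):
        print(kind, result[kind])
    print("show bar (remote only):", blocked_content_bar_needed(result))
```

Run against the constructed sample, the report lists one remote URL and one embedded `image/jpeg` part; dropping the tracking pixel leaves a message that, like the one quoted in the bug, needs no remote fetch and therefore shows no bar unless `treat_embedded_like_remote=True`.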
So your complaint is that embedded and attached images actually show when the message HTML is rendered. That's desired behaviour. You could equally transmit porn as ASCII art ;-)

You can view your messages as plain text (View > Message Body As > Plain Text).

Richard, do you know of a preference to switch off all image display?

Magnus, this is a WONTFIX, right?
Flags: needinfo?(richard.marti)
Flags: needinfo?(mkmelin+mozilla)
I'm not aware of a pref to disable non-remote images. The only solution I see is to use View > Message Body As > Plain Text.
Flags: needinfo?(richard.marti)
It seems we've wandered from questions of bugginess (which doesn't exist here) to discussions of usability/HCI/propriety.

To reframe the issue: anyone can dump porn-bedazzled messages (or goodness knows what else) into an inbox.  THERE IS NO WAY TO PREVENT THIS BEHAVIOR short of a perfectly-tuned spam filter, emphasis on "perfectly".

There is no preference setting to shut down this behavior universally, which is why I expressly marked this as a "Message Reader UI" issue once I learned that the client behavior itself is compliant.

Even so, don't you think the user should have the last word on the matter of rendering binary content in the message reader?
> There is no preference setting to shut down this behavior universally, which
> is why I expressly marked this as a "Message Reader UI" issue once I learned
> that the client behavior itself is compliant.

...Turns out I'm only right about this on a technicality.  It's not a Preference bit, but the View menu option is universal.  Fair enough.

Unbury it or move/duplicate it in the Preference panes, then?  I think my own reaction demonstrates that nobody's going to look for this unless and until they NEED it, unless it's turned on by default (which would cause fury, I'm sure).
I think we could have a pref for this, if someone provided a patch (likely tricky to do though).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → DUPLICATE
(In reply to Magnus Melin from comment #6)

> *** This bug has been marked as a duplicate of bug 322533 ***

Oh, excellent.  Should I be ashamed that I didn't find the earlier bug?
Heh, no worries. I'll tell you this: very few feature requests don't already have an entry in bugzilla, unless it's related to very new technology.