Closed Bug 1334946 Opened 7 years ago Closed 7 years ago

'ALLOW REMOTE CONTENT' toggle is broken!

Categories

Component: Thunderbird :: Security
Version: 45 Branch
Platform: Unspecified, macOS
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1074134

People

(Reporter: champagne7, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20100101

Steps to reproduce:

Blocking of remote content in messages only works intermittently, depending on the source.  This creates a false sense of security and confuses the user.

Please refer to the following report
https://bugzilla.mozilla.org/show_bug.cgi?id=1074134


Actual results:

This bug is a duplicate of 1074134.  It is being reported again for the following reasons:

1.  The bug has remained unconfirmed for well over 2 years.  A confirmation method was provided in 2016, but no one with classification authority has subscribed to the bug.  By filing a duplicate of 1074134, I hope to prompt a review and get this issue confirmed.

2.  Since this critical flaw has been ignored for so long, a simplified and memorable title is obviously needed to obtain more exposure

3.  The bug was wrongly tagged as "security low" when it is potentially a very serious security issue for journalists and whistleblowers in oppressive mass-surveillance regimes who need location privacy for a specific email account.

4.  The bug is now being actively exploited by spammers.



Expected results:

Please refer to the following report
https://bugzilla.mozilla.org/show_bug.cgi?id=1074134
OS: Unspecified → Mac OS X
What's the point of reporting a duplicate? You should promote a solution in the other bug. Apparently no one could reproduce the problem there.

As you know, TB is open source run by a small community of volunteers. If you're not happy with the progress, I'm afraid, you'd have to fix the problem yourself or hire someone to do it.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
> What's the point of reporting a duplicate?

The purpose was clearly stated above, in the original post.  Did you read it?


> You should promote a solution in the other bug.

That is precisely what I have been doing for the past month, and it has been completely ignored.  What part of this did you not understand?  I clearly stated that the bug is over 2 years old.  I clearly stated that a new confirmation method was provided last year and no one responded.  I uploaded 2 new files, along with a description of the method.  I also wrote several replies to different people hoping that someone would be alerted.  All of those efforts failed -- hence the reason for this new report.  Please take the time to read these posts and become familiar with the issues before making nasty remarks and false accusations!


> Apparently no one could reproduce the problem there.

No one has even ATTEMPTED to reproduce the problem using the method which I provided because they are unaware of the new activity in that thread.  Other than filing a duplicate bug report, what else could I have done to bring this to the attention of the responsible parties?!


> As you know, TB is open source run by a small community of volunteers.

And I am one of those volunteers.  I am the first person to provide a working confirmation method since the bug was reported in 2014.  I guess the old saying is true: "no good deed goes unpunished."


> If you're not happy with the progress, I'm afraid, you'd have to fix the problem yourself

If you can't be bothered to actually read the content which is posted by troubleshooters & beta testers, and you only want to be rude, perhaps you should consider resigning from this job.  I don't believe that Mozilla needs or wants to be represented the way they are here.
(In reply to ga48 from comment #2)
> The purpose was clearly stated above, in the original post.  Did you read it?
Yes, but we don't tolerate duplicates.

> > You should promote a solution in the other bug.
> That is precisely what I have been doing for the past month, ...
You need to get the attention of a TB core developer. None of them was subscribed on bug 1074134. I have subscribed now, and I can take a look at the bug in due course since I happen to be familiar with the blocking function.
 
> > As you know, TB is open source run by a small community of volunteers.
> And I am one of those volunteers.
According to your BMO profile, you joined BMO and filed exactly one bug, this duplicate here. Whilst we appreciate all contributions, big or small, you are not a member of the "small community of volunteers" which runs Thunderbird since Mozilla withdrew paid staff in 2012.

> perhaps you should consider resigning from this job.
Before suggesting the resignation of a TB key developer, member of the Thunderbird Council, Thunderbird and Mailnews peer, you should perhaps have done some background checks on who you're talking to ;-)

I'll see you in the other bug when I find the time.
> According to your BMO profile, you joined BMO and filed exactly one bug

I lost access to the other account and was working on a client's machine for many hours to devise a method to reproduce this bug.  The client could easily switch to Mac mail, but that is not the point.  My efforts were on behalf of the entire community, because millions of users are potentially affected by this issue.  It might affect other platforms too.  If you are really that busy, how is it productive to analyze my Bugzilla account and debate the value of my contributions to Thunderbird security?


> I'll see you in the other bug when I find the time.

Since only a subset of spammers are exploiting the bug, the spam server must remain operational in order to reproduce the issue.  This is why I have been trying to alert someone for the past 30 days that a reliable method is now available to confirm the issue.  I understand there are not enough developers to fix all bugs in a timely manner.  However, this bug is both potentially serious and difficult to reproduce.  For this reason, I believe it should be a higher priority.


> Yes, but we don't tolerate duplicates.
> You need to get the attention of a TB core developer.

Then I must restate the previous question which was not answered, for it is an important matter of policy & procedure:

Considering the time-sensitive nature of the method I provided, other than filing a duplicate bug report, what else could I have done to bring this matter to the attention of a core developer?


> Before suggesting the resignation of a TB key developer, member of the Thunderbird Council, Thunderbird and Mailnews peer

You basically told me to “go away” by claiming that my reports were inappropriate.  I believe this was an improper response.  If there is a better method of handling the issue, you did not indicate what that method is.  I sincerely appreciate your contributions to this project, but in this particular situation, I still think this report was justified if no other contact method is readily available.  Thanks for your cooperation.
Blocks: TB52found
(In reply to ga48 from comment #4)
> If you are really that busy, how is it productive to analyze my Bugzilla account
The "analysis" was one click away. Also, you suggested my resignation, so I needed to see who made this outrageous suggestion.

> Considering the time-sensitive nature of the method I provided, other than
> filing a duplicate bug report, what else could I have done to bring this
> matter to the attention of a core developer?
Well, by filing a duplicate, you did manage to get my attention since I regularly review all new bugs. You must also accept that the duplicate was closed. As for your question, there is no easy answer. People working regularly on TB of course know the developers in charge. Maybe the best way to attract attention would have been to NI (need-info) a module owner or peer:
https://wiki.mozilla.org/Modules/Thunderbird
https://wiki.mozilla.org/Modules/MailNews_Core

My analysis in bug 1074134 comment #18 shows that your test case provided in that other bug was invalid. So I really don't understand what you wrote here:
> ... that a reliable method is now available to confirm the issue ...
> However, this bug is both potentially serious and difficult to reproduce.
> For this reason, I believe it should be a higher priority.
According to my analysis, you manually unblocked remote content in the message in question and that unblocking was stored in the mailbox.

There is an issue when white-listing your own address, so the discussion continues in bug 1074134. Two other core-developers (mkmelin, aceman) got interested and subscribed to that bug.
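An added illustration, not Thunderbird's code, of the two behaviours comment #5 attributes to the test case: a per-message unblock that is persisted with the message, and an address-book whitelist that a spoofed From: of the user's own address can satisfy. The address book, the Authentication-Results header format and both messages are constructed; the hardened variant is one possible mitigation, honouring the whitelist only when the receiving MTA recorded a passing DKIM result.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: the user's own address is listed, as is common.
ADDRESS_BOOK = {"alice@example.org", "bob@example.net"}

# Constructed spam that spoofs the recipient's own address (no DKIM).
SPOOFED = """From: Alice <alice@example.org>
To: alice@example.org
Authentication-Results: mx.example.org; dkim=none; spf=fail

<img src="http://tracker.invalid/pixel.gif">
"""

# Constructed legitimate message from an address-book contact, DKIM verified.
SIGNED = """From: Bob <bob@example.net>
To: alice@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=example.net

<img src="http://cdn.example.net/logo.png">
"""

def sender(raw: str) -> str:
    """Lower-cased address part of the From: header."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def dkim_passed(raw: str) -> bool:
    """True when the receiving MTA recorded dkim=pass (constructed header)."""
    results = message_from_string(raw).get("Authentication-Results", "")
    return "dkim=pass" in results.replace(" ", "").lower()

def allow_remote_naive(raw: str, unblocked_before: bool) -> bool:
    """Whitelist decided by the From: header alone.

    unblocked_before models the per-message "allow" that is stored with the
    message once the user clicks it, which is why that message keeps showing
    remote content even after the global toggle is switched back to block."""
    return unblocked_before or sender(raw) in ADDRESS_BOOK

def allow_remote_hardened(raw: str, unblocked_before: bool) -> bool:
    """Honour the address-book whitelist only for an authenticated sender."""
    if unblocked_before:
        return True
    return sender(raw) in ADDRESS_BOOK and dkim_passed(raw)
```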
Wayne, why should this block bug 1313774? Besides, the issue is as old as blocking remote content in TB 31(?).
No longer blocks: TB52found