Closed Bug 1630278 Opened 1 year ago Closed 1 year ago

Silently ignore signature when streaming OpenPGP for quoting and no from email address is available

Categories

(MailNews Core :: Security: OpenPGP, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 77.0

People

(Reporter: KaiE, Assigned: KaiE)

Details

Attachments

(1 file)

In the scenario I'll describe below, the "from" email address isn't available in the MIME decrypt code.

However, in that scenario we don't need it, so it seems OK to silently skip the attempt to process the signature, and claim there's no signature present.

(An encrypted email can be signed, too. One part of verifying the signature is comparing the user ID contained in the signer key with the email sender email address. If there's a mismatch, the signature cannot be accepted. If we don't have the sender address, we cannot perform this check.)

Scenario:

  • click encrypted+signed email in INBOX
  • click a different folder
  • click on the INBOX folder
    (the email you clicked previously will be shown again)
  • click reply

Now, when quoting the message contents, which requires to run through mimeDecrypt, we don't have the email address available.

(It cannot be found using EnigmailDecryption.getFromAddr(win) or EnigmailDecryption.getFromAddr(Services.wm.getMostRecentWindow(null)))

In addition I have a small ride-along fix, which makes copying a single public to clipboard in the key manager work.

Plus ride along fix for copying public key to clipboard in key manager

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/8258edd762d0
Silently ignore signature when streaming OpenPGP for quoting and no from email address is available. r=PatrickBrunschwig

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 77.0
You need to log in before you can comment on or make changes to this bug.