An inline signed OpenPGP message having lines with leading whitespace fails to verify
Categories: MailNews Core :: Security: OpenPGP, defect, P1
Tracking: thunderbird_esr78+ fixed, thunderbird85 fixed
People: Reporter: KaiE, Assigned: KaiE
Attachments (2 files)
47 bytes, text/x-phabricator-request; wsmwk: approval-comm-beta+, wsmwk: approval-comm-esr78+
47 bytes, text/x-phabricator-request; wsmwk: approval-comm-beta+
Receive an inline signed message, starting with BEGIN PGP SIGNED MESSAGE and (not PGP/MIME).
If the plain text message contains lines that begin with leading whitespace, the signature verification fails.
Comment 1 (Assignee) • 3 years ago
The failure is caused by the following line
msgText = EnigmailMsgRead.trimAllLines(msgText);
found in messageParse(), in file enigmailMessengerOverlay.js
Patrick, do you remember the intention of this trim?
It seems incorrect when processing an inline message.
Should this line be removed - or should trim be limited to certain scenarios?
Comment 2 • 3 years ago
I believe that this is only relevant for the conversion of certain HTML mails to plain text.
Comment 3 (Assignee) • 3 years ago
Updated (Assignee) • 3 years ago
Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/cd8a00e0e3b1
Limit trimming of OpenPGP messages to the separator line. r=PatrickBrunschwig DONTBUILD
Comment 5 (Assignee) • 3 years ago
I realize that the commit message no longer reflected reality.
We left-trim all lines for encrypted messages, and don't trim anything for signed messages.
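An added example, not part of the bug thread and not Thunderbird's code, of why the trimming discussed in comments 1 and 5 breaks verification: an RFC 4880 cleartext signature covers leading whitespace but not trailing whitespace. All function names and both sample messages are constructed for illustration.

```javascript
// Added illustration; every function name here is hypothetical, not Thunderbird code.
const SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----";
const SIGNATURE = "-----BEGIN PGP SIGNATURE-----";
const ENCRYPTED = "-----BEGIN PGP MESSAGE-----";

// Text a verifier hashes for a cleartext-signed message (RFC 4880, section 7.1):
// armor headers dropped, dash-escaping undone, trailing spaces and tabs removed,
// lines joined with CRLF. Leading whitespace is kept, so it is signed data.
function signedText(msg) {
  const lines = msg.split(/\r?\n/);
  const start = lines.indexOf(SIGNED);
  const end = lines.indexOf(SIGNATURE);
  const blank = lines.indexOf("", start); // empty line ends the "Hash:" headers
  if (start < 0 || blank < 0 || end < blank) throw new Error("not cleartext-signed");
  return lines.slice(blank + 1, end)
    .map((l) => l.replace(/^- /, "").replace(/[ \t]+$/, ""))
    .join("\r\n");
}

// Stand-in for trimming applied to every message (assumed to strip both ends).
const trimEveryLine = (msg) => msg.split(/\r?\n/).map((l) => l.trim()).join("\n");

// Policy from comment 5: left-trim encrypted blocks, leave signed text untouched.
function prepareInline(msg) {
  if (msg.includes(SIGNED)) return msg;
  if (!msg.includes(ENCRYPTED)) return msg;
  return msg.split(/\r?\n/).map((l) => l.trimStart()).join("\n");
}

// True when the transform leaves the signed data, and so the verdict, unchanged.
const survives = (transform, msg) => signedText(transform(msg)) === signedText(msg);

// Constructed sample; the signature body is a placeholder, not a real signature.
const signedSample = [
  SIGNED, "Hash: SHA256", "",
  "Steps:", "    indented step\t", "- --dashed",
  SIGNATURE, "", "(placeholder)", "-----END PGP SIGNATURE-----",
].join("\n");

// Constructed sample: an encrypted block whose lines were indented in transit.
const encryptedSample = ["  " + ENCRYPTED, "  ", "  (placeholder)",
  "  -----END PGP MESSAGE-----"].join("\n");

console.log(survives(trimEveryLine, signedSample));
console.log(survives(prepareInline, signedSample));
console.log(prepareInline(encryptedSample).split("\n")[0]);
```
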
Comment 6 (Assignee) • 3 years ago
Comment on attachment 9192000 [details]
Bug 1679769 - Limit trimming of OpenPGP messages to the separator line. r=PatrickBrunschwig
[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: we show false security status
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): medium, potentially some other messages will get incorrect security status, but no scenario is known yet
Updated (Assignee) • 3 years ago
Comment 7 (Assignee) • 3 years ago
Hmm, there was no merge yet. So apparently this will automatically be part of the next beta, without beta uplift?
Updated (Assignee) • 3 years ago
Comment 8 (Assignee) • 3 years ago
Updated (Assignee) • 3 years ago
Comment 9 (Assignee) • 3 years ago
(In reply to Kai Engert (:KaiE:) from comment #7)
> Hmm, there was no merge yet. So apparently this will automatically be part of the next beta, without beta uplift?
I was wrong, the merge happened already, thanks to justdave for clarifying. I'll request beta uplift.
Comment 10 • 3 years ago
Would be preferable to land test and fix at the same time. I'll land the test for today's nightly.
Comment 11 • 3 years ago
Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/73831e108c0a
Add test for signed inline message with leading whitespace. r=mkmelin
Updated (Assignee) • 3 years ago
Updated • 3 years ago
Comment 12 • 3 years ago
Comment on attachment 9193206 [details]
Bug 1679769 - Add test for signed inline message with leading whitespace. r=mkmelin
[Triage Comment]
Approved for beta
Comment 13 • 3 years ago
Comment on attachment 9192000 [details]
Bug 1679769 - Limit trimming of OpenPGP messages to the separator line. r=PatrickBrunschwig
[Triage Comment]
Approved for beta
Comment 14 • 3 years ago
bugherder uplift
Thunderbird 85.0b3:
https://hg.mozilla.org/releases/comm-beta/rev/44d6f6ef9434
https://hg.mozilla.org/releases/comm-beta/rev/34635409b5e5
Comment 15 (Assignee) • 3 years ago
Comment on attachment 9192000 [details]
Bug 1679769 - Limit trimming of OpenPGP messages to the separator line. r=PatrickBrunschwig
[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: we show false security status
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): medium, potentially some other messages will get incorrect security status, but no scenario is known yet
Comment 16 • 3 years ago
Comment on attachment 9192000 [details]
Bug 1679769 - Limit trimming of OpenPGP messages to the separator line. r=PatrickBrunschwig
[Triage Comment]
Approved for esr78
Comment 17 • 3 years ago
bugherder uplift