Closed Bug 1778915 Opened 9 months ago Closed 9 months ago

Sending a message as attachment leads to unwanted X-Mozilla-Cloud-Part: cloudFile; header plus url with data constituting a privacy breach

Categories

(MailNews Core :: Composition, defect)

Product:
MailNews Core
Component:
Composition
Version:
Thunderbird 102
Type:
defect

Tracking

(thunderbird_esr102? fixed, thunderbird103 fixed)

Status:
RESOLVED FIXED
Milestone:
104 Branch
Tracking Flags:
Tracking Status
thunderbird_esr102 ? fixed
thunderbird103 --- fixed

People

(Reporter: b1, Assigned: TbSync)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1778915 - Add x-mozilla-cloud-part header only for cloudFile attachments. r=#thunderbird-reviewers
48 bytes, text/x-phabricator-request
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr102+
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49

Steps to reproduce:

Attach a message as a message attachment.

Actual results:

The attachment header has:

X-Mozilla-Cloud-Part: cloudFile;
url=imap-message://user%40domain.com@mail.server.com/INBOX/Test#75
Content-Type: message/rfc822; charset=UTF-8; name="test.eml"
Content-Disposition: attachment; filename="test.eml"
Content-Transfer-Encoding: 7bit

Expected results:

The X-Mozilla-Cloud-Part is not needed, the second line constitutes a privacy breach, it's none of the recipients business to know the internals of the senders message storage.

Assignee: nobody → john

I found the same, still testing a few things.

Aesthetically it's unclear why you enter getXMozillaCloudPart() for non-cloud attachments, hence our proposal with the if-block outside the function.

Keywords: checkin-needed-tb

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/ca922791520a
Add x-mozilla-cloud-part header only for cloudFile attachments. r=thunderbird-reviewers,rjl

Status: UNCONFIRMED → RESOLVED
Closed: 9 months ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

Comment on attachment 9284889 [details]
Bug 1778915 - Add x-mozilla-cloud-part header only for cloudFile attachments. r=#thunderbird-reviewers

[Approval Request Comment]
Regression caused by (bug #):
1670791
User impact if declined:
Leak info about IMAP folder structure / account name in wrongly added x-mozilla-cloud-part header

Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky):
Low, I only added an if-condition to include the header only if the attachment is a cloudFile attachment

Attachment #9284889 - Flags: approval-comm-beta?

Comment on attachment 9284889 [details]
Bug 1778915 - Add x-mozilla-cloud-part header only for cloudFile attachments. r=#thunderbird-reviewers

[Triage Comment]
Approved for beta

Attachment #9284889 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9284889 [details]
Bug 1778915 - Add x-mozilla-cloud-part header only for cloudFile attachments. r=#thunderbird-reviewers

[Approval Request Comment]
Regression caused by (bug #):
1670791
User impact if declined:
Leak info about IMAP folder structure / account name in wrongly added x-mozilla-cloud-part header

Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky):
Low, I only added an if-condition to include the header only if the attachment is a cloudFile attachment

Attachment #9284889 - Flags: approval-comm-esr102?

Comment on attachment 9284889 [details]
Bug 1778915 - Add x-mozilla-cloud-part header only for cloudFile attachments. r=#thunderbird-reviewers

[Triage Comment]
Approved for esr102

Attachment #9284889 - Flags: approval-comm-esr102? → approval-comm-esr102+
You need to log in before you can comment on or make changes to this bug.