Closed Bug 239954 Opened 20 years ago Closed 20 years ago

Block loading of remote images lets TD backgrounds through

Categories

(Thunderbird :: Preferences, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: lp, Assigned: mscott)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040404 Firefox/0.8.0+ (mmoy-O2-GL7-SSE2-crc32-gifalloc)
Build Identifier: Mozilla Thunderbird 0.5+ (20040330) (swalker)

I just noticed today on two separate emails that TDs with the background
attribute load remote images even if you've set it in preferences not to.
An offending line in the HTML mail looks like so in a Bioware newsletter:

<td width="460" colspan="3"
background="http://nsl.bioware.com/bc12/communitybar.jpg"
style="background-image: url(http://nsl.bioware.com/bc12/communitybar.jpg);
width: 460px; height: 32px; padding: 0 15px 5px 15px;">

Hope it helps :)

Reproducible: Always
Steps to Reproduce:




I'm setting it as Major because spammers could use it for web beacons...

I can confirm this happens with the latest RC build of Thunderbird 0.6. It is
always reproducible by e-mailing yourself with the following HTML in your message:

<p style="background: transparent url(http://anyurl.com/image.gif) repeat-x
scroll 0%; -moz-background-clip: initial; -moz-background-origin: initial;
-moz-background-inline-policy: initial;">This uses the URL for a background
image even when Block Remote images is enabled.</p>

There's the same flaw on the BODY tag of the message.
For example,
<BODY background="http://server.com/image.gif">
gets loaded even though it should be blocked.

Same result with something like:

<style type="text/css">
body {
background: url(http://some.site/some.image);
}
</style>

I am noticing the same thing, but this time it's the table element whose
background is set, such as in the following:

<table background="http://www.abcxyz.def/image.png">

(thunderbird version 0.6)

I can confirm this bug for Thunderbird 0.7.1.
Obviously, the developers did not consider the (deprecated)
background-attribute of several HTML-elements and the possibility to define
background images within style sheets respectively within the style-attribute.

As a temporary workaround, I have exclusively allowed these ports for
Thunderbird in my firewall:
SMTP:	25
IMAP4: 143 (using TLS/SSL): 993
POP3:  110 (using TLS/SSL): 995

I have attached an .eml-file which demonstrates the possibility to load
external images by using the background-attribute inside the body-element and
by using the style-attribute.
You can import the .eml-file into Thunderbird by using this extension:
http://www.supportware.net/mozilla/#ext9

Confirm this bug still exists in Thunderbird version 0.7.3 (20040803).
Background images should be blocked just like <img> images.

*** Bug 250735 has been marked as a duplicate of this bug. ***

Confirming with a recent branch tree from CVS.
When I look at attachment 154152, I see the flowers. :)
Status: UNCONFIRMED → NEW
Ever confirmed: true

The bug seems to be resolved with the release of TB 0.8.
At least my demonstration file won't display any background images anymore.
Great work. Thanks a lot.

Yours,
Michael

Thunderbird 0.9+ 20041105

I think this is a problem with styles. I have tried to do the same with a
background style:

"background: white url(http://site/picture.gif) fixed no-repeat right bottom"

and removed the explicit background image path. After that the image was not 
attached to the email and it was shown even when image downloading is disabled. 

So there are two problems:
1. Style urls are not blocked.
2. Images referenced in styles are not attached to the message and their urls
are not updated.

Depends on: ImgInMail
Attachment #154152 - Attachment mime type: text/plain → message/rfc822

I no longer see this on TB 1.0
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
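
An added example, not part of the bug report or Thunderbird's code: a Python audit helper that lists every remote image reference in an HTML mail body, covering the vectors reported in this bug (background attributes, style attributes, style elements) alongside img src. The names RemoteRefFinder and find_remote_refs are hypothetical, and the sample message is constructed from the snippets quoted above; non-image loads such as CSS @import are out of scope.

```python
import re
from html.parser import HTMLParser

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)  # target of a CSS url(...)
REMOTE = re.compile(r"^(https?:)?//", re.I)                # http(s) or scheme-relative

class RemoteRefFinder(HTMLParser):
    """Record (vector, url) for each remote image reference in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.found, self._in_style = [], False

    def _add(self, vector, url):
        if REMOTE.match(url.strip()):           # cid: and data: parts stay local
            self.found.append((vector, url.strip()))

    def handle_starttag(self, tag, attrs):      # tag and attribute names arrive lowercased
        if tag == "style":
            self._in_style = True
        for name, value in ((n, v or "") for n, v in attrs):
            if tag == "img" and name == "src":
                self._add("img src", value)
            elif name == "background":          # deprecated attribute on body/table/td
                self._add(f"{tag} background attribute", value)
            elif name == "style":               # inline CSS on any element
                for u in CSS_URL.findall(value):
                    self._add(f"{tag} style attribute", u)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                      # CSS inside a <style> element
            for u in CSS_URL.findall(data):
                self._add("style element", u)

def find_remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed sample assembled from the snippets quoted in this bug.
SAMPLE = """<style>body { background: url(http://some.site/some.image); }</style>
<BODY background="http://server.com/image.gif">
<table background="http://www.abcxyz.def/image.png"><tr>
<td style="background-image: url(http://nsl.bioware.com/bc12/communitybar.jpg);">x</td>
</tr></table><img src="cid:logo"><img src="http://anyurl.com/image.gif"></BODY>"""
```

Any message for which find_remote_refs returns entries other than "img src" exercises the paths this bug describes, so it makes a useful regression input when checking that a mail client's remote-image blocking covers them.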