Closed Bug 451840 Opened 16 years ago Closed 16 years ago

downloads remote images when email forwarded

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 263345

People

(Reporter: dcsheppard, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: thunderbird build 2.0.0.16 (20080708)

For security reasons the remote images are not downloaded when the original email is displayed. However, because this was a phishing email I copied it to the appropriate reporting authority but I was shocked to find that the images had been downloaded in the copied email.  Surely the remote images should still be blocked?

Reproducible: Always

Steps to Reproduce:
1.Copy email with remote images and forward.
Forward email has images displayed.
2.
3.
Actual Results:  
Remote images are downloaded

Expected Results:  
Remote images should be blocked
I'm not able to reproduce this in 2.0.0.16 on Windows.  When I forward the message with an external image, a placeholder shows up with the alternate text, but no image, and the web server logs don't show the image as having been retrieved.

Can you try reproducing this with a non-phishing E-Mail?  I wonder if the phishing E-Mail is doing something that's tricking the normal image blocking.

This was formerly a problem, but was fixed in bug 263345 by way of bug 330443.  SeaMonkey has a similar bug 370552, which may be related.
Whiteboard: closeme 2008-09-11
Because my email server won't accept forwarded mail I actually selected all the email and copied and pasted to a new message.  This pasted text showed the blocked images.
This is what my tests showed:

Actually forwarding or replying via the forward/reply commands do not load remote images. Copying the text into the composer does, however, load remote images. The text copy is most likely copying raw HTML, so the compose window is probably unable to differentiate between "I copied this from my browser", "I copied this from an email", and "I copied this from an email with remote images blocked.

Disabling remote images in compose for new types (compose disables for all but new compositions, unless overridden) is probably worse than enabling it.

In any case, the original specification of the bug, in email forwarding, is a duplicate of bug 263345.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Whiteboard: closeme 2008-09-11
You need to log in before you can comment on or make changes to this bug.