Closed Bug 723086 Opened 12 years ago Closed 11 years ago

Invalid S/MIME Content-Description mail header - Non-encoded 8-bit data

Categories

(MailNews Core :: Security: S/MIME, defect)

Product:
MailNews Core
Component:
Security: S/MIME
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(thunderbird11 wontfix, thunderbird12 affected, thunderbird13 affected, thunderbird-esr10 affected)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 27.0
Tracking Flags:
Tracking Status
thunderbird11 --- wontfix
thunderbird12 --- affected
thunderbird13 --- affected
thunderbird-esr10 --- affected

People

(Reporter: tkrah, Assigned: mkmelin)

References

Details

(Keywords: regression, Whiteboard: [regression:TB5])

Attachments

(1 file, 2 obsolete files)

bug723086_s-mime-content_description_v2.patch
3.88 KB, patch
jcranmer
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Build ID: 20111228084940

Steps to reproduce:

Using Thunderbird 9.0.x or 10.0 i did write and text/plain email. Checked smime signature and smime encryption.
I am using the german port of thunderbird.


Actual results:

The email created does contain non-encoded 8bit data in its mail header (Content-Description):

Content-Description: S/MIME Verschlüsselte Nachricht

But the german "ü" should have beed encoded, e.g. using quoted printable.



Expected results:

The header should not show any non-encoded 8bit data, instead it should be encoded.
Component: Message Compose Window → Security
QA Contact: message-compose → thunderbird
I can CONFIRM this observation with TB 10.0.1 on Linux. But in fact, I don't think that content-description should be localised at all:

Some MUAs (mutt, horde) use content-description along with the other fields to decide whether the message is signed only or encrypted also. Decrypting a TB-encrypted message with localised content-description fails in mutt; reverting content-description back to the English version enables mutt to decrypt that message again.

So please: Do not localise content-description.
Bug 507804 is the cause of this bug.

Workaround is to change these strings back to English:
(/mail/locales/en-US/chrome/messenger/am-smime.properties)
## Strings used by nsMsgComposeSecure
mime_multipartSignedBlurb=This is a cryptographically signed message in MIME format.
mime_smimeEncryptedContentDesc=S/MIME Encrypted Message
mime_smimeSignatureContentDesc=S/MIME Cryptographic Signature
(In reply to Masahiko Imanaka [:marsf] from comment #2)
> Bug 507804 is the cause of this bug.
> 
> Workaround is to change these strings back to English:
> (/mail/locales/en-US/chrome/messenger/am-smime.properties)
> ## Strings used by nsMsgComposeSecure
> mime_multipartSignedBlurb=This is a cryptographically signed message in MIME
> format.
> mime_smimeEncryptedContentDesc=S/MIME Encrypted Message
> mime_smimeSignatureContentDesc=S/MIME Cryptographic Signature

Is there a better way than this that could be created in the form of a patch ?
Blocks: 507804
This was thought of but apparently no tested until now.

(In reply to David :Bienvenu from bug 507804 comment #18)
> (In reply to comment #17)
> > David, what will happen if people actually translate these strings, and we end
> > up with non-ascii text in the ascii email headers? Couldn't that cause
> > problems?
> 
> We convert them to utf8 (two of these are message header values, the other
> goes into the message body, right?). I think the message send code should
> figure out the right encoding, unless the s/mime code inserts itself into
> the process too late. We should definitely try this and see that we're not
> generating invalid headers or message body.
Status: UNCONFIRMED → NEW
status-thunderbird11: --- → wontfix
status-thunderbird12: --- → affected
status-thunderbird13: --- → affected
status-thunderbird-esr10: --- → affected
Ever confirmed: true
If I'm reading my standards correctly, then in http://tools.ietf.org/html/rfc5335 section 4.3, it states:

=====
To allow the use of UTF-8 in a Content-Description header field
   [RFC2045], the following syntax is used:

   description   = "Content-Description:" unstructured CRLF

   The <utext> syntax is extended above to allow UTF-8 in all
   <unstructured> header fields.
=====

So as of RFC 5335, then utf-8 strings are allowed in the Content-Description header. However, that is still officially an experimental rfc, so possibly as referenced in comment 4, we probably need this encoded in some form.
There are really two issues here:

A) Should the header field be localized?
B) Is (and if: how is) UTF-8 used in the field?

If the answer to A is "no" then B is a non-issue.

And I'm still maintaining that the answer to A should be "no", as argued in comment #1.
(In reply to Mark Banner (:standard8) from comment #6)
> If I'm reading my standards correctly, then in
> http://tools.ietf.org/html/rfc5335 section 4.3, it states:

RFC 5335 is experimental and obsoleted by RFC 6532 (which is proposed standard), but the latter was published only 8 months ago.

> So as of RFC 5335, then utf-8 strings are allowed in the Content-Description
> header. However, that is still officially an experimental rfc, so possibly
> as referenced in comment 4, we probably need this encoded in some form.

UTF-8 headers are valid, but, strictly-speaking, only if we can guarantee that our underlying transport handles them correctly. I don't recall how our entire MIME composition-and-send pipeline works, but I'm pretty sure we don't check for 8-bit MIME support before rewriting with RFC 2047, so we probably ought to unconditionally encode as necessary for now.
Attached patch proposed fix (obsolete) — Splinter Review 
So according to rfc 6532 utf-8 is allowed - but obviously there's still problems.

Making a string mime encoded doesn't seem anywhere easy to me. But then again, i don't see why we would need to have this localized. This is stuff only ever seen by people looking at the message source. So, i propose to just use the raw English strings. (We have better things to spend time on.)
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #794221 - Flags: review?(mbanner)
Component: Security → Security: S/MIME
OS: Linux → All
Product: Thunderbird → MailNews Core
Hardware: x86_64 → All
Comment on attachment 794221 [details] [diff] [review]
proposed fix

Review of attachment 794221 [details] [diff] [review]:
-----------------------------------------------------------------

jcranmers new encoder does seem to make it way less painful.

Btw, should fieldnamelen include colon and space?
http://mxr.mozilla.org/comm-central/source/mailnews/mime/public/nsIMimeConverter.idl#39
Attachment #794221 - Flags: review?(mbanner)
Encoding then...
Attachment #794221 - Attachment is obsolete: true
Attachment #794790 - Flags: review?(Pidgeot18)
Comment on attachment 794790 [details] [diff] [review]
bug723086_s-mime-content_description_v2.patch

Not this one...
Attachment #794790 - Attachment is obsolete: true
Attachment #794790 - Flags: review?(Pidgeot18)
Comment on attachment 794790 [details] [diff] [review]
bug723086_s-mime-content_description_v2.patch

Eh, so it's the correct uploaded patch after all.
Attachment #794790 - Attachment is obsolete: false
Attachment #794790 - Flags: review?(Pidgeot18)
Comment on attachment 794790 [details] [diff] [review]
bug723086_s-mime-content_description_v2.patch

Review of attachment 794790 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the delay.

::: mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
@@ +473,5 @@
> +     do_GetService(NS_MIME_CONVERTER_CONTRACTID, &rv);
> +  NS_ENSURE_SUCCESS(rv, rv);
> +  char *encodedContentDescription = nullptr;
> +  mimeConverter->EncodeMimePartIIStr_UTF8(enc_content_desc_utf8, false,
> +      NS_LITERAL_CSTRING("UTF-8").get(),

We call this "UTF-8" :-)

@@ +476,5 @@
> +  mimeConverter->EncodeMimePartIIStr_UTF8(enc_content_desc_utf8, false,
> +      NS_LITERAL_CSTRING("UTF-8").get(),
> +      sizeof("Content-Description: "),
> +      nsIMimeConverter::MIME_ENCODED_WORD_SIZE,
> +      &encodedContentDescription);

You never free encodedContent. Sticking this in an nsCString and using getter_Copies is preferable.
Attachment #794790 - Flags: review?(Pidgeot18) → review-
Indeed ;)
Attachment #794790 - Attachment is obsolete: true
Attachment #804876 - Flags: review?(Pidgeot18)
Summary: Invalid Content-Description mail header - Non-encoded 8-bit data → Invalid S/MIME Content-Description mail header - Non-encoded 8-bit data
Comment on attachment 804876 [details] [diff] [review]
bug723086_s-mime-content_description_v2.patch

Review of attachment 804876 [details] [diff] [review]:
-----------------------------------------------------------------

::: mailnews/extensions/smime/src/nsMsgComposeSecure.cpp
@@ +624,1 @@
>            

Clean up this trailing whitespace while you're near?
Attachment #804876 - Flags: review?(Pidgeot18) → review+
https://hg.mozilla.org/comm-central/rev/61512a3e1797 -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 27.0
Keywords: regression
Whiteboard: [regression:TB5]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: