Closed Bug 737401 Opened 12 years ago Closed 12 years ago

Secure email should send the "real" subject instead of the sanitized subject in the encrypted message body

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Product:
bugzilla.mozilla.org
Component:
Extensions
Version:
Production
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: benjamin, Assigned: glob)

References

Details

Attachments

(1 file, 1 obsolete file)

patch v2
3.37 KB, patch
dkl
: review+
Details | Diff | Splinter Review 
Using S/MIME secure mail: the outer email subject is correct:

To: benjamin@smedbergs.us
Subject: [Bug 737307] (Secure bug updated)

But the encrypted subject inside the body should be the "real" subject and not the sanitized version:

$ openssl smime -decrypt -in securemail.eml -inkey ***
Enter pass phrase for ***:
Subject: [Bug 737307] (Secure bug updated)
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
i think you're actually getting a corrupted body somehow, because the content-type and mime-version headers shouldn't be present in the body.

looking at the code, the unencrypted subject is only injected into the body if pgp is being used, not s/mime.
(In reply to Byron Jones ‹:glob› from comment #1)
> i think you're actually getting a corrupted body somehow, because the
> content-type and mime-version headers shouldn't be present in the body.

ah, that's just what Crypt::SMIME does.

we should be able to fix this by doing the subject fixup after the s/mime encryption (but before pgp).
Assignee: nobody → glob
Attached patch patch v1 (obsolete) — Splinter Review 
moves the subject sanitisation to after encryption has occurred.
Attachment #607554 - Flags: review?(gerv)
Comment on attachment 607554 [details] [diff] [review]
patch v1

oh, i forgot to fix:

> looking at the code, the unencrypted subject is only injected into the body
> if pgp is being used, not s/mime.

will fix after sleep.
Attachment #607554 - Attachment is obsolete: true
Attachment #607554 - Flags: review?(gerv)
Blocks: 737725
from bug 737725 - we have to use CRLF in the strings we prepend to the body.
Attached patch patch v2Splinter Review 
this revision always prepends the subject to the body (with CRLF line endings).
Attachment #607862 - Flags: review?(dkl)
One question: has the call to encode() been removed on purpose?

Also, I'd prefer upper-case values for $key_type ("SMIME" and "PGP")... :-)

Gerv
(In reply to Gervase Markham [:gerv] from comment #7)
> One question: has the call to encode() been removed on purpose?

yes, because i update the body in the $email object, and then pass $email->body to pgp, which is the encoded version.

> Also, I'd prefer upper-case values for $key_type ("SMIME" and "PGP")... :-)

no worries; i'll fix that on the next revision or on commit :)
(In reply to Al Billings [:abillings] from Bug 737883 comment #6)
> There is discussion in another bug that if
> you're using s/mime, which includes an encrypted subject in the body, of
> getting that set up to be pulled into the subject of the message when
> decrypted somehow.

correct, however this subject isn't used to replace the non-encrypted subject in all email clients (the rfc says the client _may_ not _should_ do this).  thunderbird doesn't behave this way :(

it also doesn't help people who are using pgp encryption, or those who don't, or can't, provide a key (such as gmail and some accounts which are distribution lists).
Comment on attachment 607862 [details] [diff] [review]
patch v2

Review of attachment 607862 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good and works as expected. r=dkl
Attachment #607862 - Flags: review?(dkl) → review+
Error in the log:

[Thu Mar 22 00:22:25 2012] [error] [client ::1] Use of uninitialized value $key_type in string eq at ./extensions/SecureMail/Extension.pm line 285.  at ./extensions/SecureMail/Extension.pm line 258 \tBugzilla::Extension::SecureMail::_make_secure(...) called at ./extensions/SecureMail/Extension.pm line 232 \tBugzilla::Extension::SecureMail::mailer_before_send(...) called at Bugzilla/Hook.pm line 33 \tBugzilla::Hook::process(...) called at Bugzilla/Mailer.pm line 174 \tBugzilla::Mailer::MessageToMTA(...) called at Bugzilla/BugMail.pm line 602 \tBugzilla::BugMail::sendMail(...) called at Bugzilla/BugMail.pm line 442 \tBugzilla::BugMail::Send(...) called at /home/dkl/devel/htdocs/stable/attachment.cgi line 734 \tmain::update(...) called at /home/dkl/devel/htdocs/stable/attachment.cgi line 132 , referer: http://fedora/stable/attachment.cgi?id=142263&action=edit
uninitialized warning fixed on commit.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.0/
modified extensions/SecureMail/Extension.pm
Committed revision 8102.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/SecureMail/Extension.pm
Committed revision 8089.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bugzilla/extensions/securemail/4.0/
modified Extension.pm
Committed revision 17.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Depends on: 738154
No longer blocks: 737725
Component: Extensions: SecureMail → Extensions
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: