Closed Bug 819171 Opened 13 years ago Closed 7 years ago

Automatic inclusion of files in an outgoing email

Categories

(Thunderbird :: Message Compose Window, defect)

17 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 52.0

People

(Reporter: gary, Unassigned)

References

Details

(Keywords: csectype-disclosure, reporter-external, sec-low, Whiteboard: [fixed by bug 1151366])

Attachments

(1 file)

Attached file Example link.
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121024073032

Steps to reproduce:

When sending an HTML email, local files from your computer (and it may well work for network drives) can be sent automatically without user intervention. There is no indication that the file is being sent, nor any indication on the received email (so if you BCC yourself) that there are attachments.

Actual results:

If you copy and paste a full URL link to a file on your computer into an email, Thunderbird will automatically include this file as an attachment in the email. However, there is no user confirmation that this has occurred. Also, the sent email does not look as though there are attachments, so the issue can be missed. So if you copy/paste a chunk of HTML from a web page that contains the correct URL, the file will be automatically sent in the email. For example, with <a href="file://c:/Windows/System32/dxdiag.exe">Click me</a> the dxdiag.exe file will be sent in the email. It's not a big jump to see how this could be used in a social engineering attack.

Expected results:

When you paste the link, "Attach the source of this link to the message" is automatically checked, but the user isn't aware of it. A message box asking for confirmation of the attachment should be displayed to the user. This should happen every time, and a setting should be made available to set the default behavior.
Keywords: csec-other
Flags: sec-bounty?
Attachment #689465 - Attachment mime type: text/plain → text/html
Confirming, and CC'ing Callek so he can check for the same problem in SeaMonkey.

There are two related problems: first, that files are attached to the mail without warning, and second, that they don't appear as attachments when received. (The file does appear as an attachment in my junk and trash folders, though.) The second is less serious than the first.

When links point at web destinations (I tried http:// and ftp://) the mail simply contains the links; this appears to be special file:/// behavior.

Auto-attaching local files as in-line images without asking makes sense: the author knows that information will be sent because it shows up right there in the mail body, and how Thunderbird makes that happen is less important. But a link is a link--a reference--and including the file is surprising in a potentially bad way. I agree it can be helpful in some cases, but it seems much safer to deal with it the way Thunderbird handles the case when the user mentions the word "attachment":

"You have included a link to a local file to which recipients will not have access. Would you like to attach that file to this mail?"

Recipients might well have access to file:/// links on network drives if they work at the same company as the sender. In other cases it's possible the link came from copy/paste and was never intended to share the document. Could lead to some accidental DOSing of people if you linked to big documents. "Click here to download the Visual Studio installer from the network share"
Status: UNCONFIRMED → NEW
Component: Untriaged → Message Compose Window
Ever confirmed: true
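The confirming comment above draws the line the fix needs: a file:// inline image is visible to the author, but a file:// link is not, so the composer should ask before attaching. The following is an added example, not Thunderbird or SeaMonkey code, of a pre-send check that finds file:// references in an HTML body and flags the link case; the sample body and the function names are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value names a resource the composer may try to attach.
# A plain link is the surprising case the bug describes; an inline image
# is visible in the body, so the author knows it will be sent.
LINK_ATTRS = {"a": "href", "area": "href"}
INLINE_ATTRS = {"img": "src"}

class FileRefScanner(HTMLParser):
    """Collects (kind, url) pairs for every file:// URL in the body."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        for table, kind in ((LINK_ATTRS, "link"), (INLINE_ATTRS, "inline")):
            attr = table.get(tag)
            url = attrs.get(attr) if attr else None
            # urlsplit lowercases the scheme, so "FILE://..." is caught too.
            if url and urlsplit(url.strip()).scheme == "file":
                self.refs.append((kind, url.strip()))

def local_file_refs(html):
    """Return [(kind, url), ...] for file:// references in an HTML body."""
    scanner = FileRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.refs

def confirmation_needed(html):
    """True when a plain file:// link is present and the composer should ask."""
    return any(kind == "link" for kind, _ in local_file_refs(html))

# Constructed sample: the reporter's pasted anchor, an inline image, and an
# ordinary web link, which the confirming comment notes stays a plain link.
SAMPLE = (
    '<p><a href="file://c:/Windows/System32/dxdiag.exe">Click me</a></p>'
    '<img src="file:///C:/Users/me/Pictures/logo.png">'
    '<a href="http://example.com/dxdiag.exe">web link</a>'
)

if __name__ == "__main__":
    for kind, url in local_file_refs(SAMPLE):
        print(f"{kind:6} {url}")
    print("prompt user:", confirmation_needed(SAMPLE))
```

Wiring such a check into the send path gives the "Would you like to attach that file?" prompt the comment proposes, while leaving http:// and ftp:// links untouched.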
The bounty committee has decided that this bug doesn't qualify due to the low risk.
Flags: sec-bounty? → sec-bounty-
Is there an ETA on when this will be fixed? It has been 2 months now since the last comment on it. This bug has already hit me once, but I was lucky in that the recipient was a friendly. However, because the user has no knowledge it is occurring, this could be happening a lot for people.
Group: mail-core-security
(throwing a needinfo at myself, since I didn't notice this bug until now -- and the related "Callek..." needinfo's are my friend)
Flags: needinfo?(bugspam.Callek)
Group: mail-core-security
Group: core-security → mail-core-security
This is no longer an issue. Fixed by the rework in bug 1151366.
Flags: needinfo?(bugspam.Callek)
Whiteboard: [fixed by bug 1151366]
Target Milestone: --- → Thunderbird 52.0
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: mail-core-security → core-security-release
Group: core-security-release
