On Sunday, November 29, 2020 1:40:17 AM EST Nicholas Guriev wrote:
> Proposed change offers to completely remove `attach` parameter. I don't
> like to break existing features.

It appears that it only removes the attach parameter for Thunderbird in that commit. Perhaps that's because other mail clients handle hidden attachments better. With xdg-email as packaged now KMail does in fact show an extra large warning about a hidden attachment (IIRC they had a related CVE not too long ago), but attachments seem to be visible in Thunderbird in any case.

It appears upstream versions of Thunderbird don't respect the ?attach parameter in mailto URIs, but xdg-email parses the URI into Thunderbird-style command-line arguments. These, as given from xdg-email, are considered trusted input and honored, as opposed to if mailto:foo?attach=bar were given to Thunderbird directly. xdg-email's conversion thus causes a misinterpretation of trust by Thunderbird.

Thunderbird's intent to not support the ?attach parameter for untrusted clicks from browsers, but still allow non-URI command-line specified attachments seems a reasonable compromise. A solution which might let xdg-email practice the same is to honor the attachment, and convert it to a Thunderbird command-line parameter, if invoked as

    xdg-email --attach foo mailto:bar

but discard it if invoked as

    xdg-email mailto:bar?attach=foo

Indeed this seems to have been the intent from the description of the merge request:

https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28

It looks like Reportbug's xdg-email backend uses the latter functionality, but it would probably be a trivial change to switch to the --attach form.
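
The rule proposed in the message above, sketched as an added example that is not part of the original message and is not xdg-email's own code: attachments are taken only from `--attach` on the command line, and any `attach` field inside the mailto URI is dropped before the URI is handed on. The function names `strip_uri_attach` and `trusted_attachments` and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; hypothetical helper names, constructed inputs.

# strip_uri_attach MAILTO_URI
# Print the URI with every attach field removed from its query part.
# Keys are compared case-insensitively but are not percent-decoded
# (assumption); a real fix must compare keys exactly as the downstream
# parser does.
strip_uri_attach() {
    uri=$1
    case $uri in
        *\?*) base=${uri%%\?*}; query=${uri#*\?} ;;
        *)    printf '%s\n' "$uri"; return 0 ;;
    esac
    kept=
    old_ifs=$IFS
    IFS='&'
    set -f                      # no globbing while splitting the query
    for field in $query; do
        key=$(printf '%s' "${field%%=*}" | tr '[:upper:]' '[:lower:]')
        [ "$key" = attach ] && continue
        kept="${kept:+$kept&}$field"
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$base${kept:+?$kept}"
}

# trusted_attachments ARGS...
# Print one path per line for each "--attach FILE" on the command line.
# Nothing inside a mailto: URI argument is ever treated as an attachment.
trusted_attachments() {
    while [ $# -gt 0 ]; do
        case $1 in
            --attach)
                [ $# -ge 2 ] || break
                printf '%s\n' "$2"
                shift ;;
        esac
        shift
    done
}

# Constructed demo of the two invocation forms from the message.
trusted_attachments --attach foo 'mailto:bar'
strip_uri_attach 'mailto:bar?attach=foo'
```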