[kmail2] [Bug 435516] New: PGP PUBLIC KEY BLOCK silently removed from view
https://bugs.kde.org/show_bug.cgi?id=435516

            Bug ID: 435516
           Summary: PGP PUBLIC KEY BLOCK silently removed from view
           Product: kmail2
           Version: 5.15.3
          Platform: Debian testing
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: message list
          Assignee: kdepim-b...@kde.org
          Reporter: t...@tiwe.de
  Target Milestone: ---

Created attachment 137436
  --> https://bugs.kde.org/attachment.cgi?id=137436&action=edit
example mail

SUMMARY
PGP PUBLIC KEY BLOCK is silently removed from mail view. When viewing a text-only mail I don't expect anything to be removed. What else is removed from mail bodies? What can be hidden from a recipient using kmail, even in signed mails?

STEPS TO REPRODUCE
1. view example mail (attached)

OBSERVED RESULT
no public key displayed, neither inline nor as an attachment

EXPECTED RESULT
public key block shown inline ready to be copied

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: (available in About System)
KDE Plasma Version:
KDE Frameworks Version: 5.78.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION

--
You are receiving this mail because:
You are watching all bug changes.
[kmail2] [Bug 431218] mail viewer loads external fonts even with external refs disabled
https://bugs.kde.org/show_bug.cgi?id=431218

--- Comment #5 from Timo Weingärtner ---
Why should an email be able to load images from my home directory? What is the use case for loading images from file:// ?
[kmail2] [Bug 431218] mail viewer loads external fonts even with external refs disabled
https://bugs.kde.org/show_bug.cgi?id=431218

--- Comment #3 from Timo Weingärtner ---
I sent you a test case in private mail.

When reading your patch and the surrounding code it looks like only some (images, now also fonts) request types are blacklisted. What about external style sheets or other types that might grow in HTML-land? Are there any external requests you think should be allowed?

Regarding URL schemes: why is file:// allowed? I could think of some social engineering attacks that might work by including files from the victim's computer.

I would read "external request" as external to the e-mail in question. To me the function could be as simple as:

8<8<
    // Return true to block the request, false to let QtWebEngine load it.
    bool LoadExternalReferencesUrlInterceptor::interceptRequest(QWebEngineUrlRequestInfo &info)
    {
        if (mAllowLoadExternalReference) {
            return false;
        }
        // Only content carried inside the mail itself (data: URIs and
        // cid: references to MIME parts) is allowed; every other scheme,
        // including file://, is treated as external and blocked.
        const QString scheme = info.requestUrl().scheme();
        if (scheme == QLatin1String("data") || scheme == QLatin1String("cid")) {
            return false;
        }
        return true;
    }
8<8<
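The difference between the two policies discussed in comments #3 and #5 (a deny-list keyed on request type versus an allow-list keyed on URL scheme) can be shown without Qt. The following is an added, stand-alone C++ model written for this page; it is not KMail's code. The request types, the sample URLs and the behaviour of the "deny-list" policy (blocking purely by type, with no scheme exceptions) are assumptions made for illustration, since the page only quotes the proposed allow-list version.

```cpp
// Added example (not KMail code): deny-list-by-type vs allow-list-by-scheme
// for resources an HTML mail asks the renderer to fetch.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Coarse resource classes; assumed for this example, not Qt's enum.
enum class ResourceType { Image, Font, Stylesheet, Script, Other };

struct Request {
    std::string url;
    ResourceType type;
};

// URL scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) before ':'.
// Returns it lower-cased, or "" when the URL has no scheme (e.g. "//host/x.css").
std::string schemeOf(const std::string& url) {
    if (url.empty() || !std::isalpha(static_cast<unsigned char>(url[0]))) return "";
    std::string scheme;
    for (char c : url) {
        if (c == ':') return scheme;
        const unsigned char uc = static_cast<unsigned char>(c);
        if (std::isalnum(uc) || c == '+' || c == '-' || c == '.') {
            scheme.push_back(static_cast<char>(std::tolower(uc)));
        } else {
            return "";  // illegal scheme character before any ':' => no scheme
        }
    }
    return "";  // no ':' at all
}

// Policy A (assumed model of the approach criticised in comment #3):
// block only the request types that were added to a list (images, fonts).
bool denylistBlocks(const Request& r, bool allowExternal) {
    if (allowExternal) return false;
    return r.type == ResourceType::Image || r.type == ResourceType::Font;
}

// Policy B (the function proposed in comment #3, Qt-free):
// only content carried inside the mail (data:, cid:) is ever loaded.
bool allowlistBlocks(const Request& r, bool allowExternal) {
    if (allowExternal) return false;
    const std::string s = schemeOf(r.url);
    return !(s == "data" || s == "cid");
}

// Constructed sample of what a tracking or social-engineering mail might reference.
std::vector<Request> sampleRequests() {
    return {
        {"cid:logo@mail.example", ResourceType::Image},                  // MIME part, embedded
        {"DATA:text/css,body{color:red}", ResourceType::Stylesheet},     // embedded, upper-case scheme
        {"https://tracker.example/pixel.png?u=42", ResourceType::Image}, // tracking pixel
        {"https://tracker.example/font.woff2", ResourceType::Font},      // the font case of this bug
        {"https://tracker.example/style.css", ResourceType::Stylesheet}, // not on the deny-list
        {"//tracker.example/x.css", ResourceType::Stylesheet},           // scheme-relative
        {"file:///home/victim/Pictures/avatar.png", ResourceType::Image},
        {"file:///etc/hostname", ResourceType::Other},
    };
}

// URLs that the deny-list lets through but the scheme allow-list would block.
std::vector<std::string> leaksUnderDenylist() {
    std::vector<std::string> leaks;
    for (const Request& r : sampleRequests()) {
        if (!denylistBlocks(r, false) && allowlistBlocks(r, false)) leaks.push_back(r.url);
    }
    return leaks;
}

int main() {
    for (const std::string& u : leaksUnderDenylist()) {
        std::cout << "deny-list misses: " << u << '\n';
    }
    return 0;
}
```

The three misses in the sample (the external style sheet, the scheme-relative style sheet and the file:// reference of an unlisted type) are exactly the "other types that might grow in HTML-land" concern: a deny-list has to be extended every time a new fetchable resource type appears, whereas the allow-list needs no knowledge of resource types at all, and an empty scheme falls on the safe side.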
[kmail2] [Bug 431218] New: mail viewer loads external fonts even with external refs disabled
https://bugs.kde.org/show_bug.cgi?id=431218

            Bug ID: 431218
           Summary: mail viewer loads external fonts even with external refs
                    disabled
           Product: kmail2
           Version: 5.15.3
          Platform: Debian testing
                OS: Linux
            Status: REPORTED
          Severity: grave
          Priority: NOR
         Component: UI
          Assignee: kdepim-b...@kde.org
          Reporter: t...@tiwe.de
  Target Milestone: ---

SUMMARY
not sure about component
severity: grave for security/privacy/tracking problem

STEPS TO REPRODUCE
1. view HTML mail with
[kmail2] [Bug 427091] Kmail gpg bad signature if From header contains non-ascii characters
https://bugs.kde.org/show_bug.cgi?id=427091

Timo Weingärtner changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |t...@tiwe.de

--- Comment #3 from Timo Weingärtner ---
In my config 8859-1 is not in the list, but kmail changes encoding to it anyway.
[kmail2] [Bug 324443] REGRESSION: localhost: Cannot fetch item in offline mode
https://bugs.kde.org/show_bug.cgi?id=324443

Timo Weingärtner changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|4.10.5                      |5.2.3

--- Comment #2 from Timo Weingärtner ---
This bug is still present in KMail 5.2.3.

When disconnecting all NM connections KMail shows:
---8<---8<---
Offline
KMail is currently in offline mode. Click here to go online . . .
---8<---8<---
but clicking "here" doesn't help.

Relying on NM to tell if a server is reachable is a heuristic and the heuristic is wrong. A better heuristic might be to run "ip route get $SERVER", which might incur a DNS timeout if a hostname is used.