[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-06-17 Thread Christophe Giboudeaux 
https://bugs.kde.org/show_bug.cgi?id=394554

Christophe Giboudeaux  changed:

   What|Removed |Added

 CC||axel.br...@gmx.de

--- Comment #20 from Christophe Giboudeaux  ---
*** Bug 395448 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-26 Thread Volker Krause 
https://bugs.kde.org/show_bug.cgi?id=394554

Volker Krause  changed:

   What|Removed |Added

  Latest Commit||https://commits.kde.org/mes
   ||sagelib/9669e2622ee26ac748d
   ||64b567562889ad5f190ef
 Status|CONFIRMED   |RESOLVED
 Resolution|--- |FIXED

--- Comment #19 from Volker Krause  ---
Git commit 9669e2622ee26ac748d64b567562889ad5f190ef by Volker Krause.
Committed on 26/05/2018 at 08:38.
Pushed by vkrause into branch 'Applications/18.04'.

Ensure we always reset the external reference override

Summary:
So far there were apparently cases where this got stuck on enabled even
when switching between emails.

Reviewers: cgiboudeaux, knauss, mlaurent

Reviewed By: knauss

Subscribers: kde-pim

Tags: #kde_pim

Differential Revision: https://phabricator.kde.org/D13096

M  +1-0messageviewer/src/viewer/viewer_p.cpp

https://commits.kde.org/messagelib/9669e2622ee26ac748d64b567562889ad5f190ef

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #18 from Gunter Ohrner  ---
(In reply to Christophe Giboudeaux from comment #15)
> Did you load external references for another message in the same folder
> before reading this one ?
> 
> OK, I can reproduce something weird with master:
> 
> in folder X, I loaded external references for one email, then I switched to
> another html message and clicked on the sidebar to switch from plaintext to
> html and the external references were loaded.
> 
> (The senders/company have nothing in common)

Good catch! I was literally trying for hours to find a pattern. (Ok, most of
the time got wasted while dealing with disk-full problems thanks to
byzanz-record - to record a proof as GIF screencast - filling /tmp/ in no time
by default... ;)

I also can reproduce it using this pattern. Possibly it was what I was doing
all the time.

During my tests and using Wireshark I definitely saw kMail doing network
accesses without any prior confirmation for the rendered email.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Volker Krause 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #17 from Volker Krause  ---
Possible fix: https://phabricator.kde.org/D13096

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Christophe Giboudeaux 
https://bugs.kde.org/show_bug.cgi?id=394554

Christophe Giboudeaux  changed:

   What|Removed |Added

 Ever confirmed|0   |1
 Status|UNCONFIRMED |CONFIRMED

--- Comment #16 from Christophe Giboudeaux  ---
Tested different patterns:
1 html only + one multipart messages in one folder
2 multiparts in one folder
1 html only + one multipart messages in two folders
2 multipart messages in two folders

I can reproduce with every test.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Christophe Giboudeaux 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #15 from Christophe Giboudeaux  ---
Did you load external references for another message in the same folder before
reading this one ?

OK, I can reproduce something weird with master:

in folder X, I loaded external references for one email, then I switched to
another html message and clicked on the sidebar to switch from plaintext to
html and the external references were loaded.

(The senders/company have nothing in common)

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #14 from Gunter Ohrner  ---
Ok, it really gets somewhat strange now:

* I got an HTML mail (again some GDPR notification from a company) and kMail
rendered the externally referenced logo immediately after activating HTML
rendering.
* Afterwards I closed kMail, reopened it and reopened the mail again - now
kMail correctly asked if external references shall really be displayed, as
expected.

I need to do further tests, but could it be possible that "something else"
already accesses and fetches the image before the mail is actually displayed,
such that the image is cached when kMail finally is asked to render it and an
additional network access is not necessary any more?

In this case the security issue would be somewhere else.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #13 from Gunter Ohrner  ---
(In reply to Gunter Ohrner from comment #12)
> However, with the example message I attached, I was never asked. The image
> was displayed immediately when opening the message for the first time and
> chosing "render HTML".
> 
> I'll check if it does network access in this case, but I would not know
> where else it would get the image from.

Today, kMail correctly asks if I really want to load external references if I
try to open this mail.

I don't really understand this, but looks as if I need to do some further
research... :-/

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #12 from Gunter Ohrner  ---
(In reply to Volker Krause from comment #11)
> One thing I noticed during testing this is that once you loaded external
> references for an email, the next display of HTML content without confirming
> loading external references can be served from the web engine cache, and
> neither show the external content warning nor perform any network access.
> Restarting KMail seemed to reset that here though.

That's probably the same thing I referred to in:

(comment #10 from Gunter Ohrner)
> After confirming this once, it seems to be remembered by kMail for this
> message and I do not have to confirm it on subsequent displays.


However, with the example message I attached, I was never asked. The image was
displayed immediately when opening the message for the first time and chosing
"render HTML".

I'll check if it does network access in this case, but I would not know where
else it would get the image from.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-24 Thread Volker Krause 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #11 from Volker Krause  ---
One thing I noticed during testing this is that once you loaded external
references for an email, the next display of HTML content without confirming
loading external references can be served from the web engine cache, and
neither show the external content warning nor perform any network access.
Restarting KMail seemed to reset that here though.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-23 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #10 from Gunter Ohrner  ---
Created attachment 112825
  --> https://bugs.kde.org/attachment.cgi?id=112825=edit
Message with which I can reproduce the behaviour.

kMail will show the image referenced in the attached message file as soon as
"render HTML content" is activated.

None of the used mail addresses is contained in my address book.

However, I also encountered HTML mails - in the same folder - for which I'm
asked if I want to allow loading of external references.

After confirming this once, it seems to be remembered by kMail for this message
and I do not have to confirm it on subsequent displays.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-23 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #9 from Gunter Ohrner  ---
Addendum: This menu entry is in the same state (unchecked, but greyed-out) for
the other folder in which external references are *not* loaded automatically.

I cannot see any difference in the GUI between those two.

Is there any other place or setting I should check? Is there any really stupid
mistake or oversight I could have fallen victim to?

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-23 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #8 from Gunter Ohrner  ---
Created attachment 112823
  --> https://bugs.kde.org/attachment.cgi?id=112823=edit
"Load external references" entry in "Folder" menu for folder in question

This entry is disabled (greyed-out) for the folder in question, my inbox, but
it's unselected in any case. See attached screenshot.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Volker Krause 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #7 from Volker Krause  ---
It's in the main menu: Folder > Load External References

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #6 from Gunter Ohrner  ---
Mh, maybe I'm doing something stupid, but I still don't know what.

Apparently, this does not happen in all folders, but it does happen in my Inbox
folder. I didn't knowingly switch any setting, and it definitely worked in the
past.

Where can I find the per-folder setting? At a first glance, I could not find
anything in right-click -> Properties?

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Volker Krause 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #5 from Volker Krause  ---
That would be a very serious security issue obviously, but I can't reproduce
this here either.

Besides the global setting, there is a per-folder setting for this (Folder ->
Load External References). Is that also switched off?

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Christophe Giboudeaux 
https://bugs.kde.org/show_bug.cgi?id=394554

Christophe Giboudeaux  changed:

   What|Removed |Added

 CC||vkra...@kde.org

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Christophe Giboudeaux 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #4 from Christophe Giboudeaux  ---
Created attachment 112813
  --> https://bugs.kde.org/attachment.cgi?id=112813=edit
html email from indeed

Can't reproduce locally, tcpdump also shows no traffic if the external
references aren't loaded.

Is the sender email address in your address book ?

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #3 from Gunter Ohrner  ---
Created attachment 112810
  --> https://bugs.kde.org/attachment.cgi?id=112810=edit
kMail security configuration

kMail configuration pane showing the disabled "external references" checkbox.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Gunter Ohrner 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #2 from Gunter Ohrner  ---
Created attachment 112809
  --> https://bugs.kde.org/attachment.cgi?id=112809=edit
HTML mail from indeed.com

Yes, every HTML mail with external image references I tested before opening
this issue. See attached screenshot for one example.

The segment with the logo image looks as follows:


http://www.indeed.com/?utm_source=jobseeker_emails_medium=email_campaign=tos;>
http://tophat-cms-prod.s3.amazonaws.com/wp-content/uploads/2016/02/18221139/logo9.png;
width="130" style="width:130px; font:bold 34px/38px HelveticaNeue, Helvetica,
Arial, Roboto, Noto, sans-serif; color:#2164f3; vertical-align:top;"
alt="Indeed" />



I only clicked the "activate HTML rendering", I did not confirm the loading of
any external references.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kmail2] [Bug 394554] Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

2018-05-22 Thread Christophe Giboudeaux 
https://bugs.kde.org/show_bug.cgi?id=394554

--- Comment #1 from Christophe Giboudeaux  ---
"seems to load" or you have any evidence/test message or anything showing the
issue you report ?

-- 
You are receiving this mail because:
You are watching all bug changes.