Re: a DoS vulnerability associated with conflated Message-IDs?

2017-08-04 Thread Daniel Kahn Gillmor
On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
> Peter Wang  writes:
>
>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor 
>>  wrote:
>>> notmuch currently treats all messages with the same Message-ID as
>>> the same message.  I think this could be a vulnerability :(
>>> 
>>> If two messages have the same Message-ID, is there a guarantee of which
>>> of these messages will be produced during a notmuch show?
>>> 
>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>
>> Yesterday I was expecting a confirmation message which, seemingly, never
>> came.  It turns out my maildir already contained a message from the
>> same system.  From three years ago.  With the same Message-ID.
>>
>> Malice has nothing on incompetence.
>>
>> Could we distinguish messages with identical Message-IDs based on
>> some header fields, e.g. Date, From?
>
> I wouldn't say this problem is fixed, but we are making some
> progress. In master all copies of the file are now indexed. It still
> needs various UI work before we can consider the problem really fixed,
> but it is now technically possible to detect such an attack (since the
> "good terms" are also indexed).

otoh, we now enable some additional (perhaps weirder) attacks, like:

 * i can make someone else's mail show up in your mailbox with a search
   term of my choosing by sending you a new mail co-opting their
   message-id.

we definitely need some UI for dealing with this, and perhaps some
explicit de-duping logic or maintenance scripts would be useful too.

   --dkg
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
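A defender-side check for the conflation discussed above, written as an added example (not code from notmuch or from anyone in the thread): it groups maildir files by Message-ID and reports IDs whose files differ in From, Date or body, the header-based distinction Peter Wang asks about, while leaving byte-identical redeliveries alone. The sample messages are constructed; `find_conflated_ids` expects a path-to-bytes mapping you build from the files under cur/ and new/.

```python
import email
import hashlib
from collections import defaultdict
from email import policy


def message_fingerprint(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the fields used to tell apart files sharing a Message-ID."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_bytes = body.get_content().encode("utf-8") if body else b""
    return {
        "message_id": (msg.get("Message-ID") or "").strip(),
        "from": (msg.get("From") or "").strip(),
        "date": (msg.get("Date") or "").strip(),
        "body_sha256": hashlib.sha256(body_bytes).hexdigest(),
    }


def find_conflated_ids(messages: dict) -> dict:
    """messages maps file path -> raw bytes (every file under cur/ and new/).  Returns
    {message_id: [paths]} for IDs shared by files whose From, Date or body differ;
    identical redeliveries (list copy + direct copy) are deliberately not reported."""
    by_id = defaultdict(list)
    for path, raw in messages.items():
        fp = message_fingerprint(raw)
        if fp["message_id"]:
            by_id[fp["message_id"]].append((path, fp))
    conflated = {}
    for mid, entries in by_id.items():
        distinct = {(fp["from"], fp["date"], fp["body_sha256"]) for _, fp in entries}
        if len(distinct) > 1:
            conflated[mid] = sorted(path for path, _ in entries)
    return conflated


def sample(mid: str, date: str, body: str, sender: str = "alerts@example.com") -> bytes:
    """Build a minimal constructed test message (not real mail)."""
    return f"From: {sender}\nDate: {date}\nMessage-ID: {mid}\n\n{body}\n".encode()


# Constructed maildir contents: the stale-confirmation case from the thread, plus a
# benign pair of byte-identical copies of one list mail that must not be flagged.
SAMPLE_MESSAGES = {
    "cur/old": sample("<confirm-1@example.com>", "Mon, 03 Mar 2014 10:00:00 +0000", "Your 2014 confirmation."),
    "new/recent": sample("<confirm-1@example.com>", "Thu, 03 Aug 2017 09:30:00 +0000", "Your 2017 confirmation."),
    "cur/list-copy": sample("<list-7@example.org>", "Fri, 04 Aug 2017 12:00:00 +0000", "same body", "a@example.org"),
    "cur/direct-copy": sample("<list-7@example.org>", "Fri, 04 Aug 2017 12:00:00 +0000", "same body", "a@example.org"),
}
```

Running `find_conflated_ids(SAMPLE_MESSAGES)` reports only `<confirm-1@example.com>` with both of its files, which is the cue to look at each copy rather than trusting whichever one the index happened to show.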


[PATCH] test: add broken tests for maildir syncing

2017-08-04 Thread David Bremner
Users should be able to specify synced tags in new.tags
---

Anarcat had an interesting idea about using "flagged" in new.tags, but
it doesn't work, because of (I think) the following code:

    for (tag = state->new_tags; *tag != NULL; tag++)
        notmuch_message_add_tag (message, *tag);
    if (state->synchronize_flags)
        notmuch_message_maildir_flags_to_tags (message);

i.e. the tags are removed because the newly delivered message doesn't
have them.

FWIW, notmuch-insert does the right thing, I think.

 test/T340-maildir-sync.sh | 24 +++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/test/T340-maildir-sync.sh b/test/T340-maildir-sync.sh
index 959bf8d8..172c22eb 100755
--- a/test/T340-maildir-sync.sh
+++ b/test/T340-maildir-sync.sh
@@ -181,11 +181,33 @@ test_expect_equal "$(cd $MAIL_DIR/cur/; ls 
non-compliant*)" "non-compliant-maild
 
 test_begin_subtest "Files in new/ get default synchronized tags"
 OLDCONFIG=$(notmuch config get new.tags)
-notmuch config set new.tags test
+notmuch config set new.tags test;unread
 add_message [subject]='"File in new/"' [dir]=new [filename]='file-in-new'
 notmuch config set new.tags $OLDCONFIG
 notmuch search 'subject:"File in new"' | notmuch_search_sanitize > output
 test_expect_equal "$(< output)" \
 "thread:XXX   2001-01-05 [1/1] Notmuch Test Suite; File in new/ (test unread)"
 
+test_begin_subtest "unread is not mandatory in new/"
+test_subtest_known_broken
+OLDCONFIG=$(notmuch config get new.tags)
+notmuch config set new.tags test
+add_message [subject]='"File in new/"' [dir]=new [filename]='file-in-new'
+notmuch config set new.tags $OLDCONFIG
+notmuch search 'subject:"File in new"' | notmuch_search_sanitize > output
+test_expect_equal "$(< output)" \
+"thread:XXX   2001-01-05 [1/1] Notmuch Test Suite; File in new/ (test)"
+
+for tag in draft flagged passed replied; do
+
+test_begin_subtest "$tag is valid in new.tags"
+test_subtest_known_broken
+OLDCONFIG=$(notmuch config get new.tags)
+notmuch config set new.tags "$tag"
+add_message [subject]="\"$tag sync in new\"" [dir]=new
+notmuch config set new.tags $OLDCONFIG
+notmuch search subject:"$tag in new" | notmuch_search_sanitize > output
+test_expect_equal "$(< output)" \
+ "thread:XXX   2001-01-05 [1/1] Notmuch Test Suite; $tag 
sync in new ($tag)"
+done
 test_done
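Review bot: the unquoted semicolon in the first `+` line, `notmuch config set new.tags test;unread`, is a shell command separator, so the script runs `notmuch config set new.tags test` and then tries to execute a command named `unread`; new.tags never receives the two-tag value the subtest is meant to exercise, and the later `test_expect_equal` against `(test unread)` says nothing about new.tags because `unread` can still come from flag synchronization. Quote it (`notmuch config set new.tags "test;unread"`) or pass the tags as separate arguments (`notmuch config set new.tags test unread`), matching the quoted `"$tag"` used in the loop below. A smaller point in the loop: the message is added with subject `"$tag sync in new"` but searched with `subject:"$tag in new"`; using the same phrase in both keeps the query from being an extra reason the subtest stays known-broken once the tag handling is fixed.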
-- 
2.13.2



Re: a DoS vulnerability associated with conflated Message-IDs?

2017-08-04 Thread David Bremner
Peter Wang  writes:

> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor 
>  wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message.  I think this could be a vulnerability :(
>> 
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>> 
>> Either way, it seems to create a potential DoS attack on notmuch users.
>
> Yesterday I was expecting a confirmation message which, seemingly, never
> came.  It turns out my maildir already contained a message from the
> same system.  From three years ago.  With the same Message-ID.
>
> Malice has nothing on incompetence.
>
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?

I wouldn't say this problem is fixed, but we are making some
progress. In master all copies of the file are now indexed. It still
needs various UI work before we can consider the problem really fixed,
but it is now technically possible to detect such an attack (since the
"good terms" are also indexed).

d