GNU bug report logs - #47616
27.1; hardening mail-envelope-from
Reported by: Francesco Potortì <pot <at> gnu.org>
Date: Tue, 6 Apr 2021 12:43:02 UTC
Severity: normal
Tags: fixed
Found in version 27.1
Fixed in version 28.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#47616; Package emacs. (Tue, 06 Apr 2021 12:43:02 GMT)
Acknowledgement sent to Francesco Potortì <pot <at> gnu.org>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 06 Apr 2021 12:43:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
In mail-utils.el the function mail-fetch-field thus notes in the doc
string:

    The buffer should be narrowed to just the header, else false
    matches may be returned from the message body.

In fact, both sendmail-send-it and smtp-send-it use mail-envelope-from,
which calls mail-fetch-field without narrowing, which in fact causes a
false match if:
- you forward a message with "From: " at beginning of line
- message-forward-as-mime is nil
- mail-specify-envelope-from is t
- mail-envelope-from is 'header

In this case, both sendmail-send-it and smtpmail-send-it try to see if
they should set the From: field and the sender, and both get a false
match from mail-envelope-from.

Apparently, the problem with sendmail-send-it is corrected later in the
code (I don't know where) so the mail is sent correctly, which is why I
had never realised this until I started using smtpmail-send-it, which
sets a wrong From: header copied from the forwarded message.

Hardening mail-envelope-from from sendmail.el by narrowing to the
headers, as the doc says, corrects the problem that I observed.

(defun mail-envelope-from ()
  "Return the envelope mail address to use when sending mail.
This function uses `mail-envelope-from'."
  (or (if (eq mail-envelope-from 'header)
          (nth 1 (mail-extract-address-components
                  (save-restriction
                    (save-excursion
                      (goto-char (point-max))
                      (re-search-backward
                       (concat "^" (regexp-quote mail-header-separator) "\n")
                       nil t)
                      (narrow-to-region (point-min) (point))
                      (mail-fetch-field "From")))))
        mail-envelope-from)
      user-mail-address))

This introduces a small semantic change for the meaning of the
mail-envelope-from variable. Currently, the doc says:

    If non-nil, designate the envelope-from address when sending mail.
    This only has an effect if `mail-specify-envelope-from' is non-nil.
    The value should be either a string, or the symbol `header' (in
    which case the contents of the "From" header of the message
    being sent is used), or nil (in which case the value of
    `user-mail-address' is used).

The last two lines should be instead:

    ...
    being sent is used, if one exists). If the value is nil, or if it is
    `header' and no "From" header is found in the message, the value of
    `user-mail-address' is used.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#47616; Package emacs. (Wed, 07 Apr 2021 15:07:01 GMT)
Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):
>(defun mail-envelope-from ()
>  "Return the envelope mail address to use when sending mail.
>This function uses `mail-envelope-from'."
>  (or (if (eq mail-envelope-from 'header)
>          (nth 1 (mail-extract-address-components
>                  (save-restriction
>                    (save-excursion
>                      (goto-char (point-max))
>                      (re-search-backward
>                       (concat "^" (regexp-quote mail-header-separator) "\n")
>                       nil t)
>                      (narrow-to-region (point-min) (point))
>                      (mail-fetch-field "From")))))
>        mail-envelope-from)
>      user-mail-address))

This one is better (I had forgotten about mail-header-end)

(require 'sendmail)
(defun mail-envelope-from ()
  "Return the envelope mail address to use when sending mail.
This function uses `mail-envelope-from'."
  (or (if (eq mail-envelope-from 'header)
          (let ((from-field (save-restriction
                              (narrow-to-region (point-min) (mail-header-end))
                              (mail-fetch-field "From"))))
            (when from-field
              (nth 1 (mail-extract-address-components from-field))))
        mail-envelope-from)
      user-mail-address))

Information forwarded to bug-gnu-emacs <at> gnu.org: bug#47616; Package emacs. (Thu, 06 May 2021 10:24:02 GMT)
Message #11 received at 47616 <at> debbugs.gnu.org (full text, mbox):
Francesco Potortì <pot <at> gnu.org> writes:
> Hardening mail-envelope-from from sendmail.el by narrowing to the
> headers, as the doc says, corrects the problem that I observed.
Thanks -- I don't think we should change mail-envelope-from itself here,
because it may conceivably be called from other contexts. Instead the
callers in sendmail/smtpmail should be altered to narrow to the headers
before calling it, and I've now done this in Emacs 28. (This uncovered
a similar bug in smtpmail.el, too.)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
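
The false match discussed in this thread and the caller-side narrowing, as an added Emacs Lisp illustration (not code from the thread or from Emacs itself); the `demo-` names, the sample draft and its addresses are constructed for the example. Evaluated in Emacs, the unnarrowed call returns the address from the forwarded body line, while the narrowed call finds no From header and falls back to `user-mail-address`.

```elisp
;; -*- lexical-binding: t; -*-
;; Added illustration; every `demo-' name is hypothetical, not part of Emacs.
(require 'sendmail)   ; mail-header-end, mail-header-separator
(require 'mail-utils) ; mail-fetch-field
(require 'mail-extr)  ; mail-extract-address-components

(defconst demo-draft
  (concat "To: list@example.org\n"
          "Subject: Fwd: status\n"
          mail-header-separator "\n"
          "---------- Forwarded message ----------\n"
          "From: Someone Else <someone.else@example.net>\n"
          "Subject: status\n\n"
          "Body of the forwarded message.\n")
  "Constructed draft: no From: header, forwarded text inlined in the body.")

(defun demo-from-address (narrow)
  "Return the address parsed from the draft's From field, or nil.
When NARROW is non-nil, restrict the search to the header block
first, as the `mail-fetch-field' doc string asks callers to do."
  (with-temp-buffer
    (insert demo-draft)
    (save-restriction
      (when narrow
        (narrow-to-region (point-min) (mail-header-end)))
      (let ((from (mail-fetch-field "From")))
        ;; Guard against a missing field before parsing the address.
        (and from (nth 1 (mail-extract-address-components from)))))))

(defun demo-envelope-from (narrow)
  "Envelope sender a caller would choose for the constructed draft.
Falls back to `user-mail-address' when no From field is found."
  (let ((user-mail-address "me@example.org")) ; constructed value
    (or (demo-from-address narrow) user-mail-address)))

;; Compare the two behaviours side by side in the echo area.
(message "unnarrowed: %s | narrowed: %s"
         (demo-envelope-from nil)
         (demo-envelope-from t))
```
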
Added tag(s) fixed. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Thu, 06 May 2021 10:24:02 GMT)
bug marked as fixed in version 28.1, send any further explanations to 47616 <at> debbugs.gnu.org and Francesco Potortì <pot <at> gnu.org>. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Thu, 06 May 2021 10:24:02 GMT)
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#47616; Package emacs. (Thu, 06 May 2021 12:17:02 GMT)
Message #18 received at 47616 <at> debbugs.gnu.org (full text, mbox):
>Francesco Potortì <pot <at> gnu.org> writes:
>> Hardening mail-envelope-from from sendmail.el by narrowing to the
>> headers, as the doc says, corrects the problem that I observed.
>
>Thanks -- I don't think we should change mail-envelope-from itself here,
>because it may conceivably be called from other contexts. Instead the
>callers in sendmail/smtpmail should be altered to narrow to the headers
>before calling it, and I've now done this in Emacs 28. (This uncovered
>a similar bug in smtpmail.el, too.)
That makes sense, in principle. I would argue for adding a comment to
mail-envelope-from stating that since it calls mail-fetch-field it
should be called only after narrowing to the headers. Or maybe even
adding a note in the doc string, as done in mail-fetch-field.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#47616; Package emacs. (Fri, 07 May 2021 11:18:01 GMT)
Message #21 received at 47616 <at> debbugs.gnu.org (full text, mbox):
Francesco Potortì <pot <at> gnu.org> writes:
> That makes sense, in principle. I would argue for adding a comment to
> mail-envelope-from stating that since it calls mail-fetch-field it
> should be called only after narrowing to the headers. Or maybe even
> adding a note in the doc string, as done in mail-fetch-field.
Good idea. I've now mentioned this in the doc string in Emacs 28.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#47616; Package emacs. (Fri, 07 May 2021 11:34:02 GMT)
Message #24 received at 47616 <at> debbugs.gnu.org (full text, mbox):
> From: Lars Ingebrigtsen <larsi <at> gnus.org>
> Date: Fri, 07 May 2021 13:17:27 +0200
> Cc: 47616 <at> debbugs.gnu.org
>
> Francesco Potortì <pot <at> gnu.org> writes:
>
> > That makes sense, in principle. I would argue for adding a comment to
> > mail-envelope-from stating that since it calls mail-fetch-field it
> > should be called only after narrowing to the headers. Or maybe even
> > adding a note in the doc string, as done in mail-fetch-field.
>
> Good idea. I've now mentioned this in the doc string in Emacs 28.
Did you forget to push?
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#47616; Package emacs. (Fri, 07 May 2021 12:10:01 GMT)
Message #27 received at 47616 <at> debbugs.gnu.org (full text, mbox):
Eli Zaretskii <eliz <at> gnu.org> writes:
> Did you forget to push?
Yup.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 05 Jun 2021 11:24:04 GMT)