On Sat, Apr 03, 2010 at 11:39:01AM -0700, Michael Elkins wrote:
While reading this bug report http://dev.mutt.org/trac/ticket/3400 about lack of documentation for the mailto: support, and reading the current security warning about use of mailto:, I came to the conclusion that the current method is insecure. This patch adds two new commands: mailto_allow header-field [...] unmailto_allow [ * | header-field ... ] which control a whitelist of allowed header fields that Mutt will process from a mailto: URL. By default only "subject" and "body" are on the list, as specified by RFC2368.
updated to work with the patch in bug #3441. me
# HG changeset patch # User Michael Elkins <me@xxxxxxxx> # Date 1281370900 25200 # Branch HEAD # Node ID e71bc0d5914fdb63e4bab4f7b227c2b31b7ec59c # Parent 5dca5158b4962d63b3b3ab11248bb737af49a84f add whitelist/blacklist for header fields in mailto: urls diff --git a/doc/manual.xml.head b/doc/manual.xml.head --- a/doc/manual.xml.head +++ b/doc/manual.xml.head @@ -4620,6 +4620,37 @@ </sect1> +<sect1 id="mailto-allow"> +<title>Control allowed header fields in a mailto: URL</title> + +<para>Usage:</para> + +<cmdsynopsis> +<command>mailto_allow</command> +<group choice="req"> +<arg choice="plain"> +<replaceable class="parameter">*</replaceable> +</arg> +<arg choice="plain" rep="repeat"> +<replaceable class="parameter">header-field</replaceable> +</arg> +</group> +</cmdsynopsis> + +<para> +As a security measure, Mutt will only add user-approved header fields from a +<literal>mailto:</literal> URL. This is necessary since Mutt will handle +certain header fields, such as <literal>Attach:</literal>, in a special way. +The <literal>mailto_allow</literal> and <literal>unmailto_allow</literal> +commands allow the user to modify the list of approved headers. +</para> +<para> +Mutt initializes the default list to contain only the <literal>Subject</literal> +and <literal>body</literal> header fields, which are the only requirement specified +by the <literal>mailto:</literal> specification in RFC2368. +</para> +</sect1> + </chapter> <chapter id="advancedusage"> diff --git a/doc/muttrc.man.head b/doc/muttrc.man.head --- a/doc/muttrc.man.head +++ b/doc/muttrc.man.head 
@@ -399,6 +399,16 @@ This command will remove all hooks of a given type, or all hooks when \(lq\fB*\fP\(rq is used as an argument. \fIhook-type\fP can be any of the \fB-hook\fP commands documented above. +.PP +.nf +\fBmailto_allow\fP \fIheader-field\fP [ ... ] +\fBunmailto_allow\fP [ \fB*\fP | \fIheader-field\fP ... ] +.fi +.IP +These commands allow the user to modify the list of allowed header +fields in a \fImailto:\fP URL that Mutt will include in the +the generated message. By default the list contains only +\fBsubject\fP and \fBbody\fP, as specified by RFC2368. .SH PATTERNS .PP In various places with mutt, including some of the above mentioned diff --git a/globals.h b/globals.h --- a/globals.h +++ b/globals.h @@ -159,6 +159,7 @@ WHERE LIST *InlineExclude INITVAL(0); WHERE LIST *HeaderOrderList INITVAL(0); WHERE LIST *Ignore INITVAL(0); +WHERE LIST *MailtoAllow INITVAL(0); WHERE LIST *MimeLookupList INITVAL(0); WHERE LIST *UnIgnore INITVAL(0); diff --git a/init.c b/init.c --- a/init.c +++ b/init.c @@ -3052,6 +3052,15 @@ mutt_init_history (); + /* RFC2368, "4. Unsafe headers" + * The creator of a mailto URL cannot expect the resolver of a URL to + * understand more than the "subject" and "body" headers. Clients that + * resolve mailto URLs into mail messages should be able to correctly + * create RFC 822-compliant mail messages using the "subject" and "body" + * headers. + */ + add_to_list(&MailtoAllow, "body"); + add_to_list(&MailtoAllow, "subject"); diff --git a/init.h b/init.h --- a/init.h +++ b/init.h @@ -3486,6 +3486,8 @@ { "macro", mutt_parse_macro, 0 }, { "mailboxes", mutt_parse_mailboxes, M_MAILBOXES }, { "unmailboxes", mutt_parse_mailboxes, M_UNMAILBOXES }, + { "mailto_allow", parse_list, UL &MailtoAllow }, + { "unmailto_allow", parse_unlist, UL &MailtoAllow }, { "message-hook", mutt_parse_hook, M_MESSAGEHOOK }, { "mbox-hook", mutt_parse_hook, M_MBOXHOOK }, { "mime_lookup", parse_list, UL &MimeLookupList }, diff --git a/url.c b/url.c --- a/url.c 
+++ b/url.c @@ -283,20 +283,34 @@ if (url_pct_decode (value) < 0) goto out; - if (!ascii_strcasecmp (tag, "body")) + /* Determine if this header field is on the allowed list. Since Mutt + * interprets some header fields specially (such as + * "Attach: ~/.gnupg/secring.gpg"), care must be taken to ensure that + * only safe fields are allowed. + * + * RFC2368, "4. Unsafe headers" + * The user agent interpreting a mailto URL SHOULD choose not to create + * a message if any of the headers are considered dangerous; it may also + * choose to create a message with only a subset of the headers given in + * the URL. + */ + if (mutt_matches_ignore(tag, MailtoAllow)) { - if (body) - mutt_str_replace (body, value); - } - else - { - char *scratch = mutt_sprintf ("%s: %s", tag, value); - size_t taglen = mutt_strlen (tag); - scratch[taglen] = 0; /* overwrite the colon as mutt_parse_rfc822_line expects */ - value = &scratch[taglen + 1]; - SKIPWS (value); - mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last); - FREE (&scratch); + if (!ascii_strcasecmp (tag, "body")) + { + if (body) + mutt_str_replace (body, value); + } + else + { + char *scratch = mutt_sprintf ("%s: %s", tag, value); + size_t taglen = mutt_strlen (tag); + scratch[taglen] = 0; /* overwrite the colon as mutt_parse_rfc822_line expects */ + value = &scratch[taglen + 1]; + SKIPWS (value); + mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last); + FREE (&scratch); + } } }
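Review bot: the <cmdsynopsis> in the manual.xml.head hunk documents only mailto_allow and offers `*` as one of its arguments, while the muttrc.man.head text in this same patch gives `*` only to unmailto_allow (`mailto_allow header-field [...]` versus `unmailto_allow [ * | header-field ... ]`) and init.h wires mailto_allow to parse_list, where a `*` would simply be added as a literal header name. Suggest adding a second <cmdsynopsis> for unmailto_allow, moving the `*` alternative there, and writing "subject" in lower case in the second <para> so it matches "body" and the man page.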
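Review bot: the muttrc.man.head hunk reads "that Mutt will include in the / the generated message", duplicating "the" across the line break; drop one.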
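Review bot: in the url.c hunk the allow-list test is `mutt_matches_ignore(tag, MailtoAllow)`, the helper used for the ignore list; if it compares by prefix the way the ignore list does, an entry of "subject" also admits any field whose name merely starts with "subject", and the same holds for anything the user adds via mailto_allow. Worth confirming, or using an exact case-insensitive comparison over the list here, since this test is the whole security boundary. Also, the quoted RFC2368 text says the agent SHOULD choose not to create a message when a header is dangerous, yet the new branch discards disallowed fields silently; a message to the user naming the dropped field would at least make it visible that the URL carried something like the Attach: header the comment warns about.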
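As an added example (not mutt's code and not part of the patch above), this is the allow-list filter written with exact name matching, and with percent-decoding done after the query is split so an encoded '&' or '=' cannot introduce a second field; the names mailto_filter, is_allowed and struct hdr are assumptions.

```c
/* Added example, not mutt's own code: an exact-match allow list for mailto:
 * header fields. mailto_filter, is_allowed and struct hdr are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
struct hdr { char name[32]; char value[256]; };
/* Default allow list per RFC2368 section 4: only "subject" and "body". */
static const char *allow[] = { "subject", "body", NULL };

/* Exact, case-insensitive match; a prefix match would also admit "subjectx". */
static int is_allowed(const char *tag)
{
    for (int i = 0; allow[i]; i++)
        if (strcasecmp(tag, allow[i]) == 0) return 1;
    return 0;
}

/* Decode %XX escapes in place; returns -1 on a malformed escape. */
static int pct_decode(char *s)
{
    char *d = s;
    for (; *s; s++) {
        if (*s != '%') { *d++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return -1;
        *d++ = (char)strtol((char[]){ s[1], s[2], 0 }, NULL, 16);
        s += 2;
    }
    *d = 0;
    return 0;
}

/* Split the query part of a mailto: URL ("k=v&k=v") and keep only allowed
 * fields in out[]; split before decoding so an encoded '&' or '=' cannot
 * smuggle in a second field. Returns fields kept or -1 on error; *dropped
 * counts fields rejected by the allow list (e.g. "Attach"). */
int mailto_filter(const char *query, struct hdr *out, int max, int *dropped)
{
    char buf[1024];
    int n = 0;
    *dropped = 0;
    if (snprintf(buf, sizeof buf, "%s", query) >= (int)sizeof buf) return -1;
    for (char *tok = strtok(buf, "&"); tok; tok = strtok(NULL, "&")) {
        char *val = strchr(tok, '=');
        if (!val) return -1;
        *val++ = 0;                       /* tag is now NUL-terminated */
        if (pct_decode(tok) < 0 || pct_decode(val) < 0) return -1;
        if (!is_allowed(tok)) { (*dropped)++; continue; }
        if (n == max) return -1;
        snprintf(out[n].name, sizeof out[n].name, "%s", tok);
        snprintf(out[n].value, sizeof out[n].value, "%s", val);
        n++;
    }
    return n;
}
```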