changeset: 6567:ad94dd58966b user: Michael Elkins <m...@sigpipe.org> date: Thu Mar 10 14:59:24 2016 -0800 link: http://dev.mutt.org/hg/mutt/rev/ad94dd58966b
Restrict mailto header fields using mailto_allow. By default, only the body and subject fields are allowed. These can be changed with the mailto_allow and unmailto_allow commands.
changeset: 6568:b5f170446e14
user: Kevin McCarthy <ke...@8t8.us>
date: Thu Mar 10 15:52:14 2016 -0800
link: http://dev.mutt.org/hg/mutt/rev/b5f170446e14
Improve the mailto_allow documentation. Add to the commands list. Document unmailto_allow. Mention the new behavior in the Security Considerations section about mailto: links.
diffs (212 lines):
diff -r b46ee6523400 -r b5f170446e14 doc/manual.xml.head
--- a/doc/manual.xml.head Thu Mar 10 14:20:57 2016 -0800
+++ b/doc/manual.xml.head Thu Mar 10 15:52:14 2016 -0800
@@ -4703,6 +4703,47 @@
 </sect1>
+<sect1 id="mailto-allow">
+<title>Control allowed header fields in a mailto: URL</title>
+
+<para>Usage:</para>
+
+<cmdsynopsis>
+<command>mailto_allow</command>
+<group choice="req">
+<arg choice="plain">
+<replaceable class="parameter">*</replaceable>
+</arg>
+<arg choice="plain" rep="repeat">
+<replaceable class="parameter">header-field</replaceable>
+</arg>
+</group>
+
+<command>unmailto_allow</command>
+<group choice="req">
+<arg choice="plain">
+<replaceable class="parameter">*</replaceable>
+</arg>
+<arg choice="plain" rep="repeat">
+<replaceable class="parameter">header-field</replaceable>
+</arg>
+</group>
+</cmdsynopsis>
+
+<para>
+As a security measure, Mutt will only add user-approved header fields from a
+<literal>mailto:</literal> URL. This is necessary since Mutt will handle
+certain header fields, such as <literal>Attach:</literal>, in a special way.
+The <literal>mailto_allow</literal> and <literal>unmailto_allow</literal>
+commands allow the user to modify the list of approved headers.
+</para>
+<para>
+Mutt initializes the default list to contain only the <literal>Subject</literal>
+and <literal>Body</literal> header fields, which are the only requirement specified
+by the <literal>mailto:</literal> specification in RFC2368.
+</para>
+</sect1>
+
 </chapter>
 <chapter id="advancedusage">
@@ -8134,6 +8175,14 @@
 on screen carefully enough.
 </para>
+<para>
+To prevent these issues, Mutt by default only accepts the
+<literal>Subject</literal> and <literal>Body</literal> headers.
+Allowed headers can be adjusted with the
+<link linkend="mailto-allow"><command>mailto_allow</command></link> and
+<link linkend="mailto-allow"><command>unmailto_allow</command></link> commands.
+</para>
+
 </sect2>
 </sect1>
@@ -8916,6 +8965,30 @@
 <listitem>
 <cmdsynopsis>
+<command><link linkend="mailto-allow">mailto_allow</link></command>
+<group choice="req">
+<arg choice="plain">
+<replaceable class="parameter">*</replaceable>
+</arg>
+<arg choice="plain" rep="repeat">
+<replaceable class="parameter">header-field</replaceable>
+</arg>
+</group>
+
+<command><link linkend="mailto-allow">unmailto_allow</link></command>
+<group choice="req">
+<arg choice="plain">
+<replaceable class="parameter">*</replaceable>
+</arg>
+<arg choice="plain" rep="repeat">
+<replaceable class="parameter">header-field</replaceable>
+</arg>
+</group>
+</cmdsynopsis>
+</listitem>
+
+<listitem>
+<cmdsynopsis>
 <command><link linkend="mbox-hook">mbox-hook</link></command>
 <arg choice="plain">
 <replaceable class="parameter">[!]regexp</replaceable>
diff -r b46ee6523400 -r b5f170446e14 doc/muttrc.man.head
--- a/doc/muttrc.man.head Thu Mar 10 14:20:57 2016 -0800
+++ b/doc/muttrc.man.head Thu Mar 10 15:52:14 2016 -0800
@@ -413,6 +413,16 @@
 This command will remove all hooks of a given type, or all hooks when \(lq\fB*\fP\(rq is used as an argument. \fIhook-type\fP can be any of the \fB-hook\fP commands documented above.
+.PP
+.nf
+\fBmailto_allow\fP \fIheader-field\fP [ ... ]
+\fBunmailto_allow\fP [ \fB*\fP | \fIheader-field\fP ... ]
+.fi
+.IP
+These commands allow the user to modify the list of allowed header
+fields in a \fImailto:\fP URL that Mutt will include in the
+the generated message. By default the list contains only
+\fBsubject\fP and \fBbody\fP, as specified by RFC2368.
 .SH PATTERNS
 .PP
 In various places with mutt, including some of the above mentioned
diff -r b46ee6523400 -r b5f170446e14 globals.h
--- a/globals.h Thu Mar 10 14:20:57 2016 -0800
+++ b/globals.h Thu Mar 10 15:52:14 2016 -0800
@@ -164,6 +164,7 @@
 WHERE LIST *InlineExclude INITVAL(0);
 WHERE LIST *HeaderOrderList INITVAL(0);
 WHERE LIST *Ignore INITVAL(0);
+WHERE LIST *MailtoAllow INITVAL(0);
 WHERE LIST *MimeLookupList INITVAL(0);
 WHERE LIST *UnIgnore INITVAL(0);
diff -r b46ee6523400 -r b5f170446e14 init.c
--- a/init.c Thu Mar 10 14:20:57 2016 -0800
+++ b/init.c Thu Mar 10 15:52:14 2016 -0800
@@ -3085,6 +3085,15 @@
 mutt_init_history ();
+ /* RFC2368, "4. Unsafe headers"
+ * The creator of a mailto URL cannot expect the resolver of a URL to
+ * understand more than the "subject" and "body" headers. Clients that
+ * resolve mailto URLs into mail messages should be able to correctly
+ * create RFC 822-compliant mail messages using the "subject" and "body"
+ * headers.
+ */
+ add_to_list(&MailtoAllow, "body");
+ add_to_list(&MailtoAllow, "subject");
diff -r b46ee6523400 -r b5f170446e14 init.h
--- a/init.h Thu Mar 10 14:20:57 2016 -0800
+++ b/init.h Thu Mar 10 15:52:14 2016 -0800
@@ -3723,6 +3723,8 @@
 { "macro", mutt_parse_macro, 0 },
 { "mailboxes", mutt_parse_mailboxes, M_MAILBOXES },
 { "unmailboxes", mutt_parse_mailboxes, M_UNMAILBOXES },
+ { "mailto_allow", parse_list, UL &MailtoAllow },
+ { "unmailto_allow", parse_unlist, UL &MailtoAllow },
 { "message-hook", mutt_parse_hook, M_MESSAGEHOOK },
 { "mbox-hook", mutt_parse_hook, M_MBOXHOOK },
 { "mime_lookup", parse_list, UL &MimeLookupList },
diff -r b46ee6523400 -r b5f170446e14 url.c
--- a/url.c Thu Mar 10 14:20:57 2016 -0800
+++ b/url.c Thu Mar 10 15:52:14 2016 -0800
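Review bot: The two new init.h entries route `mailto_allow`/`unmailto_allow` through the generic `parse_list`/`parse_unlist`, so an entry is stored verbatim and later consulted by `mutt_matches_ignore` in the url.c hunk, yet nothing added in this commit says how an entry is matched against a field name from the URL. If that helper keeps the behaviour it has for the `ignore` list (case-insensitive prefix match, with `*` matching everything; to be confirmed, its body is not in the diff), then an entry admits every field name that begins with it, so for example `mailto_allow x-` would admit all `X-*` fields at once, and since this list is the only gate in front of `mutt_parse_rfc822_line` for untrusted `mailto:` input, the `mailto-allow` sect1 in manual.xml.head and the new paragraph in muttrc.man.head should state that prefix semantics and the case-insensitivity so users can size their entries accordingly. Two smaller inconsistencies in the same documentation hunks: the manual's synopsis offers `*` for `mailto_allow` while the man page shows it only for `unmailto_allow` (`\fBmailto_allow\fP \fIheader-field\fP [ ... ]`), and the man page text reads `in the the generated message`.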
@@ -283,21 +283,35 @@
 if (url_pct_decode (value) < 0) goto out;
- if (!ascii_strcasecmp (tag, "body"))
+ /* Determine if this header field is on the allowed list. Since Mutt
+ * interprets some header fields specially (such as
+ * "Attach: ~/.gnupg/secring.gpg"), care must be taken to ensure that
+ * only safe fields are allowed.
+ *
+ * RFC2368, "4. Unsafe headers"
+ * The user agent interpreting a mailto URL SHOULD choose not to create
+ * a message if any of the headers are considered dangerous; it may also
+ * choose to create a message with only a subset of the headers given in
+ * the URL.
+ */
+ if (mutt_matches_ignore(tag, MailtoAllow))
 {
- if (body)
- mutt_str_replace (body, value);
- }
- else
- {
- char *scratch;
- size_t taglen = mutt_strlen (tag);
-
- safe_asprintf (&scratch, "%s: %s", tag, value);
- scratch[taglen] = 0; /* overwrite the colon as mutt_parse_rfc822_line expects */
- value = skip_email_wsp(&scratch[taglen + 1]);
- mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last);
- FREE (&scratch);
+ if (!ascii_strcasecmp (tag, "body"))
+ {
+ if (body)
+ mutt_str_replace (body, value);
+ }
+ else
+ {
+ char *scratch;
+ size_t taglen = mutt_strlen (tag);
+
+ safe_asprintf (&scratch, "%s: %s", tag, value);
+ scratch[taglen] = 0; /* overwrite the colon as mutt_parse_rfc822_line expects */
+ value = skip_email_wsp(&scratch[taglen + 1]);
+ mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last);
+ FREE (&scratch);
+ }
 }
 }