Closed Bug 1749340 Opened 3 years ago Closed 3 years ago

Avoid duplicate attachment display for attached OpenPGP encrypted message

Categories

(MailNews Core :: Security: OpenPGP, defect)

Tracking

(thunderbird_esr91 fixed)

RESOLVED FIXED
98 Branch

People

(Reporter: KaiE, Assigned: KaiE)

Attachments

(1 file)

If a received email has an attachment, which is an encrypted OpenPGP message, and display-attachments-inline is enabled, then we show a brief message header, but we don't show the message content (we don't decrypt it).

This is intended, because of the EFAIL attack scenarios.

To make this less confusing, the Enigmail code (which we reused) had used a trick, as can be seen here:
https://searchfox.org/comm-central/rev/d55e12934777fded86d5ad1e8bd6a6d3a8ac32b0/mail/extensions/openpgp/content/modules/mimeDecrypt.jsm#61

It creates an additional attachment, which contains information for the user.

The intention was, apparently, to explain why nothing is shown, and that the user must open the attachment to view it.

However, this additional attachment, as it is currently created, causes a very confusing display (in my opinion).

The message is shown as having two attachments. One, the original attached message. Second, the fake attachment that we show to provide information.

It is confusing to show two attachments.

Also, both attachments can be clicked and opened. And for both attachments we show the decrypted text. This is even more confusing.

I think we shouldn't show an additional attachment.

In a quick experiment, I changed this code to use content-type "text/plain" (not message/rfc822).

In my test, the information text was shown, but no additional attachment was shown.

I think this is an improvement.

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/7edb1060255e
Avoid duplicate attachment display for attached OpenPGP encrypted message. r=mkmelin

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch

This fix is necessary for the automated test in bug 1745019.

Comment on attachment 9258363 [details]
Bug 1749340 - Avoid duplicate attachment display for attached OpenPGP encrypted message. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: strange duplicate attachment listed, when there's really just one attached message
Testing completed (on c-c, etc.): Landed into c-c in January, so has gotten beta coverage already. Manually tested on esr91.
Risk to taking this patch (and alternatives if risky): Minor risk for side effects, but only when showing an attached OpenPGP message.

Attachment #9258363 - Flags: approval-comm-esr91?

Comment on attachment 9258363 [details]
Bug 1749340 - Avoid duplicate attachment display for attached OpenPGP encrypted message. r=mkmelin

[Triage Comment]
Approved for esr91

Attachment #9258363 - Flags: approval-comm-esr91? → approval-comm-esr91+
Regressions: 1769797
Blocks: 1795237