Bug 934302: Images showing when remote content blocked
Opened 11 years ago, closed 11 years ago
Categories: Thunderbird :: Untriaged, defect
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 322533
People: Reporter: simon.rose; Assignee: Unassigned
Attachments: 1 file (deleted), text/plain
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Steps to reproduce:
Loaded an email.
Actual results:
I received a spam email and normally Thunderbird blocks remote images. However, in this email (and a lot of other emails), Thunderbird did not block the image.
Thunderbird said it had blocked remote content in this email, so this seems to be a bug? Also the URL they provided was hyperlinked.
I have attached the source code of the email in a text file. It may have references to a virus (being a spam email).
Expected results:
The image should not have shown.
Comment 1 • 11 years ago
I don't think this is security sensitive that needs to be hidden. At the worst this is a csec-disclosure which would allow the confirmation of email addresses.
There are two images in the email:
<img src=3D"cid:04b9048113da477f8c85f8717da0bb15" style=3D"border: 0" />
and
<img width=3D"1" src=3D"http://francis-downer.us/statf.php?m=3D....&mid=
=3D33022">
The first image would be displayed since it is contained inline in the message and is not remote.
The second image should be blocked however.
Simon, are you sure the remote image was not blocked? If you right click on the image, do you see Copy Link Location and is the link http://www.francis-downer.us/ ? Then that is an inline image that would not be blocked.
The second image is only 1 pixel wide and might not be visible even if it were not displayed. If you have Wireshark or a similar program installed you can figure out if there is an actual network request to fetch the image.
Group: core-security
Flags: needinfo?(simon.rose)
I did see only one image. So I'm guessing the other remote image was blocked. I just thought Thunderbird would block all images - didn't know about inline vs remote. And I'm guessing if it's inline - that doesn't present a security risk - otherwise Thunderbird would block it?
Flags: needinfo?(simon.rose)
Comment 3 • 11 years ago
Yeah, it is something I have wanted for a while. I'll dupe this against bug 322533.
Thanks for the report! Don't get discouraged about how this was resolved!
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
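The inline-versus-remote distinction drawn in Comment 1, as an added example that is not part of the bug report or of Thunderbird's code. It decodes the quoted-printable HTML part of a constructed sample message and labels each `<img>` as inline (`cid:`, resolved from a MIME part in the message) or remote (`http`/`https`, which needs a network request), flagging 1-pixel remote images of the kind that can confirm an address. The `tracker.example` URL, the `logo1` Content-ID and the `classify_images` helper are assumptions made for the example.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message (not the deleted attachment from this bug).
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"cid:logo1" style=3D"border: 0" />
<img width=3D"1" src=3D"http://tracker.example/open.php?rcpt=
=3Duser-1234"></body></html>
--b1
Content-Type: image/png
Content-ID: <logo1>

--b1--
"""

class ImgCollector(HTMLParser):  # gathers the attributes of every <img> tag
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def classify_images(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    cids = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    body = msg.get_body(preferencelist=("html",))
    collector = ImgCollector()
    collector.feed(body.get_content() if body else "")  # decodes quoted-printable
    results = []
    for attrs in collector.images:
        src = (attrs.get("src") or "").strip()
        scheme, kind = urlsplit(src).scheme.lower(), "other"
        if scheme == "cid":  # resolved from a MIME part, no network request
            kind = "inline" if unquote(src[4:]) in cids else "inline-missing"
        elif scheme in ("http", "https"):  # fetching it contacts the sender's server
            kind = "remote"
        tiny = "1" in (attrs.get("width"), attrs.get("height"))
        results.append({"src": src, "kind": kind, "tracking_pixel": kind == "remote" and tiny})
    return results

if __name__ == "__main__":
    print(*classify_images(SAMPLE), sep="\n")
```

An `inline-missing` result means the `cid:` reference has no matching part in the message, so nothing would be rendered for it.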