Re: [Security Bug] Fix loading of HTML messages with inline and external images

Hi Albrecht:

On 01/24/2019 01:49:17 PM Thu, Albrecht Dreß wrote:
Hi all,

I noticed that if a HTML message contains both attached (“cid:…”) and external (“http://…”, “https://…”, …) 
image links, Balsa loads /all/ images, both the attached *and* the external ones.  The reason: whenever an 
attached image is referenced, Balsa enables Webkit's auto-load feature.  The info bar for selecting whether 
the external images shall be loaded appears briefly and is then removed automatically.

This behaviour should be considered as security bug, as it allows an attacker to enable on not only trivial 
attacks against the user's privacy like web bugs, but also work around the EFail protection.

Unfortunately, I didn't find a way to selectively load images (anyone knows a trick to achieve it?); whenever 
webkit_settings_set_auto_load_images() is set to TRUE, Webkit will load /all/ of them, not calling the 
"decide-policy" callback.  Thus, the only fix I found (attached) is to completely disable loading images in 
this case, i.e. the auto-load is enabled iff attached, but no external ones have been detected.  The drawback is that 
the attached images are also shown only if the user activates images.

Additionally, since version 2.20, the 'web-process-crashed' signal is deprecated and has been replaced by 
'web-process-terminated', with a slightly different callback signature, which is also addressed in the patch.


Thanks for spotting the risk! The patch looks good to me…

The patch has been committed to master and pushed to GitLab. The 'remove-app-menu' branch has also been 
rebased to include the same patch.



Attachment: pgpHNfIQ8tCNI.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]