Re: [Security Bug] Fix loading of HTML messages with inline and external images
Hi Albrecht:

On 01/24/2019 01:49:17 PM Thu, Albrecht Dreß wrote:
Hi all,

I noticed that if an HTML message contains both attached (“cid:…”) and external (“http://…”, “https://…”, …)
image links, Balsa loads /all/ images, both the attached *and* the external ones.  The reason: whenever an
attached image is referenced, Balsa enables Webkit's auto-load feature.  The info bar for selecting whether
the external images shall be loaded appears briefly and is then removed automatically.

This behaviour should be considered a security bug, as it allows an attacker not only to mount trivial
attacks against the user's privacy like web bugs, but also to work around the EFail protection.

Unfortunately, I didn't find a way to selectively load images (does anyone know a trick to achieve it?); whenever
webkit_settings_set_auto_load_images() is set to TRUE, Webkit will load /all/ of them, without calling the
"decide-policy" callback.  Thus, the only fix I found (attached) is to completely disable loading images in
this case, i.e. auto-load is enabled iff attached images, but no external ones, have been detected.  The drawback is that
the attached images are also shown only if the user activates images.

Additionally, since version 2.20, the 'web-process-crashed' signal is deprecated and has been replaced by 
'web-process-terminated', with a slightly different callback signature, which is also addressed in the patch.

Opinions?

Thanks for spotting the risk! The patch looks good to me…

The patch has been committed to master and pushed to GitLab. The 'remove-app-menu' branch has also been 
rebased to include the same patch.

Best,

Peter
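The decision rule Albrecht describes (auto-load only when every image reference is an attached cid: part, never when an external one is present), as an added example that is not Balsa's code. It assumes a simplified scanner over `src="..."` attributes instead of the parsed DOM, and conservatively treats any non-cid: reference as external.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Counts of image references found in an HTML body. */
typedef struct {
    int attached;   /* cid: references, i.e. MIME parts of the message itself */
    int external;   /* anything else (http:, https:, ...): may trigger a fetch */
} image_refs;

/* Case-insensitive substring search (HTML attribute names may be upper-case). */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return hay;
    return NULL;
}

/* Simplified scanner (assumption): looks at every src="..."/src='...' attribute.
 * Unknown or relative references count as external so auto-load stays off. */
static image_refs scan_image_refs(const char *html)
{
    image_refs r = {0, 0};
    const char *p = html;
    while ((p = find_ci(p, "src=")) != NULL) {
        p += 4;
        char quote = *p;
        if (quote != '"' && quote != '\'')
            continue;               /* unquoted or truncated value: skip it */
        p++;
        const char *end = strchr(p, quote);
        if (end == NULL)
            break;
        if (strncasecmp(p, "cid:", 4) == 0)
            r.attached++;
        else
            r.external++;
        p = end + 1;
    }
    return r;
}

/* WebKit's auto-load is all-or-nothing for the document, so it may only be
 * enabled when attached images exist and no external ones were detected. */
static bool auto_load_images(const char *html)
{
    image_refs r = scan_image_refs(html);
    return r.attached > 0 && r.external == 0;
}
```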
