Re: [Evolution] evolution doesn't seem to handle inlined content securely

[Andreas Wüst <awuest swissonline ch>]

Hi Jeffrey

Thanks a lot for your fast answer!!

On Thu, 2003-08-14 at 20:46, Jeffrey Stedfast wrote:

> On Thu, 2003-08-14 at 14:13, Andreas Wüst wrote:
> > Hi
> >
> > Am I right that evolution doesn't seem to do no better than outlook when
> > it comes to inlined data?
> >
> > If you get an email sporting a line like
> >
> >     <img src="cid:blablabla">
> >
> > and attached you get a file with a
> >
> >     Content-ID: blablabla
> >
> > string, evolution tries to to display this stuff inline, no?
>
> yes and no...
>
> > And since most of these attachements are virus today, the user is no
> > better off than an outlook user?!
> >
> > Please correct me, if this isn't so! But, e.g. what happens, when you
> > receive an email with an attachment blabla.scr, and the mime type is
> > audio/wav, an this file is inlined by the above tag, then evolution
> > tries to view (play) it (of course it's not a wav file, just look at the
> > file suffix, it's just some viral code)?
>
> well, since the attachment won't be able to load as an image file,
> nothing will happen. you'll get an iframe box or something with nothing
> in it.

Uhhm, yes, I just got the Header, and then nothing (or a small black
point). The mail consisted only of the iframe stuff (and the
attachement).

> > There is obviously no button which you could press to view the
> > attachement, since it's getting viewed inline. Is there any way to
> > prevent evolution from doing so?
>
> evolution will ONLY display stuff inline if it:
>
> 1. has a builtin handler (which is basically limited to image handlers
> and vcard/ical stuff - ie stuff that is "safe". as with all things, it's
> possible that the data may cause gtk's image loading code to crash or
> evo's addressbook/calendar control code to crash...)

Well, I guess it's not a that big problem it it crashes. As long as
there's no vulnerability in the image loading code, it's ok.

But, what happens if the attachement is of mime type image/jpeg and
there's not a jpeg in but a virus? Will evolution just fail to load the
image and let the user know by a requester, or will there just be a
blank space?

> 2. or if you:
>   a) have a bonobo control capable of handling the specified mime type
>
> and
>
>   b) configured your MIME-types & Applications control centre crapplet
> to use this bonobo control for viewing these types

Hmm, obviously seems to be the case.

> and
>
>   c) EXPLICTLY allow Evolution to use bonobo-controls of for this
> mime-type (which is only configurable via gconf - there is no UI for
> this so you have to be a bit of a hacker to find/set it in the first
> place)

Well, you never know what your friendly package maintainer does ;) Which
file of the gconf database should I check?

But there is still the question what happens if the player or viewer
gets called, but the file to view or play is not a correct file?

> So as far as I'm aware, Evolution is a LOT safer than Outlook in this
> reguard. If you find logic mistakes in our reasoning, please let us
> know.

No, there are no logic mistakes, but some minor steps to check
(vulnerability of viewer code, feedback to user if something was tried
to display but failed, ..). But I would still prefere a global option to
stop evolution displaying anything but text, or to turn off html
rendering at all (no, not the show email source option).

-- 
Sorry if I sound a bit picky, I just want to use a highly secure email
client (paired with a lot of comfort).

Best wishes,
Andi