aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2019-05-26 18:16:02 -0400
committerDavid Bremner <david@tethera.net>2019-05-29 08:14:32 -0300
commitb7b553e732baed620f6688570829a4d46dd5f6e5 (patch)
tree112f27a336842ab9484d86d42e695cdd85dc0860
parent996ef5710cd5b9a5de6394018f21955a775f7511 (diff)
cli/reply: ensure encrypted Subject: line does not leak in the clear
Now that we can decrypt headers, we want to make sure that clients using "notmuch reply" to prepare a reply don't leak cleartext in their subject lines. In particular, the ["reply-headers"]["Subject"] should by default show the external Subject. A replying MUA that intends to protect the Subject line should show the user the Subject from ["original"]["headers"]["Subject"] instead of using ["reply-headers"]["Subject"]. This minor asymmetry with "notmuch show" is intentional. While both tools always render the cleartext subject line when they know it (in ["headers"]["Subject"] for "notmuch show" and in ["original"]["headers"]["Subject"] for "notmuch reply"), "notmuch reply" should never leak something that should stay under encrypted cover in "reply-headers". Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-rwxr-xr-xtest/T356-protected-headers.sh7
1 files changed, 7 insertions, 0 deletions
diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index 62d7e210..ff37f6bd 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -76,4 +76,11 @@ output=$(notmuch show --verify --format=json id:signed-protected-header@crypto.n
test_json_nodes <<<"$output" \
'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525350527, "fingerprint": "'$FINGERPRINT'", "userid": "'"$SELF_USERID"'", "status": "good"}], "headers": ["Subject"]}}'
+test_begin_subtest "protected subject does not leak by default in replies"
+output=$(notmuch reply --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)
+test_json_nodes <<<"$output" \
+ 'crypto:["original"]["crypto"]={"decrypted": {"status": "full", "header-mask": {"Subject": "Subject Unavailable"}}}' \
+ 'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
+ 'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'
+
test_done