Bug 289339

Summary: Sending mail with BCC recipients sends the BCC header to all recipients
Product: [Applications] kmail2
Reporter: John Zaitseff <j.zaitseff>
Component: general
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED DUPLICATE
Severity: normal
CC: montel
Priority: NOR
Version: 4.7
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Version Fixed In: 4.7.4

Description John Zaitseff 2011-12-19 09:18:30 UTC
Version:           4.7 (using KDE 4.7.3) 
OS:                Linux

Sending an e-mail in KMail 4.7.4 (and possibly in earlier versions) with BCC recipients sends an e-mail with the BCC header included to all recipients.  This is quite a bad breach of privacy, as it allows all recipients (including BCC and non-BCC recipients) to see who was on the BCC list!


Reproducible: Always

Steps to Reproduce:
1. Create a new e-mail (New Message).
2. Set the To field to, say, test1@example.com, and the BCC field to, say, test2@example.com (real e-mail addresses should be used).
3. Send the e-mail.
4. Read the e-mail sent to either test1@example.com or test2@example.com.


Actual Results:  
The BCC field is part of the e-mail sent to both test1@example.com and test2@example.com.

Expected Results:  
The BCC field should NEVER be sent as part of an e-mail, although it SHOULD be stored in the locally-saved version in the sent-mail folder.


The "Steps to Reproduce" were performed on both my normal account (which has been using KDE for a number of major releases), as well as a test account which was completely fresh: no .kde/.local/.config directories.

I suspect the bug might be in akonadi_maildispatcher_agent, but that is just a wild guess...
Comment 1 John Zaitseff 2011-12-19 09:21:27 UTC
I believe this bug should have high priority as it is a major breach of privacy.
Comment 2 Laurent Montel 2011-12-19 11:41:59 UTC
Fixed in 4.7.4/master
Comment 3 John Zaitseff 2011-12-19 11:49:10 UTC
Actually, it has NOT been fixed: I'm running the Ubuntu PPA packages for KDE 4.7.4, and the bug is present in that version.  Am I missing something?
Comment 4 Laurent Montel 2011-12-19 11:53:52 UTC
I looked at the 4.7 branch:

So it's ok.

  Q_ASSERT( item.hasPayload<Message::Ptr>() );
  const Message::Ptr message = item.payload<Message::Ptr>();
  if( message->hasHeader( "Bcc" ) ) {
    message->removeHeader( "Bcc" );
    message->assemble();
  }

So we can close it
Comment 5 John Zaitseff 2011-12-19 11:58:00 UTC
As I've mentioned, I'm running that code, but it doesn't seem to be working.  Could you possibly try reproducing the bug on your end (i.e., send a quick e-mail to yourself and, say, me as BCC, and see if the BCC header is removed)?  It may be that the code you've quoted isn't called for some reason.
Comment 6 Laurent Montel 2011-12-19 12:10:23 UTC
Tested and it's ok here.
Do you use smtp or akonadi dummy transport ?
Comment 7 John Zaitseff 2011-12-19 12:17:47 UTC
You are right: the test e-mail you sent me did NOT have a Bcc header.  But you are also using KMail 4.8 beta 2 :-)  Does this mean I have to wait for the next release of KDE?

I use SMTP as the outgoing account.
Comment 8 Laurent Montel 2011-12-19 12:24:07 UTC
4.7.4 uses same code.
So for me perhaps there is a problem in the source code for 4.7.4 from Kubuntu.
Regards
Comment 9 John Zaitseff 2011-12-19 12:40:11 UTC
I've just downloaded the kdepim/kdepimlibs 4.7.4 source code in Ubuntu ("apt-get source kdepim" and "apt-get source kdepimlibs").  A quick recursive grep reveals NO code uses 'hasHeader( "Bcc" )'.  Am I looking in the right place?
Comment 10 Laurent Montel 2011-12-19 12:44:20 UTC
kdepim-runtime
Comment 11 John Zaitseff 2011-12-19 12:50:45 UTC
Nope, kdepim-runtime does not have the appropriate haveHeader() or removeHeader() lines either.  Could you give me a hint as to which source file I should be looking at?

Although the Debian/Ubuntu changelog states they are using 4.7.4, I'm wondering whether they are, in fact, doing so.  I think I'll file a bug with Ubuntu...
Comment 12 Laurent Montel 2011-12-19 12:55:06 UTC
kdepim-runtime/agents/maildispatcher$ git branch 
  4.6
  4.7
* KDE/4.7
  master

=>void SendJob::Private::doTraditionalTransport()
{
  const TransportAttribute *transportAttribute = item.attribute<TransportAttribute>();
  TransportJob *job = TransportManager::self()->createTransportJob( transportAttribute->transportId() );

  Q_ASSERT( job );
  Q_ASSERT( currentJob == 0 );

  currentJob = job;

  // Message.
  Q_ASSERT( item.hasPayload<Message::Ptr>() );
  const Message::Ptr message = item.payload<Message::Ptr>();
  if( message->hasHeader( "Bcc" ) ) {
    message->removeHeader( "Bcc" );
    message->assemble();
  }
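
An added example, not part of this thread or of KDE's code: the same step as the snippet above (drop Bcc before the message reaches the transport), done on raw RFC 5322 text without KMime so it can double as an outbound check. The names stripHeader, hasHeader and kSample and the sample message are constructed for illustration; only the wire copy is rewritten, so a locally saved copy keeps its Bcc.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// True if `line` begins with the field name (case-insensitive) followed by ':'.
static bool isField(const std::string& line, const std::string& name) {
    if (line.size() < name.size()) return false;
    for (size_t i = 0; i < name.size(); ++i)
        if (std::tolower((unsigned char)line[i]) != std::tolower((unsigned char)name[i]))
            return false;
    size_t p = line.find_first_not_of(" \t", name.size());
    return p != std::string::npos && line[p] == ':';
}

// Returns a copy of `raw` with every `name` field removed from the header
// section, including folded continuation lines. The body is left untouched.
std::string stripHeader(const std::string& raw, const std::string& name) {
    std::string out;
    bool inHeaders = true, dropping = false;
    for (size_t pos = 0; pos < raw.size();) {
        size_t nl = raw.find('\n', pos);
        size_t end = (nl == std::string::npos) ? raw.size() : nl + 1;
        std::string line = raw.substr(pos, end - pos);  // keeps its line ending
        pos = end;
        if (inHeaders) {
            if (line == "\r\n" || line == "\n") inHeaders = false;  // blank line ends headers
            // a line starting with space/tab continues the previous field
            else if (line[0] != ' ' && line[0] != '\t') dropping = isField(line, name);
            if (inHeaders && dropping) continue;
        }
        out += line;
    }
    return out;
}

// Outbound check: does the header section still carry the field?
bool hasHeader(const std::string& raw, const std::string& name) {
    return stripHeader(raw, name).size() != raw.size();
}
// Constructed sample: folded, lower-case Bcc field plus a body line that looks like one.
const std::string kSample =
    "From: sender@example.com\r\nTo: test1@example.com\r\n"
    "bcc: test2@example.com,\r\n\ttest3@example.com\r\n"
    "Subject: test\r\n\r\n"
    "Bcc: this line is body text and must survive\r\n";

int main() {
    std::string wire = stripHeader(kSample, "Bcc");  // what goes to the transport
    std::cout << wire << "Bcc present: " << std::boolalpha << hasHeader(wire, "Bcc") << "\n";
}
```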
Comment 13 Laurent Montel 2011-12-19 12:58:31 UTC
OK, I downloaded the source from the KDE FTP
and it's not in the source.
It's in the branch but not in the 4.7.4 tag... too bad...

Perhaps you can ask Ubuntu to update the branch.
I can't do more. It's in the 4.7 branch.
Now distros must update the branch (I still continue to backport fixes to the 4.7 branch, but it's right that there will not be a 4.7.5...)
Comment 14 John Zaitseff 2011-12-19 13:01:35 UTC
Thanks for your help.  I'll try to post a bug to Ubuntu asking them to do that.
Comment 15 Christophe Marin 2011-12-25 13:20:46 UTC

*** This bug has been marked as a duplicate of bug 263587 ***