Bug 290783

Summary: KMail uses invalid sender when using "edit message" at a message not sent by me.
Product: [Applications] kmail2 Reporter: Ingo Stierand <stierand>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UNMAINTAINED    
Severity: normal CC: arthur
Priority: NOR    
Version: 4.9.1   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Ingo Stierand 2012-01-06 10:27:39 UTC
Version:           4.7 (using KDE 4.7.4) 
OS:                Linux

I wanted to get the recepients of an existing email to create a new message. The original mail wasn't sent by me. The easiest way to get this was to use the "edit message" action. Doing so I got the composer, edited the message (including modifications of the recepient list, and the subject line) and sent the 'new' message. But surprisingly the 'new' message got the old sender in the 'from' field of the original message. 

I consider this as a bug. However, it is at least a security issue when I can fake a sender with a nice user-level GUI app.

Reproducible: Always

Steps to Reproduce:
1. Take a message you haven't sent but received.
2. Use 'T' to edit the message (or via menu 'Message-Edit').
3. Edit the message.
4. Send the message.

Actual Results:  
Looking at the source code of the newly created message you will find the sender of the original message in the from field.

Expected Results:  
The 'from' field of any message sent by me should always contain a valid mail-address that matches one of my identities.

OS: Linux (i686) release 3.1.0-1.2-desktop
Compiler: gcc
Comment 1 zless 2012-09-16 17:10:31 UTC
I confirm the situation with kmail2 in KDE 4.9.1.
Comment 2 Myriam Schweingruber 2012-09-17 09:40:08 UTC
Thank you for the feedback.
Comment 3 Denis Kurz 2016-09-24 18:09:43 UTC
This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug still present?

If noone confirms this bug for a Framework-based version of kmail2 (version 5.0 or later, as part of KDE Applications 15.12 or later), it gets closed in about three months.
Comment 4 Denis Kurz 2017-01-07 21:29:29 UTC
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input.