Version: 4.7 (using KDE 4.7.3)
OS: Linux

Sending an e-mail in KMail 4.7.4 (and possibly in earlier versions) with BCC recipients sends an e-mail with the BCC header included to all recipients. This is quite a bad breach of privacy, as it allows all recipients (including BCC and non-BCC recipients) to see who was on the BCC list!

Reproducible: Always

Steps to Reproduce:
1. Create a new e-mail (New Message).
2. Set the To field to, say, test1@example.com, and the BCC field to, say, test2@example.com (real e-mail addresses should be used).
3. Send the e-mail.
4. Read the e-mail sent to either test1@example.com or test2@example.com.

Actual Results:
The BCC field is part of the e-mail sent to both test1@example.com and test2@example.com.

Expected Results:
The BCC field should NEVER be sent as part of an e-mail, although it SHOULD be stored in the locally-saved version in the sent-mail folder.

The "Steps to Reproduce" were performed on both my normal account (which has been using KDE for a number of major releases), as well as a test account which was completely fresh: no .kde/.local/.config directories. I suspect the bug might be in akonadi_maildispatcher_agent, but that is just a wild guess...
I believe this bug should have high priority as it is a major breach of privacy.
Fixed in 4.7.4/master
Actually, it has NOT been fixed: I'm running the Ubuntu PPA packages for KDE 4.7.4, and the bug is present in that version. Am I missing something?
I looked in the 4.7 branch, so it's OK:

    Q_ASSERT( item.hasPayload<Message::Ptr>() );
    const Message::Ptr message = item.payload<Message::Ptr>();
    if( message->hasHeader( "Bcc" ) ) {
      message->removeHeader( "Bcc" );
      message->assemble();
    }

So we can close it.
As I've mentioned, I'm running that code, but it doesn't seem to be working. Could you possibly try reproducing the bug on your end (i.e., send a quick e-mail to yourself and, say, me as BCC, and see if the BCC header is removed)? It may be that the code you've quoted isn't called for some reason.
Tested and it's OK here. Do you use SMTP or the Akonadi dummy transport?
You are right: the test e-mail you sent me did NOT have a Bcc header. But you are also using KMail 4.8 beta 2 :-) Does this mean I have to wait for the next release of KDE? I use SMTP as the outgoing account.
4.7.4 uses the same code. So to me, perhaps there is a problem in the 4.7.4 source code from Kubuntu. Regards
I've just downloaded the kdepim/kdepimlibs 4.7.4 source code in Ubuntu ("apt-get source kdepim" and "apt-get source kdepimlibs"). A quick recursive grep reveals NO code uses 'hasHeader( "Bcc" )'. Am I looking in the right place?
kdepim-runtime
Nope, kdepim-runtime does not have the appropriate haveHeader() or removeHeader() lines either. Could you give me a hint as to which source file I should be looking at? Although the Debian/Ubuntu changelog states they are using 4.7.4, I'm wondering whether they are, in fact, doing so. I think I'll file a bug with Ubuntu...
kdepim-runtime/agents/maildispatcher$ git branch
  4.6
  4.7
* KDE/4.7
  master

=>

    void SendJob::Private::doTraditionalTransport()
    {
      const TransportAttribute *transportAttribute = item.attribute<TransportAttribute>();
      TransportJob *job = TransportManager::self()->createTransportJob( transportAttribute->transportId() );
      Q_ASSERT( job );
      Q_ASSERT( currentJob == 0 );
      currentJob = job;

      // Message.
      Q_ASSERT( item.hasPayload<Message::Ptr>() );
      const Message::Ptr message = item.payload<Message::Ptr>();
      if( message->hasHeader( "Bcc" ) ) {
        message->removeHeader( "Bcc" );
        message->assemble();
      }

OK, I downloaded the source from the KDE FTP server and it's not in the source. It's in the branch but not in the 4.7.4 tag... too bad... Perhaps you can ask Ubuntu to update to the branch. I can't do more. It's in the 4.7 branch. Now the distro must update to the branch (I still continue to backport fixes to the 4.7 branch, but it's true that there will not be a 4.7.5...)
Thanks for your help. I'll try to post a bug to Ubuntu asking them to do that.
*** This bug has been marked as a duplicate of bug 263587 ***
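
The thread shows that reading the branch source did not prove the packaged 4.7.4 build stripped the header; checking the bytes that actually go out does. The following is an added example, not KMail, KMime or kdepim-runtime code: a self-contained check that removes Bcc from a raw RFC 5322 header section, going beyond the quoted fix by also handling mixed-case field names and folded continuation lines. The names `stripBcc`, `leaksBcc` and `isField` and the sample message are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Case-insensitive check that a header line starts the field `name` ("Bcc:").
static bool isField(const std::string &line, const std::string &name) {
    if (line.size() <= name.size() || line[name.size()] != ':') return false;
    return std::equal(name.begin(), name.end(), line.begin(), [](char a, char b) {
        return std::tolower((unsigned char)a) == std::tolower((unsigned char)b);
    });
}

// Copy of a raw RFC 5322 message with every Bcc field removed from the header
// section, including folded continuation lines. The body is left untouched.
std::string stripBcc(const std::string &raw) {
    std::string out;
    bool inHeaders = true, dropping = false;
    for (std::size_t pos = 0, next; pos < raw.size(); pos = next) {
        std::size_t eol = raw.find('\n', pos);
        next = (eol == std::string::npos) ? raw.size() : eol + 1;
        const std::string line = raw.substr(pos, next - pos);
        if (inHeaders) {
            if (line == "\r\n" || line == "\n") inHeaders = false;  // end of headers
            else if (line[0] != ' ' && line[0] != '\t') dropping = isField(line, "Bcc");
            if (inHeaders && dropping) continue;  // Bcc line or its continuation
        }
        out += line;
    }
    return out;
}

// True if the header section still carries a Bcc field a recipient would see.
bool leaksBcc(const std::string &raw) { return stripBcc(raw) != raw; }

// Constructed sample: mixed-case field name, folded value, "Bcc:" in the body.
const std::string kSample =
    "From: sender@example.com\r\nTo: test1@example.com\r\n"
    "bcc: test2@example.com,\r\n\ttest3@example.com\r\n"
    "Subject: test\r\n\r\nBcc: body text, must stay\r\n";

int main() {
    const std::string wire = stripBcc(kSample);
    std::cout << wire;
    return leaksBcc(wire) ? 1 : 0;  // non-zero exit if a Bcc header survived
}
```

Stripping the header does not change who receives the message: the Bcc addresses still have to be passed to the transport as envelope recipients.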