Bug 358785 - When forwarding an email as message/rfc822 attachment in a signed unencrypted email, header filtering leads to invalid signatures
Status: REPORTED
Alias: None
Product: kmail2
Classification: Applications
Component: composer
Version: 4.14.7
Platform: Gentoo Packages Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2016-01-30 17:26 UTC by trempify
Modified: 2016-01-30 17:35 UTC
Description trempify 2016-01-30 17:26:00 UTC
I forwarded an email as a message/rfc822 attachment. The forwarded e-mail contained headers such as "X-Spam-Score" and some intermediate server filtered these out, despite them being part of the message rather than in the headers of the email I was sending. Because the headers of the forwarded message are included in the multipart/signed PGP signature, the signature is now invalid.

This isn't a bug in KMail as such, but KMail could be set up to work around it (which is why I have marked this bug report as a feature request).

Possible workarounds which could be done by KMail:
* Strip all but standard headers (e.g. Sender, From etc) when forwarding emails as message/rfc822
* Encode message/rfc822 attachments using base64 (or possibly abuse quoted-printable by quoting the header lines even when they do not need to be quoted)

Reproducible: Always
Comment 1 trempify 2016-01-30 17:29:30 UTC
A third possible workaround: don't sign the forwarded message, or include it in a separate multipart/signed part so that at least it is obvious that the forwarded message has been modified but the text written by me is intact.
Comment 2 trempify 2016-01-30 17:35:17 UTC
I would say my preferred solution is to strip all but a whitelist of headers from the forwarded message: the typical 'non-technical' user will not realise they are there and may inadvertently leak information through them. Someone who knows and cares about forwarding headers will still be able to 'View Source' and copy-paste the text (after mangling it so it will not be filtered).
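
The failure mode and the allowlist workaround from this report, as an added example (not KMail code and not from the reporter). The allowlist contents, the sample message and the relay behaviour are constructed assumptions, and a SHA-256 digest stands in for the OpenPGP signature check, since any byte change to the signed part breaks either one.

```python
import hashlib

# Assumed allowlist; the report itself only names "Sender, From etc".
ALLOWED = {"from", "sender", "to", "cc", "subject", "date", "message-id",
           "mime-version", "content-type", "content-transfer-encoding"}

# Constructed sample of a message about to be forwarded (LF line endings).
FORWARDED = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: quarterly numbers\n"
    "X-Spam-Score: 0.1\n"
    "X-Originating-IP: [192.0.2.7]\n"
    "Received: from mx.example.org by mail.example.org;\n"
    "\tSat, 30 Jan 2016 17:00:00 +0000\n"
    "\n"
    "Body text.\n"
)

def strip_headers(raw, allowed=ALLOWED):
    """Keep only allowlisted headers, including their folded continuations."""
    head, sep, body = raw.partition("\n\n")
    kept, keep = [], False
    for line in head.split("\n"):
        if line[:1] not in (" ", "\t"):   # a new header field starts here
            keep = line.split(":", 1)[0].strip().lower() in allowed
        if keep:                          # continuation lines follow their field
            kept.append(line)
    return "\n".join(kept) + sep + body

def signed_part(note, forwarded):
    """The multipart/mixed entity that a multipart/signed wrapper would cover."""
    b = "=_constructed_boundary"
    return (f'Content-Type: multipart/mixed; boundary="{b}"\n\n'
            f"--{b}\nContent-Type: text/plain\n\n{note}\n"
            f"--{b}\nContent-Type: message/rfc822\n\n{forwarded}\n"
            f"--{b}--\n")

def relay_filter(wire):
    """Simulated intermediate server: drops every X-Spam-* line it sees."""
    return "\n".join(l for l in wire.split("\n")
                     if not l.lower().startswith("x-spam-"))

def survives_relay(forwarded):
    """True if the signed bytes are unchanged after passing the relay."""
    part = signed_part("FYI, see attached.", forwarded)
    before = hashlib.sha256(part.encode()).digest()
    return before == hashlib.sha256(relay_filter(part).encode()).digest()
```

On the base64 workaround listed in the description: RFC 2046 allows only the 7bit, 8bit or binary transfer encodings for a message/rfc822 body, so a base64-encoded message/rfc822 part would not conform.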