Bug 394554 - Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking
Status: RESOLVED FIXED
Alias: None
Product: kmail2
Classification: Applications
Component: UI
Version: 5.8.0
Platform: Neon Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Duplicates: 395448
 
Reported: 2018-05-22 09:12 UTC by Gunter Ohrner
Modified: 2018-06-17 12:16 UTC (History)

Attachments
HTML mail from indeed.com (29.72 KB, image/png)
2018-05-22 10:46 UTC, Gunter Ohrner
kMail security configuration (29.75 KB, image/png)
2018-05-22 10:47 UTC, Gunter Ohrner
html email from indeed (10.54 KB, image/png)
2018-05-22 12:40 UTC, Christophe Marin
"Load external references" entry in "Folder" menu for folder in question (11.30 KB, image/png)
2018-05-23 07:33 UTC, Gunter Ohrner
Message with which I can reproduce the behaviour. (1.84 KB, application/mbox)
2018-05-23 09:32 UTC, Gunter Ohrner

Description Gunter Ohrner 2018-05-22 09:12:07 UTC
kMail 5.8.1 seems to load external references in HTML emails without asking, possibly disclosing to a third party (company / spammer / scammer) that the mail has been displayed.

I configured kMail to prefer plain text messages and not to load any external references. (The current Efail debate shows the validity of those measures.)

After clicking "activate formatted HTML display", older kMail versions (until recently) would roughly format the message but display a second question "load external references" which had to be confirmed explicitly.

If I click "activate formatted HTML display" in kMail 5.8.1, all external images for example seem to be loaded immediately, possibly disclosing information about validity / reachability of my email address to adverse third parties.


Expected behaviour: If "load external references" is unchecked in the options, no external references (CSS styles, images, anything else) are loaded until I explicitly confirm that I actually want to do so.

It's important that "render HTML" and "load external references" are split into two separate steps, as lots of HTML mails do not have any proper plain text content embedded, so I sometimes have to resort to the rendered HTML contents to even decide if the mail is legit (or I want to trust it fully) or not. This gets close to impossible if activating HTML rendering will automatically load all stuff it references from the internet, including activating counter pixels or submitting tracking ID information by specifically crafted HTTP GET requests.

Additionally, externally referenced file types may be loaded which I really do not want to be downloaded like PDF or even some script or executable files.
Comment 1 Christophe Marin 2018-05-22 10:07:43 UTC
"seems to load" or do you have any evidence/test message or anything showing the issue you report?
Comment 2 Gunter Ohrner 2018-05-22 10:46:42 UTC
Created attachment 112809
HTML mail from indeed.com

Yes, every HTML mail with external image references I tested before opening this issue. See attached screenshot for one example.

The segment with the logo image looks as follows:

<td align="center" style="padding:0 0 25px;">
<a style="text-decoration:none;" href="http://www.indeed.com/?utm_source=jobseeker_emails&utm_medium=email&utm_campaign=tos">
<img src="http://tophat-cms-prod.s3.amazonaws.com/wp-content/uploads/2016/02/18221139/logo9.png" width="130" style="width:130px; font:bold 34px/38px HelveticaNeue, Helvetica, Arial, Roboto, Noto, sans-serif; color:#2164f3; vertical-align:top;" alt="Indeed" />
</a>
</td>

I only clicked the "activate HTML rendering", I did not confirm the loading of any external references.
Comment 3 Gunter Ohrner 2018-05-22 10:47:20 UTC
Created attachment 112810
kMail security configuration

kMail configuration pane showing the disabled "external references" checkbox.
Comment 4 Christophe Marin 2018-05-22 12:40:44 UTC
Created attachment 112813
html email from indeed

Can't reproduce locally, tcpdump also shows no traffic if the external references aren't loaded.

Is the sender email address in your address book?
Comment 5 Volker Krause 2018-05-22 16:53:46 UTC
That would be a very serious security issue obviously, but I can't reproduce this here either.

Besides the global setting, there is a per-folder setting for this (Folder -> Load External References). Is that also switched off?
Comment 6 Gunter Ohrner 2018-05-22 21:36:42 UTC
Mh, maybe I'm doing something stupid, but I still don't know what.

Apparently, this does not happen in all folders, but it does happen in my Inbox folder. I didn't knowingly switch any setting, and it definitely worked in the past.

Where can I find the per-folder setting? At first glance, I could not find anything in right-click -> Properties?
Comment 7 Volker Krause 2018-05-23 04:58:22 UTC
It's in the main menu: Folder > Load External References
Comment 8 Gunter Ohrner 2018-05-23 07:33:58 UTC
Created attachment 112823
"Load external references" entry in "Folder" menu for folder in question

This entry is disabled (greyed-out) for the folder in question, my inbox, but it's unselected in any case. See attached screenshot.
Comment 9 Gunter Ohrner 2018-05-23 07:36:28 UTC
Addendum: This menu entry is in the same state (unchecked, but greyed-out) for the other folder in which external references are *not* loaded automatically.

I cannot see any difference in the GUI between those two.

Is there any other place or setting I should check? Is there any really stupid mistake or oversight I could have fallen victim to?
Comment 10 Gunter Ohrner 2018-05-23 09:32:55 UTC
Created attachment 112825
Message with which I can reproduce the behaviour.

kMail will show the image referenced in the attached message file as soon as "render HTML content" is activated.

None of the used mail addresses is contained in my address book.

However, I also encountered HTML mails - in the same folder - for which I'm asked if I want to allow loading of external references.

After confirming this once, it seems to be remembered by kMail for this message and I do not have to confirm it on subsequent displays.
Comment 11 Volker Krause 2018-05-24 07:05:11 UTC
One thing I noticed during testing this is that once you loaded external references for an email, the next display of HTML content without confirming loading external references can be served from the web engine cache, and neither show the external content warning nor perform any network access. Restarting KMail seemed to reset that here though.
Comment 12 Gunter Ohrner 2018-05-24 08:22:31 UTC
(In reply to Volker Krause from comment #11)
> One thing I noticed during testing this is that once you loaded external
> references for an email, the next display of HTML content without confirming
> loading external references can be served from the web engine cache, and
> neither show the external content warning nor perform any network access.
> Restarting KMail seemed to reset that here though.

That's probably the same thing I referred to in:

(comment #10 from Gunter Ohrner)
> After confirming this once, it seems to be remembered by kMail for this
> message and I do not have to confirm it on subsequent displays.


However, with the example message I attached, I was never asked. The image was displayed immediately when opening the message for the first time and choosing "render HTML".

I'll check if it does network access in this case, but I would not know where else it would get the image from.
Comment 13 Gunter Ohrner 2018-05-24 08:26:05 UTC
(In reply to Gunter Ohrner from comment #12)
> However, with the example message I attached, I was never asked. The image
> was displayed immediately when opening the message for the first time and
> choosing "render HTML".
> 
> I'll check if it does network access in this case, but I would not know
> where else it would get the image from.

Today, kMail correctly asks if I really want to load external references if I try to open this mail.

I don't really understand this, but looks as if I need to do some further research... :-/
Comment 14 Gunter Ohrner 2018-05-24 09:21:47 UTC
Ok, it really gets somewhat strange now:

* I got an HTML mail (again some GDPR notification from a company) and kMail rendered the externally referenced logo immediately after activating HTML rendering.
* Afterwards I closed kMail, reopened it and reopened the mail again - now kMail correctly asked if external references shall really be displayed, as expected.

I need to do further tests, but could it be possible that "something else" already accesses and fetches the image before the mail is actually displayed, such that the image is cached when kMail finally is asked to render it and an additional network access is not necessary any more?

In this case the security issue would be somewhere else.
Comment 15 Christophe Marin 2018-05-24 12:42:36 UTC
Did you load external references for another message in the same folder before reading this one?

OK, I can reproduce something weird with master:

in folder X, I loaded external references for one email, then I switched to another html message and clicked on the sidebar to switch from plaintext to html and the external references were loaded.

(The senders/company have nothing in common)
Comment 16 Christophe Marin 2018-05-24 12:55:00 UTC
Tested different patterns:
1 html only + one multipart messages in one folder
2 multiparts in one folder
1 html only + one multipart messages in two folders
2 multipart messages in two folders

I can reproduce with every test.
Comment 17 Volker Krause 2018-05-24 13:19:04 UTC
Possible fix: https://phabricator.kde.org/D13096
Comment 18 Gunter Ohrner 2018-05-24 14:47:03 UTC
(In reply to Christophe Giboudeaux from comment #15)
> Did you load external references for another message in the same folder
> before reading this one?
> 
> OK, I can reproduce something weird with master:
> 
> in folder X, I loaded external references for one email, then I switched to
> another html message and clicked on the sidebar to switch from plaintext to
> html and the external references were loaded.
> 
> (The senders/company have nothing in common)

Good catch! I was literally trying for hours to find a pattern. (Ok, most of the time got wasted while dealing with disk-full problems thanks to byzanz-record - to record a proof as GIF screencast - filling /tmp/ in no time by default... ;)

I also can reproduce it using this pattern. Possibly it was what I was doing all the time.

During my tests and using Wireshark I definitely saw kMail doing network accesses without any prior confirmation for the rendered email.
Comment 19 Volker Krause 2018-05-26 08:39:47 UTC
Git commit 9669e2622ee26ac748d64b567562889ad5f190ef by Volker Krause.
Committed on 26/05/2018 at 08:38.
Pushed by vkrause into branch 'Applications/18.04'.

Ensure we always reset the external reference override

Summary:
So far there were apparently cases where this got stuck on enabled even
when switching between emails.

Reviewers: cgiboudeaux, knauss, mlaurent

Reviewed By: knauss

Subscribers: kde-pim

Tags: #kde_pim

Differential Revision: https://phabricator.kde.org/D13096

M  +1    -0    messageviewer/src/viewer/viewer_p.cpp

https://commits.kde.org/messagelib/9669e2622ee26ac748d64b567562889ad5f190ef
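
The reproduction pattern from comment 15 and the reset described in the commit message above, as a simplified model added here (not code from messagelib or from the commit). The `Viewer` class, its members, the URLs and the choice to place the reset in `setMessage()` are all hypothetical assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>
// Constructed message model: an id plus the remote URLs its HTML part references.
struct Message {
    std::string id;
    std::vector<std::string> remoteUrls;
};

// Hypothetical viewer; names are illustrative and not messagelib's API.
class Viewer {
public:
    explicit Viewer(bool resetOnSwitch) : resetOnSwitch_(resetOnSwitch) {}
    // Display another message. The fixed variant clears the per-message
    // override so a confirmation never outlives the message it was given for.
    void setMessage(const Message &m) {
        current_ = m;
        if (resetOnSwitch_) overrideExternal_ = false;
    }
    // User confirmed "load external references" for the current message only.
    void confirmExternalForCurrent() { overrideExternal_ = true; }
    // User switched to HTML rendering; returns the URLs this render fetches.
    std::vector<std::string> renderHtml() const {
        if (globalLoadExternal_ || overrideExternal_) return current_.remoteUrls;
        return {};
    }

private:
    bool globalLoadExternal_ = false;  // global option left unchecked
    bool overrideExternal_ = false;    // per-message confirmation state
    bool resetOnSwitch_;
    Message current_;
};

// Comment 15's pattern: confirm for message A, switch to unrelated message B,
// render B as HTML without confirming. Returns what B's render fetched.
std::vector<std::string> fetchedAfterSwitch(bool resetOnSwitch) {
    Viewer v(resetOnSwitch);
    v.setMessage({"A", {"http://sender-a.example/logo.png"}});
    v.confirmExternalForCurrent();
    v.renderHtml();
    v.setMessage({"B", {"http://tracker-b.example/pixel.gif?id=constructed"}});
    return v.renderHtml();
}

int main() {
    std::cout << "without reset: " << fetchedAfterSwitch(false).size()
              << " fetch(es), with reset: " << fetchedAfterSwitch(true).size() << "\n";
}
```

A regression test of this shape, asserting that no request is issued for the second message, covers the case where the override state survives a message switch.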
Comment 20 Christophe Marin 2018-06-17 12:16:35 UTC
*** Bug 395448 has been marked as a duplicate of this bug. ***