Kmail is by default in Plain text mode, the HTML part of any message does not show on the mail view. But, if I click on the reply button, while opening the reply composer (in plain text mode only) I can see that /usr/bin/kontact is creating a network call to the original mail's signature image. That means something in between is loading/rendering the email. I am not sure if it can be exploited by any means. But, sounds scary :)

STEPS TO REPRODUCE
0. Have Wireshark running
1. Receive an email with a remote image in signature
2. Click on reply button
3. Check in Wireshark for an outgoing network connection to that image

OBSERVED RESULT
Kontact creates a new network connection.

EXPECTED RESULT
Kontact should not try to load any image.

SOFTWARE/OS VERSIONS
Windows:
macOS:
Linux/KDE Plasma: Fedora 32 KDE Plasma
(available in About System)
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.70.0
Qt Version: 5.13.2

ADDITIONAL INFORMATION
Created attachment 129349
Screenshot of message
Kushal and I just confirmed this: he sent me a mixed plain / HTML message, which I read in plain-text mode -- see screenshot, there's not even an indication in the plain text that there is an <img> in there. I hit reply -- plain text reply -- and there is a GET on the server hosting that image. This seems to happen only once in an "akonadi session". I need to `akonadictl stop ; sleep 3 ; akonadictl start` and then the next time I reply -- plain text reply -- to the message, the image is GETted again.
How I test this:

- Start kmail, ^N for new composer, write email to someone. In the composer, enable "rich text", and write some innocuous text: "Here's a picture of a cat".
- Then in the rich text toolbar, click "insert html" and insert this:

```
<img src="http://example.com/example.png" width=1 height=1 />
<img src="http://192.168.0.1/css/rd/logos/logo_fritzDiamond.png" width=1 height=1 />
```

- Click insert (to close the dialog) and send the message.
- Close kmail and stop akonadi (`akonadictl stop`)

At this point, the message is in my sent-mail folder. That's convenient, since I can reply to it from there, I don't even need to receive the message.

- `akonadictl start`
- Start kmail
- Switch to sent-mail folder
- Select the message that was just sent. It views in plain text, and shows obvious links in the plain-text view.
- Start wireshark
- Hit "r" to reply to the message

At this point, in wireshark I can see an HTTP GET to example.com (it returns a 404) **and** TCP transmissions to 192.168.0.1 .. which doesn't live in my network, so it takes a while to time out. During this time, KMail seems unresponsive.
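To know in advance which hosts to filter for in the capture, the HTML part of a stored message can be audited offline. This is an added example, not part of the original thread or of KMail's code; the sample message and the function names `remote_resources` and `hosts_to_watch` are constructed for illustration, and the sender/recipient addresses and the `cid:` image are assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a mixed plain/HTML message like the one in the test steps.
SAMPLE = """\
From: a@example.org
To: b@example.org
Subject: cat
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Here's a picture of a cat
--b1
Content-Type: text/html; charset=utf-8

<p>Here's a picture of a cat</p>
<img src="http://example.com/example.png" width=1 height=1 />
<img src="http://192.168.0.1/css/rd/logos/logo_fritzDiamond.png" width=1 height=1 />
<img src="cid:logo@example.org" />
--b1--
"""

class RemoteRefs(HTMLParser):
    """Collect URLs an HTML renderer would fetch (CSS url() is not covered)."""
    def __init__(self):
        super().__init__()
        self.found = []  # (url, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        urls = [a.get(n) for n in ("src", "background", "poster")]
        if tag == "link":
            urls.append(a.get("href"))
        for url in urls:
            # A network location means a remote fetch; cid: and data: have none.
            if url and urlsplit(url).netloc:
                pixel = a.get("width") == "1" and a.get("height") == "1"
                self.found.append((url, pixel))

def remote_resources(raw):
    """Return (url, is_pixel) for every remote reference in text/html parts."""
    refs = RemoteRefs()
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            refs.feed(part.get_content())
    return refs.found

def hosts_to_watch(raw):
    """Hosts to filter for in the packet capture while hitting reply."""
    return sorted({urlsplit(u).hostname for u, _ in remote_resources(raw)})
```
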
I will investigate it
We need to render it as we need to extract body and header.
But indeed when we reply as plaintext we need to do it as in template we can force reply as HTML so we need to have these infos too.
(In reply to Laurent Montel from comment #5)
> We need to render it as we need to extract body and header.
> But indeed when we reply as plaintext we need to do it as in template we can
> force reply as HTML so we need to have these infos too.

Is there any way to disable this? As this breaks the user privacy which we hope in plain text mode.
(In reply to Kushal Das from comment #6)
> (In reply to Laurent Montel from comment #5)
> > We need to render it as we need to extract body and header.
> > But indeed when we reply as plaintext we need to do it as in template we can
> > force reply as HTML so we need to have these infos too.
>
> Is there any way to disable this? As this breaks the user privacy which we
> hope in plain text mode.

I continue to investigate if we can disable it.
(In reply to Laurent Montel from comment #7)
> (In reply to Kushal Das from comment #6)
> > (In reply to Laurent Montel from comment #5)
> > > We need to render it as we need to extract body and header.
> > > But indeed when we reply as plaintext we need to do it as in template we can
> > > force reply as HTML so we need to have these infos too.
> >
> > Is there any way to disable this? As this breaks the user privacy which we
> > hope in plain text mode.
>
> I continue to investigate if we can disable it.

Hey Laurent, any update on this investigation?