Bug 429393 - HTML email "leaks" styles into headers
Summary: HTML email "leaks" styles into headers
Status: RESOLVED DUPLICATE of bug 371656
Alias: None
Product: kmail2
Classification: Applications
Component: general
Version: 5.15.1
Platform: Ubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
 
Reported: 2020-11-20 13:02 UTC by Thomas Tanghus
Modified: 2022-01-01 10:22 UTC

Attachments
Plain (23.95 KB, image/png)
2020-11-20 13:03 UTC, Thomas Tanghus
HTML (20.26 KB, image/png)
2020-11-20 13:03 UTC, Thomas Tanghus

Description Thomas Tanghus 2020-11-20 13:02:21 UTC
SUMMARY
When you view an HTML email, sometimes the styles - CSS? - also change the header.

STEPS TO REPRODUCE
1. Set KMail to use standard headers (Fancy headers also fails)
2. Add Toggle HTML Mode to toolbar (can't find other ways to do it?)
3. View some HTML emails, toggle to HTML mode on each.
4. Watch & Judge

OBSERVED RESULT
The headers change style.

EXPECTED RESULT
The headers should remain the same.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 20.10
KDE Plasma Version: 5.19.5
KDE Frameworks Version: 5.74.0
Qt Version: 5.14.2
Kernel Version: 5.8.0-30-generic
OS Type: 64-bit

ADDITIONAL INFORMATION
Comment 1 Thomas Tanghus 2020-11-20 13:03:16 UTC
Created attachment 133497
Plain
Comment 2 Thomas Tanghus 2020-11-20 13:03:52 UTC
Created attachment 133498
HTML
Comment 3 Jonathan Marten 2020-11-21 13:20:41 UTC
See also bug 317177 for fancy headers.

This is obviously a general problem where any conflicting CSS included in an HTML message body could leak out into the header display. It may even be possible for a malicious message to hide or change header information, thus becoming a security risk. This cannot be worked around by filtering styles used by the header out of the message CSS, because KMail cannot know what style elements the header may use - it may have been written by the user or downloaded.

Would it be possible to "sandbox" the message HTML isolated from the header - maybe within an iframe or similar element?
Comment 4 Laurent Montel 2020-11-22 09:09:08 UTC
Could you send me your email in private?
Thanks
Comment 5 Thomas Tanghus 2020-11-22 09:29:05 UTC
(In reply to Laurent Montel from comment #4)
> Could you send me your email in private?
> Thanks

I have tried to send it to you, but I'm not sure it actually got sent as KMail didn't give any notifications. Let me know if it hasn't arrived.
Comment 6 Laurent Montel 2020-11-22 10:53:24 UTC
I received it.
Thanks
Comment 7 Laurent Montel 2020-11-23 05:52:49 UTC
(In reply to Jonathan Marten from comment #3)
> See also bug 317177 for fancy headers.
> 
> This is obviously a general problem where any conflicting CSS included in an
> HTML message body could leak out into the header display.  It may even be
> possible for a malicious message to hide or change header information, thus
> becoming a security risk.  This cannot be worked around by filtering styles
> used by the header out of the message CSS, because KMail cannot know what
> style elements the header may use - it may have been written by the user or
> downloaded.
> 
> Would it be possible to "sandbox" the message HTML isolated from the header
> - maybe within an iframe or similar element?

Hi,
An iframe can be a good idea, but we can't know the exact message height, so we can have two scrollbars; it's not good at the moment.
But isolating the message must be a good idea.
I need to continue investigating it.
Comment 8 Erik Quaeghebeur 2022-01-01 10:22:30 UTC

*** This bug has been marked as a duplicate of bug 371656 ***
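
Added example, not part of the bug thread and not KMail's code: a sketch of the isolation proposed in comment 3 and discussed in comment 7, where the message body goes into a sandboxed iframe through `srcdoc` so its CSS lives in a separate document from the header. The function names, class names and sample message are assumptions constructed for illustration.

```javascript
// Escape text for use inside a double-quoted HTML attribute value.
// '&' must be replaced first so already-produced entities are not re-escaped.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the viewer page. The header is the client's own trusted markup; the
// message body is untrusted and is only ever placed inside the srcdoc value.
// An empty `sandbox` attribute applies all sandbox restrictions (no scripts,
// no forms, opaque origin) to the framed document.
function buildViewerPage(headerHtml, messageHtml) {
  const frameDoc = '<!doctype html><meta charset="utf-8">' + messageHtml;
  return (
    "<!doctype html><html><body>" +
    '<div class="header">' + headerHtml + "</div>" +
    '<iframe class="message" sandbox srcdoc="' + escapeAttr(frameDoc) + '"></iframe>' +
    "</body></html>"
  );
}

// What the outer document's parser sees as markup: everything except the
// srcdoc value, which it treats as attribute text, not as elements.
function outerMarkup(page) {
  return page.replace(/srcdoc="[^"]*"/, 'srcdoc=""');
}

// Constructed sample header and message. The message carries a rule aimed at
// a header class and a quote/tag sequence that would end the attribute if it
// were inserted unescaped.
const SAMPLE_HEADER = '<span class="from">From: alice@example.org</span>';
const SAMPLE_MESSAGE =
  "<style>.from { display: none }</style>" +
  '"></iframe><style>.header { display: none }</style><p>Hello</p>';

function demo() {
  return buildViewerPage(SAMPLE_HEADER, SAMPLE_MESSAGE);
}
```

With the empty `sandbox` attribute the framed document has an opaque origin, so the outer page cannot read its content height directly, which is the sizing problem comment 7 raises.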