Bug 441829 - Rendering of HTML can bleed over message headers
Status: RESOLVED DUPLICATE of bug 371656
Alias: None
Product: kmail2
Classification: Applications
Component: general
Version: 5.15.3
Platform: Debian stable Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2021-08-31 19:17 UTC by simon
Modified: 2022-01-01 10:10 UTC

Attachments
Rendering (51.12 KB, image/png)
2021-08-31 19:17 UTC, simon
HTML - from phisher - be careful (25.39 KB, text/plain)
2021-08-31 19:22 UTC, simon
mbox format spam (12.09 KB, application/mbox)
2021-09-01 12:35 UTC, simon

Description simon 2021-08-31 19:17:29 UTC
Created attachment 141198
Rendering

SUMMARY

STEPS TO REPRODUCE
1. Received spam email.
2. View in KMail with HTML enabled.

OBSERVED RESULT

The spammer's HTML is rendered bleeding over the message list component; this allows the scammer to fake information, as well as making their phishing attack more effective.

EXPECTED RESULT

The mail client will prevent the email content corrupting the display of message metadata, so that users can make informed choices, and are less likely to be fooled.


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 5.20.5
KDE Frameworks Version: 5.78.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
Comment 1 simon 2021-08-31 19:22:50 UTC
Created attachment 141199
HTML - from phisher - be careful

Attaching the decoded HTML from the email. Although I wouldn't have thought it useful for fixing the issues, it might help reproduce the test case.
Comment 2 Laurent Montel 2021-09-01 06:18:22 UTC
Is it possible to save the email as mbox and send it to me (in private, if you want)?
Thanks
Comment 3 Jonathan Marten 2021-09-01 12:12:32 UTC
Duplicate of 429393?
Comment 4 simon 2021-09-01 12:35:46 UTC
Created attachment 141217
mbox format spam
Comment 5 simon 2021-09-01 12:43:04 UTC
Agree on duplicate of 429393, although the description there isn't clear that the HTML can alter the headers entirely; that is only picked up on in the comments.
Comment 6 Erik Quaeghebeur 2022-01-01 10:10:50 UTC

*** This bug has been marked as a duplicate of bug 371656 ***