441829 – Rendering of HTML can bleed over message headers

Bug 441829 - Rendering of HTML can bleed over message headers

Summary: Rendering of HTML can bleed over message headers

Status:	RESOLVED DUPLICATE of bug 371656

Alias:	None

Product:	kmail2
Classification:	Applications
Component:	general (show other bugs)
Version:	5.15.3
Platform:	Debian stable Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	kdepim bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-08-31 19:17 UTC by simon
Modified:	2022-01-01 10:10 UTC (History)
CC List:	3 users (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Rendering (51.12 KB, image/png) 2021-08-31 19:17 UTC, simon	Details
HTML - from phisher - be careful (25.39 KB, text/plain) 2021-08-31 19:22 UTC, simon	Details
mbox format spam (12.09 KB, application/mbox) 2021-09-01 12:35 UTC, simon	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description simon 2021-08-31 19:17:29 UTC

Created attachment 141198 [details]
Rendering

SUMMARY

STEPS TO REPRODUCE
1. Received spam email 
2. View in Kmail with HTML enabled.

OBSERVED RESULT

The spammer HTML is rendered bleeding over the message list component, this allows the scammer to fake information, as well as making their phishing attack more effective.

EXPECTED RESULT

The mail client will prevent the email content corrupting the display of message metadata, so that users can make informed choices, and are less likely to be fooled.


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 5.20.5
KDE Frameworks Version: 5.78.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION

Comment 1 simon 2021-08-31 19:22:50 UTC

Created attachment 141199 [details]
HTML - from phisher - be careful

Attaching the decoded HTML from the email. Although I wouldn't have thought it useful for fixing the issues, it might help reproduce the test case.

Comment 2 Laurent Montel 2021-09-01 06:18:22 UTC

Is it possible to save email as mbox and send me it (in private as you want).
Thanks

Comment 3 Jonathan Marten 2021-09-01 12:12:32 UTC

Duplicate of 429393?

Comment 4 simon 2021-09-01 12:35:46 UTC

Created attachment 141217 [details]
mbox format spam

Comment 5 simon 2021-09-01 12:43:04 UTC

Agree on duplicate of 429393, although the description there isn't clear that the HTML can alter the headers entirely that is only picked up on in the comments.

Comment 6 Erik Quaeghebeur 2022-01-01 10:10:50 UTC


*** This bug has been marked as a duplicate of bug 371656 ***