495090 – External References Are Loaded In Spite Of Not Checking That Option

Bug 495090 - External References Are Loaded In Spite Of Not Checking That Option

Summary: External References Are Loaded In Spite Of Not Checking That Option

Status:	REOPENED

Alias:	None

Product:	kmail2
Classification:	Applications
Component:	general (show other bugs)
Version:	6.2.2
Platform:	Other Linux

Importance:	NOR major
Target Milestone:	---
Assignee:	kdepim bugs

URL:
Keywords:	regression

Depends on:
Blocks:

Reported:	2024-10-20 13:52 UTC by Garry Williams
Modified:	2024-12-09 07:29 UTC (History)
CC List:	2 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Garry Williams 2024-10-20 13:52:13 UTC

SUMMARY
When HTML is displayed in a preview window, external references (images) are automatically loaded, too.  I have always unchecked both HTML and load external.

This is a regression.

STEPS TO REPRODUCE
1.  Uncheck "Allow messages to load external references from the Internet
2.  Click "HTML Message" on left-hand side.
3. 

OBSERVED RESULT
All external references are immediately loaded

EXPECTED RESULT
No references should ever be loaded unless explicitly asked for.

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 40
KDE Plasma Version: 6.2.1
KDE Frameworks Version: 6.7.0
Qt Version: 6.7.2
Kernel Version: 6.11.3-200.fc40.x86_64 (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-8550U CPU @ 1.80GHz
Memory: 15.1 GiB of RAM
Graphics Processor: Mesa Intel® UHD Graphics 620
Manufacturer: Dell Inc.
Product Name: XPS 13 9370

ADDITIONAL INFORMATION

Comment 1 Alex Hermann 2024-10-21 10:50:08 UTC

I can confirm the bug.

To add to the confusion, at the top of the email, the following message is still displayed:

"Note: This HTML message may contain external references to images etc. For security/privacy reasons external references are not loaded. If you trust the sender of this message then you can load the external references for this message by clicking here."

This bug/regression is a major security and/or privacy risk.

KMail Version 6.2.2 (24.08.2)
KDE Frameworks Version 6.6.0
Qt Version 6.7.2 (built against 6.7.2)
(all from Debian packages)

Comment 2 Garry Williams 2024-10-24 00:53:58 UTC

I don't know what fixed it, but it's fixed.

Comment 3 Alex Hermann 2024-10-24 12:19:50 UTC

Yeah, weird. Without updating packages, after restarting kmail and akonadi the bug doesn't show (atm).

Comment 4 Alex Hermann 2024-11-01 15:09:20 UTC

I just experienced this bug again.

1) HTML message shown as raw html

2) Click:
> Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.

3) HTML is shown formatted and external images are loaded
Also, the following message is shown, even though the external references are already loaded and displayed:
> Note: This HTML message may contain external references to images etc. For security/privacy reasons external references are not loaded. If you trust the sender of this message then you can load the external references for this message by clicking here.

Comment 5 Tim Schlotfeldt 2024-12-09 07:29:17 UTC

Same here.

I've just consciously noticed this behavior for the first time.


SOFTWARE/OS VERSIONS
Operating System: Arch Linux (x86_64)
Qt Version: 6.8.1
KDE Frameworks Version: 6.8.0
KMail Verision: 6.2.3 (24.08.3)
Graphics Platform: Wayland