[PATCH] emacs: add check for encryption before saving.

Subject: [PATCH] emacs: add check for encryption before saving.

Date: Fri, 4 Nov 2016 22:29:02 -0300

To: Mark Walters, notmuch@notmuchmail.org

Cc:

This is intended to decrease the chance of people ending up with a bunch
of plaintext drafts of encrypted messages without knowing it.

The check is intentionally overcautious; I think the false positive of
misplaced #secure tag is probably OK here.
---

This is somewhat RFC. The regex needs to be double checked, and the
variable name is not ideal. However it does solve reduce a worry I
have about this code saving drafts of sensitive messages in plaintext
that are effectively invisible because they are tagged deleted.

 emacs/notmuch-message.el | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/emacs/notmuch-message.el b/emacs/notmuch-message.el
index a503296..a2b079d 100644
--- a/emacs/notmuch-message.el
+++ b/emacs/notmuch-message.el
@@ -80,6 +80,12 @@ postponing and resuming a message."
   :type '(repeat string)
   :group 'notmuch-send)
 
+(defcustom notmuch-message-warn-encryption t
+  "Warn if the user postpones or saves a message with an mml encryption tag in it"
+  :type 'boolean
+  :group 'notmuch-send
+  :group 'notmuch-crypto)
+
 (defvar notmuch-message-draft-id nil
   "Message-id of the most recent saved draft of this message")
 (make-variable-buffer-local 'notmuch-message-draft-id)
@@ -140,6 +146,22 @@ Used when a new version is saved, or the message is sent."
       (when secure-tag
 	(insert secure-tag "\n")))))
 
+(defun notmuch-message-check-encryption ()
+  "Query user if there an mml tag that looks like it might indicate encryption.
+
+Returns t if there is no such tag, or the user confirms they mean
+it."
+  (save-excursion
+    (message-goto-body)
+      (or
+       ;; We fine if there is no secure tag, and no #part encryption
+       (not (re-search-forward "<#\\(part encrypt\\|secure.*mode=.*encrypt>\\)" nil 't))
+       ;; The user confirms they means it.
+       (yes-or-no-p "\
+This message contains mml tags that suggest it is intended to be encrypted.
+Really save and index an unencrypted copy?
+(Customize `notmuch-message-warn-encrypted' to avoid this warning)"))))
+
 (defun notmuch-message-save-draft ()
   "Save the current draft message in the notmuch database.
 
@@ -147,6 +169,9 @@ This saves the current message in the database with tags
 `notmuch-message-draft-tags` (in addition to any default tags
 applied to newly inserted messages)."
   (interactive)
+  (when (and notmuch-message-warn-encryption
+	     (not (notmuch-message-check-encryption))
+	     (error "Save aborted")))
   (let (;; We need the message id as we need it for tagging. Note
 	;; message-make-message-id gives the id inside a "<" ">" pair,
 	;; but notmuch doesn't want that form, so remove them.
-- 
2.10.1

Previous message (by thread): Re: [PATCH] emacs: add check for encryption before saving.

Thread:

Mark Walters—[PATCH v2 0/2] add postpone support [inbox, unread]
- Mark Walters—[PATCH v2 1/2] emacs: tree: remove binding for pressing button in message pane [inbox, notmuch::obsolete, notmuch::patch, notmuch::stale, unread]
  - David Bremner—Re: [PATCH v2 1/2] emacs: tree: remove binding for pressing button in message pane [inbox, unread]
- Mark Walters—[PATCH v2 2/2] emacs: postpone/resume support [inbox, notmuch::obsolete, notmuch::patch, unread]
  - David Bremner—[PATCH] emacs: add check for encryption before saving. [inbox, unread]
    - Mark Walters—Re: [PATCH] emacs: add check for encryption before saving. [inbox, unread]
      - David Bremner—Re: [PATCH] emacs: add check for encryption before saving. [inbox, unread]
        Mark Walters—Re: [PATCH] emacs: add check for encryption before saving. [inbox, unread]