[PATCH 15/20] cli/reply: ensure encrypted Subject: line does not leak in the clear

Subject: [PATCH 15/20] cli/reply: ensure encrypted Subject: line does not leak in the clear

Date: Fri, 11 May 2018 01:55:39 -0400

To: Notmuch Mail

Cc:

From: Daniel Kahn Gillmor

Now that we can decrypt headers, we want to make sure that clients
using "notmuch reply" to prepare a reply don't leak cleartext in their
subject lines.  In particular, the ["reply-headers"]["Subject"] should
by default show the external Subject.
---
 test/T356-protected-headers.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh
index 67d2e0cb..687681ff 100755
--- a/test/T356-protected-headers.sh
+++ b/test/T356-protected-headers.sh
@@ -78,4 +78,11 @@ output=$(notmuch show --verify --format=json id:signed-protected-header@crypto.n
 test_json_nodes <<<"$output" \
                 'crypto:[0][0][0]["crypto"]={"signed": {"status": [{"created": 1525350527, "fingerprint": "5AEAB11F5E33DCE875DDB75B6D92612D94E46381", "status": "good"}], "headers": ["Subject"]}}'
 
+test_begin_subtest "protected subject does not leak by default in replies"
+output=$(notmuch reply --decrypt=true --format=json id:protected-header@crypto.notmuchmail.org)
+test_json_nodes <<<"$output" \
+                'crypto:["original"]["crypto"]={"decrypted": {"status": "full", "masked-headers": {"Subject": "encrypted message"}}}' \
+                'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
+                'reply-subject:["reply-headers"]["Subject"]="Re: encrypted message"'
+
 test_done
-- 
2.17.0

_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch

• Previous message (by thread): Re: Protected headers in notmuch

Thread:

• Daniel Kahn Gillmor—Protected headers in notmuch [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 01/20] test: new test framework to compare json parts [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 01/20] test: new test framework to compare json parts [inbox, unread]
      • Daniel Kahn Gillmor—Re: [PATCH 01/20] test: new test framework to compare json parts [inbox, signed, unread]
        • David Bremner—Re: [PATCH 01/20] test: new test framework to compare json parts [inbox, unread]
          • Daniel Kahn Gillmor—Re: [PATCH 01/20] test: new test framework to compare json parts [inbox, unread]
        • Tomi Ollila—Re: [PATCH 01/20] test: new test framework to compare json parts [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 02/20] crypto: Avoid pretending to verify signatures on unsigned encrypted mail [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Daniel Kahn Gillmor—[PATCH 03/20] cli/show: pass the siglist directly to the sigstatus sprinter [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Daniel Kahn Gillmor—[PATCH 04/20] util/crypto: _notmuch_message_crypto: tracks message-wide crypto state [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 04/20] util/crypto: _notmuch_message_crypto: tracks message-wide crypto state [inbox, unread]
      • Daniel Kahn Gillmor—Re: [PATCH 04/20] util/crypto: _notmuch_message_crypto: tracks message-wide crypto state [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 05/20] cli: expose message-wide crypto status from mime-node [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Daniel Kahn Gillmor—[PATCH 06/20] mime-node: track whole-message crypto state while walking the tree [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 06/20] mime-node: track whole-message crypto state while walking the tree [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 07/20] cli/show: emit new whole-message crypto status output [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 07/20] cli/show: emit new whole-message crypto status output [inbox, unread]
      • Daniel Kahn Gillmor—Re: [PATCH 07/20] cli/show: emit new whole-message crypto status output [inbox, signed, unread]
        • David Bremner—Re: [PATCH 07/20] cli/show: emit new whole-message crypto status output [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 08/20] cli/show: emit headers after emitting body [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 08/20] cli/show: emit headers after emitting body [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 09/20] util/crypto: add information about the payload part [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 09/20] util/crypto: add information about the payload part [inbox, unread]
      • Daniel Kahn Gillmor—Re: [PATCH 09/20] util/crypto: add information about the payload part [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 10/20] cli/show: add tests for viewing protected headers [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 10/20] cli/show: add tests for viewing protected headers [inbox, unread]
      • Daniel Kahn Gillmor—Re: [PATCH 10/20] cli/show: add tests for viewing protected headers [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 11/20] cli/show: emit payload subject instead of outside subject [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 11/20] cli/show: emit payload subject instead of outside subject [inbox, unread]
      • Daniel Kahn Gillmor—Re: [PATCH 11/20] cli/show: emit payload subject instead of outside subject [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 12/20] cli/show: add information about which headers were protected [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 12/20] cli/show: add information about which headers were protected [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 13/20] test: add test for missing external subject [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Daniel Kahn Gillmor—[PATCH 14/20] test: show cryptographic envelope information for signed mails [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 14/20] test: show cryptographic envelope information for signed mails [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 15/20] cli/reply: ensure encrypted Subject: line does not leak in the clear [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Daniel Kahn Gillmor—[PATCH 16/20] cli: introduce flags for format_headers_sprinter [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Daniel Kahn Gillmor—[PATCH 17/20] cli/reply: add --protected-subject boolean flag [inbox, notmuch::obsolete, notmuch::patch, unread]
    • David Bremner—Re: [PATCH 17/20] cli/reply: add --protected-subject boolean flag [inbox, unread]
  • Daniel Kahn Gillmor—[PATCH 18/20] indexing: record protected subject when indexing cleartext [inbox, notmuch::obsolete, notmuch::patch, unread]
    • Jameson Graef Rollins—Re: [PATCH 18/20] indexing: record protected subject when indexing cleartext [inbox, signed, unread]
  • Daniel Kahn Gillmor—[PATCH 19/20] test: protected headers should work when both encrypted and signed. [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Daniel Kahn Gillmor—[PATCH 20/20] test: after reindexing, only legitimate protected subjects are searchable [inbox, notmuch::obsolete, notmuch::patch, unread]
  • Jameson Graef Rollins—Re: Protected headers in notmuch [inbox, signed, unread]
    • David Bremner—Re: Protected headers in notmuch [inbox, unread]
      • Daniel Kahn Gillmor—Re: Protected headers in notmuch [inbox, signed, unread]
      • David Bremner—Re: Protected headers in notmuch [inbox, unread]
    • Jameson Graef Rollins—Re: Protected headers in notmuch [inbox, signed, unread]
  • David Bremner—Re: Protected headers in notmuch [inbox, unread]