On Mon, Feb 2, 2015 at 12:32 PM, Tomi Ollila <tomi.ollila@iki.fi> wrote: > On Mon, Feb 02 2015, Jinwoo Lee <jinwoo68@gmail.com> wrote: > >> It's default value is ".", meaning all remote images will be blocked >> by default. >> >> --- >> Addressed review comments. > > Ok, looks good to me. David can perhaps amend away the (accidental) > whitespace change in the last hunk ? Ah, sorry about that. I can revert if needed. > > Tomi > > >> --- >> emacs/notmuch-show.el | 27 +++++++++++++++++++-------- >> 1 file changed, 19 insertions(+), 8 deletions(-) >> >> diff --git a/emacs/notmuch-show.el b/emacs/notmuch-show.el >> index 66350d4..5d939bb 100644 >> --- a/emacs/notmuch-show.el >> +++ b/emacs/notmuch-show.el >> @@ -136,6 +136,13 @@ indentation." >> :type 'boolean >> :group 'notmuch-show) >> >> +;; By default, block all external images to prevent privacy leaks and >> +;; potential attacks. >> +(defcustom notmuch-show-text/html-blocked-images "." >> + "Remote images that have URLs matching this regexp will be blocked." >> + :type '(choice (const nil) regexp) >> + :group 'notmuch-show) >> + >> (defvar notmuch-show-thread-id nil) >> (make-variable-buffer-local 'notmuch-show-thread-id) >> (put 'notmuch-show-thread-id 'permanent-local t) >> @@ -771,14 +778,21 @@ will return nil if the CID is unknown or cannot be retrieved." >> ;; It's easier to drive shr ourselves than to work around the >> ;; goofy things `mm-shr' does (like irreversibly taking over >> ;; content ID handling). >> - (notmuch-show--insert-part-text/html-shr msg part) >> + >> + ;; FIXME: If we block an image, offer a button to load external >> + ;; images. >> + (let ((shr-blocked-images notmuch-show-text/html-blocked-images)) >> + (notmuch-show--insert-part-text/html-shr msg part)) >> ;; Otherwise, let message-mode do the heavy lifting >> ;; >> ;; w3m sets up a keymap which "leaks" outside the invisible region >> ;; and causes strange effects in notmuch. We set >> ;; mm-inline-text-html-with-w3m-keymap to nil to tell w3m not to >> ;; set a keymap (so the normal notmuch-show-mode-map remains). >> - (let ((mm-inline-text-html-with-w3m-keymap nil)) >> + (let ((mm-inline-text-html-with-w3m-keymap nil) >> + ;; FIXME: If we block an image, offer a button to load external >> + ;; images. >> + (gnus-blocked-images notmuch-show-text/html-blocked-images)) >> (notmuch-show-insert-part-*/* msg part content-type nth depth button)))) >> >> ;; These functions are used by notmuch-show--insert-part-text/html-shr >> @@ -797,17 +811,14 @@ will return nil if the CID is unknown or cannot be retrieved." >> ;; shr strips the "cid:" part of URL, but doesn't >> ;; URL-decode it (see RFC 2392). >> (let ((cid (url-unhex-string url))) >> - (first (notmuch-show--get-cid-content cid))))) >> - ;; Block all external images to prevent privacy leaks and >> - ;; potential attacks. FIXME: If we block an image, offer a >> - ;; button to load external images. >> - (shr-blocked-images ".")) >> + (first (notmuch-show--get-cid-content cid)))))) >> (shr-insert-document dom) >> t)) >> >> (defun notmuch-show-insert-part-*/* (msg part content-type nth depth button) >> ;; This handler _must_ succeed - it is the handler of last resort. >> - (notmuch-mm-display-part-inline msg part content-type notmuch-show-process-crypto) >> + (notmuch-mm-display-part-inline msg part content-type >> + notmuch-show-process-crypto) >> t) >> >> ;; Functions for determining how to handle MIME parts. >> -- >> 2.2.2 >> >> _______________________________________________ >> notmuch mailing list >> notmuch@notmuchmail.org >> http://notmuchmail.org/mailman/listinfo/notmuch