Hi all,

Balsa's Webkit2 (USE_WEBKIT2 is defined) implementation is vulnerable to the 
EFail [1] attack, as it loads external content *without* user interaction for 
the cases H4, H5, H14, H15 and H17.  The attached patch
* completely disables Java and JavaScript, as they should always be considered 
harmful in emails;
* completely disables loading external content without user confirmation.

I tested several legitimate HTML messages with embedded and external images; 
the patch doesn't change their behaviour.  I.e. embedded images are displayed, 
and external content is loaded only after user confirmation.

Please note that the patch addresses Webkit2 *only*.  I didn't test the other 
HTML options; Balsa /may/ still be vulnerable if they are used.  Additionally, 
there /may/ be other backchannels which could be used for an attack with 
Webkit2.  The only really safe option is to disable HTML rendering completely.

I also attach a test message (in mailbox format) which contains several HTML 
parts, each trying to exploit a different method for bypassing remote content 
blocking.  All requests are directed to my personal web page, and I don't 
collect logs.  To test it, just terminate all web applications, run tcpdump (or 
wireshark) for port 80, and open the message in Balsa or any other mail client…

Best,
Albrecht.


[1] <https://efail.de/efail-attack-paper.pdf>
diff --git a/libbalsa/html.c b/libbalsa/html.c
index 0c2cbaec..19a30c0e 100644
--- a/libbalsa/html.c
+++ b/libbalsa/html.c
@@ -280,17 +280,11 @@ lbh_navigation_policy_decision(WebKitPolicyDecision * decision,
     uri = webkit_uri_request_get_uri(request);
 
     switch (navigation_type) {
-    case WEBKIT_NAVIGATION_TYPE_OTHER:
-    case WEBKIT_NAVIGATION_TYPE_RELOAD:
-        d(g_print("%s uri %s, type %d, used\n", __func__, uri,
-                  navigation_type));
-        webkit_policy_decision_use(decision);
-        break;
     case WEBKIT_NAVIGATION_TYPE_LINK_CLICKED:
         d(g_print("%s clicked %s\n", __func__, uri));
         (*info->clicked_cb) (uri);
     default:
-        d(g_print("%s type %d, ignored\n", __func__, navigation_type));
+        d(g_print("%s uri %s, type %d, ignored\n", __func__, uri, navigation_type));
         webkit_policy_decision_ignore(decision);
     }
 }
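Review bot: The `case WEBKIT_NAVIGATION_TYPE_LINK_CLICKED:` branch falls through into `default:` after `(*info->clicked_cb) (uri);`, and with the OTHER and RELOAD cases removed that fall-through is now the only way the clicked link reaches `webkit_policy_decision_ignore(decision)`; it carries no `/* fall through */` marker, so a later reader (or a compiler with implicit-fallthrough warnings) will take it for an accidental drop-through. Add the marker and a one-line comment above the switch stating that every navigation type other than a user click is now ignored. It would also help to record in the commit message that the initial load of the message body itself, which is not a user click, is still rendered after this change; the cover letter reports that legitimate messages with embedded images display correctly, and that check is what justifies dropping the WEBKIT_NAVIGATION_TYPE_OTHER case.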
@@ -628,6 +622,9 @@ libbalsa_html_new(LibBalsaMessageBody * body,
 
     settings = webkit_web_view_get_settings(web_view);
     webkit_settings_set_enable_plugins(settings, FALSE);
+    webkit_settings_set_enable_javascript(settings, FALSE);
+	webkit_settings_set_enable_java(settings, FALSE);
+	webkit_settings_set_enable_hyperlink_auditing(settings, TRUE);
     webkit_settings_set_auto_load_images
         (settings,
          g_regex_match_simple(cid_regex, text, G_REGEX_CASELESS, 0));
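Review bot: `webkit_settings_set_enable_hyperlink_auditing(settings, TRUE);` turns hyperlink auditing on, not off: with it enabled, a link that carries a `ping` attribute makes WebKit issue a request to the ping URL when the link is activated, which is the same class of external request the rest of this patch is meant to suppress. The setting already defaults to TRUE in WebKitGTK, so as written the line changes nothing; if the intent is to close that channel it should read `webkit_settings_set_enable_hyperlink_auditing(settings, FALSE);`. As a style point, the new `webkit_settings_set_enable_java(settings, FALSE);` line and the hyperlink-auditing line are indented with a tab while the surrounding code uses four spaces.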

<<attachment: EFail-Test.mbx.zip>>

Attachment: pgp3pOKTTNtp6.pgp
Description: PGP signature

_______________________________________________
balsa-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/balsa-list