Opened 12 months ago

Closed 2 months ago

Last modified 7 weeks ago

#22484 closed enhancement (fixed)

TB 52+ leaks installed dictionary

Reported by: Fleming
Owned by: sukhbir
Priority: Medium
Milestone:
Component: Applications/TorBirdy
Version:
Severity: Normal
Keywords:
Cc: mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

TB 52 introduced a new header Content-Language with no option to turn it off.

Official changelog says about that: Dictionary setting is restored when editing a draft. Content-Language header (RFC 3282) transmitted with message.

Mentioned RFC warns us (Paragraph 4, Security considerations) that incorrect implementation would lead to a privacy leak, which truly happens. For example, you could forge name, timezone and IP to pretend to be a citizen of Iceland, but Content-Language header would leak Content-Language: ru-English, meaning the author rather comes from Eastern Europe.

What shall we do about that?

Change History (9)

comment:1 Changed 12 months ago by arma

Is there a ticket for "there's no about:config setting for changing it" in the mozilla bugtracker?

comment:2 Changed 12 months ago by sukhbir

This is interesting. Have you been able to reproduce this bug? (I will try shortly but I thought I should ask you as well.)

comment:3 Changed 12 months ago by cypherpunks

That's not a bug, it's a feature! If you receive an email (or re-edit a draft), Thunderbird 52 uses the Content-Language header field to pick the right dictionary if installed.

On my machine it's reproducible, every email I send (except gpg emails) has the header field Content-Language: with the language option depending on the used dictionary, e.g. en-US.

Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit

comment:4 Changed 12 months ago by mcs

Cc: mcs added

comment:5 in reply to:  1 Changed 12 months ago by Fleming

Replying to arma:

Is there a ticket for "there's no about:config setting for changing it" in the mozilla bugtracker?

Found one here https://bugzilla.mozilla.org/show_bug.cgi?id=1370217

comment:6 Changed 2 months ago by sukhbir

Thanks for reporting! Fixed in 63fa6e5, at least in TorBirdy where we intercept and set the "Content-Language" header to "en-US" for all installations. I will also try to submit a patch for the upstream bug so that this is fixed in Thunderbird for all users.

comment:7 Changed 2 months ago by sukhbir

Resolution: fixed
Status: new → closed

comment:8 Changed 8 weeks ago by Fleming

@sukhbir, by God, please do submit a patch, since core Thunderbird devs still postpone, that’s why 38 ESR is still used on my end, which inserts no such header. Precisely, idea is not to substitute used dictionary, but to make a preference in about:config that turns off Content-Language header at all, since presence of this header reveals Thunderbird is the very app used to send and receive mails.

comment:9 in reply to:  8 Changed 7 weeks ago by sukhbir

Replying to Fleming:

@sukhbir, by God, please do submit a patch, since core Thunderbird devs still postpone, that’s why 38 ESR is still used on my end, which inserts no such header. Precisely, idea is not to substitute used dictionary, but to make a preference in about:config that turns off Content-Language header AT ALL, since presence of this header reveals Thunderbird is the very app used to send and receive mails.

Yes I plan to submit a patch for this. Thanks for reporting!
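
One way to check saved outgoing mail for the header discussed in this ticket, as an added example that is not TorBirdy's or Thunderbird's code: it lists every Content-Language header in a message, including those on nested MIME parts, and then either pins the value to "en-US" (the approach described in comment:6) or strips the header (the behaviour requested in comment:8). The function names, the `PINNED` constant and the sample message are assumptions made for illustration.

```python
from email import message_from_string, policy

PINNED = "en-US"  # value comment:6 says TorBirdy sets for all installations

# Constructed sample message (not taken from the ticket).
SAMPLE = """\
From: alice@example.org
To: bob@example.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"
Content-Language: ru

--b1
Content-Type: text/plain; charset=utf-8
Content-Language: ru

hello
--b1
Content-Type: text/html; charset=utf-8

<p>hello</p>
--b1--
"""

def find_language_headers(msg):
    """Return (part_path, value) for every Content-Language header,
    on the top-level message and on each nested MIME part."""
    found = []
    def walk(part, path):
        for value in part.get_all("Content-Language", []):
            found.append((path, str(value).strip()))
        if part.is_multipart():
            for i, child in enumerate(part.iter_parts()):
                walk(child, f"{path}.{i + 1}")
    walk(msg, "root")
    return found

def normalize(msg, mode="pin"):
    """mode='pin' rewrites each existing header to PINNED; 'strip' removes it."""
    for part in msg.walk():
        if part.get_all("Content-Language"):
            del part["Content-Language"]  # deletes every occurrence on this part
            if mode == "pin":
                part["Content-Language"] = PINNED
    return msg

if __name__ == "__main__":
    msg = message_from_string(SAMPLE, policy=policy.default)
    print(find_language_headers(msg))
    print(find_language_headers(normalize(msg)))
```

Parts that carried no Content-Language header are left without one in both modes, so pinning does not add the header where the client did not send it.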