Opened 5 years ago

Closed 5 years ago

#6392 closed defect (fixed)

prevent leak of msg-id of original mail when forwarding a mail

Reported by: tagnaq Owned by: ioerror
Priority: Medium Milestone:
Component: Applications/TorBirdy Version:
Severity: Keywords:
Cc: sukhbir.in@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When forwarding an email the mail header contains the msg-id of the original received email, this might be a problem to the forwarding person.

We should remove the following header fields in forwarded mails:

References:
In-Reply-To:
X-Forwarded-Message-Id:

There are two scenarios where this can happen:

  • user hits the Forward button
  • user hits the Reply button and replaces the recipients

btw: also the body contains parts of the original mail header (when hitting the Forward button) but this can easily be seen by the forwarding person and easily be modified/removed (we do not modify the body).

Child Tickets

Change History (6)

comment:1 Changed 5 years ago by sukhbir

Cc: sukhbir.in@… added

Fixed in the latest commit.

comment:2 Changed 5 years ago by tagnaq

I'm wondering whether this was implemented for forwarded emails only or for all emails regardless of the send method (reply or forward).
This guess came up because you recently seem to break threats (msg-ids: 500777B4.7060309@…
5009B998.30904@…).

comment:3 in reply to:  2 ; Changed 5 years ago by sukhbir

Replying to tagnaq:

I'm wondering whether this was implemented for forwarded emails only or for all emails regardless of the send method (reply or forward).

This has been implemented for all emails, regardless of the send method (we do this when the message is sent, so how it is sent doesn't matter).

Please let me know off list which messages you are referring to so that I can check.

comment:4 in reply to:  3 ; Changed 5 years ago by tagnaq

Replying to sukhbir:

This has been implemented for all emails, regardless of the send method (we do this when the message is sent, so how it is sent doesn't matter).

OK so my guess is confirmed.

I'll refer to my email from 2012-07-15:

> Seems interesting, I didn't know:
> http://www.jwz.org/doc/threading.html ... so let's just remove it.

I wouldn't want to break threading - so simply removing it always is
not the way to go.
I think for now it would be enough to remove these headers when a user
forwards a message.
For later we can come up with additional scenarios (i.e. user hits
reply but removes the original sender from the recipient list).

comment:5 in reply to:  4 Changed 5 years ago by sukhbir

Replying to tagnaq:

OK so my guess is confirmed.

Uh oh, I missed that point.

Fixed in the latest commit.

comment:6 Changed 5 years ago by tagnaq

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.