diff --git a/test/T356-protected-headers.sh b/test/T356-protected-headers.sh index cbed3781..746c4760 100755 --- a/test/T356-protected-headers.sh +++ b/test/T356-protected-headers.sh @@ -99,6 +99,13 @@ output=$(notmuch search --format=json 'id:protected-header@crypto.notmuchmail.or test_json_nodes <<<"$output" \ 'subject:[0]["subject"]="This is a protected header"' +test_begin_subtest "indexed protected subject is not visible in reply header" +test_subtest_known_broken +output=$(notmuch reply --format=json 'id:protected-header@crypto.notmuchmail.org') +test_json_nodes <<<"$output" \ + 'subject:["original"]["headers"]["Subject"]="This is a protected header"' \ + 'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"' + test_begin_subtest "verify correct protected header when submessage exists" output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment@crypto.notmuchmail.org) test_json_nodes <<<"$output" \ diff --git a/test/T358-emacs-protected-headers.sh b/test/T358-emacs-protected-headers.sh index a631223e..765511d4 100755 --- a/test/T358-emacs-protected-headers.sh +++ b/test/T358-emacs-protected-headers.sh 
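Review bot: Both JSON nodes in the new "indexed protected subject is not visible in reply header" subtest sit under one `test_subtest_known_broken`, so a regression in the `["original"]["headers"]["Subject"]` check would be reported as the same expected failure as the `reply-headers` check. If the `original` node already passes today (the hunk does not show this), move it into its own subtest without the known-broken marker and keep only `'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'` here. A one-line comment above the subtest would also help, for example `# reply-headers seed the outgoing draft, so they must carry the external subject even when the index holds the protected one`. The word "indexed" in the title presumably relies on index state set up earlier in the file, outside this hunk.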
@@ -51,6 +51,29 @@ This is the sekrit message EOF test_expect_equal_file EXPECTED OUTPUT +# notmuch-emacs still leaks the subject line; as long as it leaks the +# subject line, it should emit the external subject, not the protected +# subject, even if it knows what the true subject is: +test_begin_subtest "Reply within emacs to a message with protected headers, not leaking subject" +test_emacs "(let ((message-hidden-headers '())) + (notmuch-show \"id:protected-header@crypto.notmuchmail.org\") + (notmuch-show-reply) + (test-output))" +cat <EXPECTED +From: Notmuch Test Suite +To: test_suite@notmuchmail.org +Subject: Re: Subject Unavailable +In-Reply-To: +Fcc: ${MAIL_DIR}/sent +References: +--text follows this line-- +<#secure method=pgpmime mode=signencrypt> +test_suite@notmuchmail.org writes: + +> This is the sekrit message +EOF +test_expect_equal_file EXPECTED OUTPUT + # protected headers should behave differently after re-indexing test_begin_subtest 'defaulting to indexing cleartext' test_expect_success 'notmuch config set index.decrypt true' @@ -67,4 +90,26 @@ End of search results. EOF test_expect_equal_file EXPECTED OUTPUT +# notmuch-emacs still leaks the subject line: +test_begin_subtest "don't leak protected subject during reply, even if indexed" +test_subtest_known_broken +test_emacs "(let ((message-hidden-headers '())) + (notmuch-show \"id:protected-header@crypto.notmuchmail.org\") + (notmuch-show-reply) + (test-output))" +cat <EXPECTED +From: Notmuch Test Suite +To: test_suite@notmuchmail.org +Subject: Re: Subject Unavailable +In-Reply-To: +Fcc: ${MAIL_DIR}/sent +References: +--text follows this line-- +<#secure method=pgpmime mode=signencrypt> +test_suite@notmuchmail.org writes: + +> This is the sekrit message +EOF +test_expect_equal_file EXPECTED OUTPUT + test_done
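Review bot: The comment above "Reply within emacs to a message with protected headers, not leaking subject" says notmuch-emacs "still leaks the subject line" without saying where, which reads oddly on a subtest that is expected to pass. Judging from the expected draft, the `Subject:` header sits outside the `<#secure method=pgpmime mode=signencrypt>` part, so I would spell that out: `# the draft's Subject: header is sent outside the encrypted part, so the reply must reuse the external subject ("Subject Unavailable"), never the protected one`. The `(let ((message-hidden-headers '())) ...)` binding also deserves a comment; it presumably makes every draft header, including `In-Reply-To:` and `References:`, part of the compared output.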
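Review bot: The known-broken subtest "don't leak protected subject during reply, even if indexed" repeats the `test_emacs` form and the whole EXPECTED draft from the earlier hunk in this file, and its comment `# notmuch-emacs still leaks the subject line:` does not say what differs. The difference appears to be the preceding `notmuch config set index.decrypt true` and re-index, so the comment should name it: `# with cleartext indexed, the reply draft picks up the protected subject and would expose it in the unencrypted Subject: header`. Moving the shared emacs form and expected draft into one small shell function called by both subtests would keep the two expectations from drifting apart when the draft format changes.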