test: avoid showing legacy-display parts

Enigmail generates a "legacy-display" part when it sends encrypted
mail with a protected Subject: header.  This part is intended to
display the Subject for mail user agents that are capable of
decryption, but do not know how to deal with embedded protected
headers.

This part is the first child of a two-part multipart/mixed
cryptographic payload within a cryptographic envelope that includes
encryption (that is, it is not just a cleartext signed message).  It
uses Content-Type: text/rfc822-headers.

That is:

A └┬╴multipart/encrypted
B  ├─╴application/pgp-encrypted
C  └┬╴application/octet-stream
*   ╤ <decryption>
D   └┬╴multipart/mixed; protected-headers=v1 (cryptographic payload)
E    ├─╴text/rfc822-headers; protected-headers=v1 (legacy-display part)
F    └─╴… (actual message body)

In discussions with jrollins, i've come to the conclusion that a
legacy-display part should be stripped entirely from "notmuch show"
and "notmuch reply" now that these tools can understand and interpret
protected headers.

You can tell when a message part is a protected header part this way:

 * is the payload (D) multipart/mixed with exactly two children?
 * is its first child (E) Content-Type: text/rfc822-headers?
 * does the first child (E) have the property protected-headers=v1?
 * do all the headers in the body of the first child (E) match
   the protected headers in the payload part (D) itself?

If this is the case, and we already know how to deal with the
protected header, then there is no reason to try to render the
legacy-display part itself for the user.

Furthermore, when indexing, if we are indexing properly, we should
avoid indexing the text in E as part of the message body.

'notmuch reply' is an interesting case: the standard use of 'notmuch
reply' will end up omitting all mention of protected Subject:.

The right fix is for the replying MUA to be able to protect its
headers, and for it to set them appropriately based on headers found
in the original message.

If a replying MUA is unable to protect headers, but still wants the
user to be able to see the original header, a replying MUA that
notices that the original message's subject differs from the proposed
reply subject may choose to include the original's subject in the
quoted/attributed text. (this would be a stopgap measure; it's not
even clear that there is user demand for it)

This test suite change indicates what we want to happen for this case
(the tests are currently broken), and includes three additional TODO
suggestions of subtle cases for anyone who wants to flesh out the test
suite even further.  (i believe all these cases should be already
fixed by the rest of this series, but haven't had time to write the
tests for the unusual cases)

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
Daniel Kahn Gillmor 2019-08-29 11:38:48 -04:00 committed by David Bremner
parent 1b29822cf5
commit 27b25e45dc
2 changed files with 73 additions and 0 deletions

View file

@ -136,4 +136,37 @@ id:nested-rfc822-message@crypto.notmuchmail.org
id:protected-header@crypto.notmuchmail.org id:protected-header@crypto.notmuchmail.org
id:subjectless-protected-header@crypto.notmuchmail.org' id:subjectless-protected-header@crypto.notmuchmail.org'
test_begin_subtest "when rendering protected headers, avoid rendering legacy-display part"
test_subtest_known_broken
output=$(notmuch show --format=json id:protected-with-legacy-display@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
'subject:[0][0][0]["headers"]["Subject"]="Interrupting Cow"' \
'no_legacy_display:[0][0][0]["body"][0]["content"][1]["content-type"]="text/plain"'
test_begin_subtest "when replying, avoid rendering legacy-display part"
test_subtest_known_broken
output=$(notmuch reply --format=json id:protected-with-legacy-display@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \
'no_legacy_display:["original"]["body"][0]["content"][1]["content-type"]="text/plain"'
test_begin_subtest "do not treat legacy-display part as body when indexing"
test_subtest_known_broken
output=$(notmuch search --output=messages body:interrupting)
test_expect_equal "$output" ''
test_begin_subtest "identify message that had a legacy display part skipped during indexing"
test_subtest_known_broken
output=$(notmuch search --output=messages property:index.repaired=skip-protected-headers-legacy-display)
test_expect_equal "$output" id:protected-with-legacy-display@crypto.notmuchmail.org
# TODO: test that a part that looks like a legacy-display in
# multipart/signed, but not encrypted, is indexed and not stripped.
# TODO: test that a legacy-display in a decrypted subpart (not in the
# cryptographic payload) is indexed and not stripped.
# TODO: test that a legacy-display inside multiple MIME layers that
# include an encryption layer (e.g. multipart/encrypted around
# multipart/signed) is stripped and not indexed.
test_done test_done

View file

@ -0,0 +1,40 @@
From: test_suite@notmuchmail.org
To: test_suite@notmuchmail.org
Subject: Subject Unavailable
Date: Sat, 01 Jan 2000 12:00:00 +0000
Message-Id: <protected-with-legacy-display@crypto.notmuchmail.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="=-=-=";
protocol="application/pgp-encrypted"
--=-=-=
Content-Type: application/pgp-encrypted
Version: 1
--=-=-=
Content-Type: application/octet-stream
-----BEGIN PGP MESSAGE-----
hIwDxE023q1UqxYBBACkgwtKOAP+UlKYDzYkZY+gDuMNKnHjWIvv2Cdnovy40QzL
5sbuib40y7orO+MqYMCWpoFtgBVsGiOUE3bZAg8n3Ji38/zVGwQveu6sh7SAy0Q9
zFEvLhtajw17nPe+QH2UmIyfVikA57Mot13THq4i6C4ozVCyhyIltx+sNJkmw9Lp
AdQd+cgCMRSMbi++eRwIi4zgxKrfAoGOmdMiVzBrh3yZqnbI0rCxJIKu7gEWuQLT
7BuvN2bJUkPGLAUhUanFararVoD7WWOl67IlWFkyncES0PRskUf9coV68WZnYjsR
Y3LdLnha1sdMwUNeBKQ44XBd2e7mXbDSp1cSjTDf9euwB4m7uQFTLwoQ8Of+LmQD
KMHzjmucbkNAIpfAjcDusTA/oaaqUiEgGIgYYMDqG1CaaxdT55S7tMjW5yJryQmo
pg65jrUMgEn5XHZ+KI2OsCmwGdoBYNau8p1a2hsiKhHJmLUeEAu34gFI3hylIOC0
0KC40d0zTSb0s7SZuTrD6vYgiXG9aFktHvAWFH0ATCts7qyiRN7k5jt7yWfRntE2
UCexTGE3TH7aju+IqDPC1XsaKF4T3CVhdr8WmKCa+0VOaw7xHRGYnzq9y91GcaCx
8AcoZ3kYs+f2LIn+T667A0KKP4Z6OmLjCx3b1RvRUQYR9taruEMAQbIuAajiyTe9
KfUrsUULZfInE50x+OneYvDhzoSgSJoHIK+18X/wo6YcyleJ9fZxCQ/vaXTDkAeF
ve7TFcbIqmJ4MHygXILHUuDwp7P4t/tIL7SZwja70P3digjsgoNZY29VTnU8uyIb
d6eOjgpeNVhRjDWxbUvhFD7i4rHCi/bbXFlW0cCXoiaVQBtYmiNysRoRZOv0h3TW
q/+/UmqkaQFnF3zp5sr87y+ValItgPWmb9Ds0lyAoSvQx35zVh8DFfH04m7hmsb7
gcvemlPTAnQWkIMC3c/bZWgt8tNcG7tQeUMWd9n4281y/hApbm90x2NLzEqvVcRq
K0iIgVxbCHSKqGh4TtbIwpNhzSP+KHYkZ8h6+QUDRwGEV9QqZKg=
=2O0V
-----END PGP MESSAGE-----
--=-=-=--