The User-Agent: header can be fun and interesting, but it also leaks
quite a bit of information about the user and their software stack.
This represents a potential security risk (attackers can target the
particular stack) and also an anonymity risk (a user trying to
preserve their anonymity by sending mail from a non-associated account
might reveal quite a lot of information if their choice of mail user
agent is exposed).
This change also avoids hiding the User-Agent header by default, so
that people who decide they want to send it will at least see it (and
can edit it if they want to) before sending.
It makes sense to have safer defaults.
Many of the external links found in the notmuch source can be resolved
using https instead of http. This changeset addresses as many as i
could find, without touching the e-mail corpus or expected outputs
found in tests.
When composing messages (including replies, etc.), indicate to
`message-mode' definitively that the message is email (as opposed to
Usenet news) rather than having it attempt to determine this for itself.
This causes `message-mode' to observe such variables as
`message-default-mail-headers', which previously happened haphazardly.
Please put my address in CC when replying. Thanks!
From 4b9ab261a0ea8a31065e310c5150f522be86d37b Mon Sep 17 00:00:00 2001
From: stefan <aeuii@posteo.de>
Date: Fri, 8 Apr 2016 22:47:06 +0200
Subject: [PATCH] emacs: make use of `message-make-from'
Will respect `mail-from-style'.
Add a customizable function specifying which parts get a header when
replying, and give some sensible possiblities. These are,
1) all parts except multipart/*. (Subparts of a multipart part do
receive a header button.)
2) only included text/* parts.
3) Exactly as in the show buffer.
4) None at all. This means the reply contains a mish-mash of all the
original message's parts.
In the test suite we set the choice to option 4 to match the
previous behaviour.
Use the message display code to generate message text to cite in
replies.
For now we set insert-headers-p function to
notmuch-show-reply-insert-header-p-never so that, as before, we don't
insert part buttons.
With that choice of insert-headers-p function there is only one
failing test: this test has a text part (an email message) listed as
application/octet-stream. Notmuch show displays this part, but the
reply code omitted it as it had type application/octet-stream. The new
code correctly includes it. Thus update the expected output to match.
As pointed out by David Bremner, Elisp manual says "A common pitfall
is to use a quoted constant list as a non-last argument to ‘nconc’."
Since this was the case in recently added code, we fix it here.
notmuch-mua-mail ignored the switch-function argument and always used
the function returned by notmuch-mua-get-switch-function instead. In
order to support standard emacs interfaces (compose-mail in this
case), this commit changes notmuch-mua-mail to use the switch-function
argument if it is non-nil and notmuch-mua-get-switch-function
otherwise.
Commit 570c0aeb40 reworked
notmuch-mua-mail function in a way that worked only under Emacs 24.
The reason was that message-setup-1 took one argument less in Emacs
23.
We fix this by only supplying the return-action argument when it is
actually set by the caller.
Recent addition of notmuch-message-mode introduced several problems:
1. When message-setup-hook is used to set buffer local variables,
these settings are not effective, because all buffer local
variables are immediately erased by notmuch-message-mode
initialization.
2. message-mode-hook gets invoked twice - first when message-mail
invokes message-mode and second when notmuch-mua-mail invokes
notmuch-message-mode.
This commit fixes these problems by replacing a call to message-mail
with notmuch-specific code that is (hopefully) equivalent to
message-mail functionality before introduction of
notmuch-message-mode.
We first initialize notmuch-message-mode with
notmuch-mua-pop-to-buffer, which is a modified version of
message-pop-to-buffer and then call message-setup-1, which is the only
functionality of message-mail that is needed for notmuch.
Flyspell mode uses a special setting for message-mode to not
spell-check message headers except Subject. Apply this setting also to
notmuch-message-mode.
This allows e.g. Gnus users to load this file without changing
message-mode behaviour.
This will disable completion for those that did not customize the
variable but relied on the existence of a file named "notmuch-addresses"
in their path. In the next commit the default behaviour will change to
use a "workalike" internal completion mechanism.
Previously we globally modified these variables, which tended to cause
problems for people using message-mode, but not notmuch-mua-mail, to
send mail.
User visible changes:
- Calling notmuch-fcc-header-setup is no longer optional. OTOH, it
seems to do the right thing if notmuch-fcc-dirs is set to nil.
- The Fcc header is visible during message composition
- The name in the mode line is changed, and no longer matches exactly
the menu label.
- Previously notmuch-mua-send-and-exit was never called. Either we
misunderstood define-mail-user-agent, or it had a bug. So there was
no difference if the user called message-send-and-exit directly. Now
there will be.
- User bindings to C-c C-c and C-c C-s in message-mode-map are
overridden. The user can override them in notmuch-message-mode-map,
but then they're on their own for Fcc handling.
This is to provide a clean way of overriding e.g. keybindings when
sending mail from notmuch.
This is needed in particular to allow somewhere to dynamically bind
certain message-mode variables which are not respected when buffer-local. See e.g.
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=21174
Now that we have `notmuch-emacs-version' defined in notmuch emacs MUA
use that as a part of User-Agent: header to provide more accurate
version information when sending emails.
In case some incomplete installation of notmuch emacs MUA is used and
`notmuch-emacs-version' is defined as "unknown" then fall back to ask
version info from cli (as it used to be before this commit).
Requiring notmuch-version[.elc] and if that is missing setting
"fallback" notmuch-emacs-version (to "unknown") was moved from
notmuch.el to notmuch-lib.el as notmuch-mua.el (which provides
User-Agent: information) require's the latter.
Make a new customizable variable instead of relying on
message-cite-function because the default for the latter changed
between emacs releases.
The defcustom is borrowed from the message.el source, with minor
modifications.
When the user begins forwarding a message, the resulting composition
buffer should not be marked as modified, in order that it can
immediately be killed without prompting.
It was decided that auto-signing is potentially too troublesome for the
apparently common case of users who enable crypto processing for the
purpose of checking signature validity but who are not in a position to
sign out-going messages. Users can still manually invoke signing as needed.
Encrypting replies to encrypted messages is more of a security issue
so we leave it in place.
This is a simple approach to improving security when replying to
signed or encrypted messages. If the message being replied to was
signed, add mml tag to sign the reply. If the message being replied to
was encrypted, add mml tag to sign and encrypt the reply.
This may need configuration; I for one might want to encrypt replies
to encrypted messages, but not always sign replies to signed messages.
This still includes a slight bug: if any mml tags are added, they are
included in the region containing the quoted parts. Killing the region
will kill the mml tags too.
We push mark on reply so user can cut the quote. Push the mark before
signature, if any, instead of end of buffer so the signature is
preserved.
This is consistent with message-kill-to-signature.
`notmuch-mua-prompt-for-sender' is over-engineered and often wrong.
It attempts to detect when all identities have the same name and
specialize the prompt to just the email address part. However, to do
this it uses `mail-extract-address-components', which is meant for
displaying email addresses, not general-purpose parsing, and hence
performs many canonicalizations that can interfere with this use. For
example, configuring notmuch-identities to ("Austin
<austin@example.com>"), will cause `notmuch-mua-prompt-for-sender' to
lose the name part entirely and return " <austin@example.com>".
This patch rewrites `notmuch-mua-prompt-for-sender' to simply prompt
for a full identity when notmuch-identities is configured, or to
prompt for a sender address when it isn't.
The original code also did several strange things, like using `eval'
and specifying that this function was interactive. As a side-effect,
this patch fixes these problems. And it adds a docstring.
Previously, we used `message-forward' to build forwarded messages, but
this function is simply too high-level to be a good fit for some of
what we do.
First, since `message-forward' builds a full forward message buffer
given the message to forward, we have to duplicate much of the logic
in `notmuch-mua-mail' to patch the notmuch-y things into the built
buffer.
Second, `message-forward' constructs the From header from
user-full-name and user-mail-address. As a result, if we prompt the
user for an identity, we have to parse it into name and address
components, just to have it put back together by `message-forward'.
This process is not entirely loss-less because
`mail-extract-address-components' does a lot of canonicalization
(since it's intended for displaying addresses, not for parsing them).
To fix these problems, don't use `message-forward' at all.
`message-forward' itself is basically just a call to `message-mail'
and `message-forward-make-body'. Do this ourselves, but call
`notmuch-mua-mail' instead of `message-mail' so we can directly build
a notmuch-y message and control the From header.
This also fixes a bug that was a direct consequence of our use of
`mail-extract-address-components': if the user chose an identity that
had no name part (or the name part matched the mailbox), we would bind
user-full-name to nil, which would cause an exception in the bowels of
message-mode because user-full-name is expected to always be a string
(even if it's just "").
In current emacs (24.3) select-active-regions is set to t by
default. The reply insertion code sets the region to the quoted
message to make it easy to delete (kill-region or C-w). These two
things combine to put the quoted message in the primary selection.
This is not what the user wanted and is a privacy risk (accidental
pasting of the quoted message). We can avoid some of the problems
by let-binding select-active-regions to nil. This fixes if the
primary selection was previously in a non-emacs window but not if
it was in an emacs window. To avoid the problem in the latter case
we deactivate mark.
One key test (which fails under many simpler "fixes") is: open emacs
24.3 with notmuch, open 2 windows (viewing different notmuch buffers),
highlight some text in one, and then reply to a message in the
other. In many of my earlier attempts to fix this big this test fails.
This improves the function documentation for many interactive
commands, either by improving their documentation string where the
improvement also makes sense for programmatic use or by adding a
'notmuch-doc property where it doesn't.
For nearly all commands that support a prefix argument, this adds a
'notmuch-prefix-doc property to document their prefixed behavior This
omits prefix documentation for a few commands where I thought the
prefixed behavior was too obscure (or too complex to fit in one line).
Like `notmuch-mua-new-forward-message', this is meant to be invoked
programmatically by something that can provide a reasonable query
string.
In fact, `notmuch-mua-new-reply's interactive specification didn't
match its arguments, so it wouldn't have worked interactively.
`notmuch-mua-new-forward-message' must be called from a buffer
containing a raw RFC2822-formatted message to forward. Hence, it's
intended to be invoked programmatically through something else that
sets up this buffer (like `notmuch-show-forward-message'), not
interactively.
Remove its interactive specification and update the documentation
string to mention the requirements on the current buffer.
When composing a reply, notmuch-mua-reply attempts to cite the
the original message by inserting it before the user signature, if
one is present. The existing method used to search the signature
separator backward from the end of the buffer and then move one
line up. In case of variable `message-signature-insert-empty-line'
being nil this caused point to go to the beginning of
'--text follows this line--'
separator line, and citation was inserted there.
This change checks the value of `message-signature-insert-empty-line'
and doesn't move point if that is nil. Additional narrowing to
the body region ensures that point never goes to the separator line
(or beyond).
`message-signature-setup-hook' or `message-setup-hook' may already have
added some other content to the message body, therefore using simply
(message-goto-body) to move point to the beginning of body might lead
to unexpected results.
Original patch from "Geoffrey H. Ferrari", continued with iterations
from Jani and Mark.
In reply, insert quotable parts using notmuch-show-insert-bodypart
instead of calling notmuch-mm-display-part-inline directly to render
the quoted parts as they are rendered in show view.
We use a temp buffer to not leak text properties from the show
renderer into the reply. This way we also don't need to worry about
narrowing or point placement. Credits to Mark Walters
<markwalters1009@gmail.com> and Austin Clements <amdragon@MIT.EDU> for
getting this part straight.
The notable change is that replies to text/calendar parts quote the
pretty printed output of icalendar-import-buffer rather than the ugly
raw vcalendar.
Notmuch cli provides all structured data previously provided
in json format now in s-expression format, rendering all current
json functionality obsolete.
This switches `notmuch-mua-reply' and `notmuch-query-get-threads' to
the S-exp format. These were the last two uses of the JSON format in
the Emacs frontend.
Sometimes, notmuch reply outputs something to stderr, for example:
"Failed to verify signed part: Cannot verify multipart/signed part:
unsupported signature protocol". When this happens, replying in emacs
fails, because emacs cannot parse the error message as JSON.
This patch causes emacs to ignore stderr when reading reply from
notmuch.
Introduce a new defcustom notmuch-mua-compose-in that allows users to
specify where new mails are composed, either in the current window or
in a new window or frame.
Signed-off-by: Jameson Rollins <jrollins@finestructure.net>
Quote non-text parts nicely by displaying them with mm-display-part
before calling message-cite-original to quote them. HTML-only emails
can now be quoted correctly. We re-use some code from notmuch-show
(notmuch-show-mm-display-part-inline), which has been moved to
notmuch-lib.el.
Mark the test for this feature as not broken.
In the new reply code, the References header gets inserted by
message.el using a function called message-shorten-references. Unlike
all the other header-inserting functions, it doesn't put a newline
after the header, causing the next header to end up on the same
line. In our case, this header happened to be User-Agent, so it's hard
to notice. This is probably a bug in message.el, but we need to work
around it.
This fixes the problem by wrapping message-shorten-references in a
function that inserts a newline after if necessary. This should
protect against the message.el bug being fixed in the future.
Bug 1: Replying from alternate addresses
----------------------------------------
The reply code was inconsistent in its use of symbols and strings for
header names being passed to message.el functions. This caused the
From header to be lookup up incorrectly, causing an additional From
header to be added with the user's primary address instead of the
correct alternate address.
This is fixed by using symbols everywhere, i.e. never using strings
for header names when interacting with message.el.
This change also removes our use of `mail-header`, since we don't use
it anywhere else, and using assq makes it clear how the header lists
are expected to work.
Bug 2: Duplicate headers in emacs 23.2
--------------------------------------
The message.el code in emacs 23.2 assumes that header names will
always be passed as symbols, so our use of strings caused
problems. The symptom was that on 23.2 (and presumably on earlier
versions) the reply message would end up with two of some headers.
Converting everything to symbols also fixes this issue.
Use the new JSON reply format to create replies in emacs. Quote HTML
parts nicely by using mm-display-part to turn them into displayable
text, then quoting them with message-cite-original. This is very
useful for users who regularly receive HTML-only email.
Use message-mode's message-cite-original function to create the
quoted body for reply messages. In order to make this act like the
existing notmuch defaults, you will need to set the following in
your emacs configuration:
message-citation-line-format "On %a, %d %b %Y, %f wrote:"
message-citation-line-function 'message-insert-formatted-citation-line
The tests have been updated to reflect the (ugly) emacs default.
The reply MML quoting added in commit ae438cc unintentionally MML
quotes also the signature/encryption MML tags added via
message-setup-hook, causing the reply not to be signed/encrypted.
MML quote just the original message in the temp buffer before
inserting it to the message buffer, to not interfere with message mode
hooks or message construction in general.
See [1] and [2] for bug reports.
Thanks to Tim Bielawa <tbielawa@redhat.com> for testing.
[1] id:"87hay78x6l.fsf@wyzanski.jamesvasile.com"
[2] id:"1330812262-28272-1-git-send-email-tbielawa@redhat.com".
Signed-off-by: Jani Nikula <jani@nikula.org>
As Aaron explains in id:"m2vco72tf3.fsf@wal122.wireless-pennnet.upenn.edu"
Using point-max would include the signature in the quoting as well.
It would probably be fairly odd to want to put an MML tag in one’s
signature, but that doesn’t mean that we should break that usage.
We had to use point-max in the 0.11.1 bug-fix release, because the
mark functionality was added post 0.11.