[#15122] Remote images are loaded when they should be blocked
Summary Remote images are loaded when they should be blocked
Queue IMP
Queue Version FRAMEWORK_5_2
Type Bug
State Unconfirmed
Priority 2. Medium
Owners
Requester wahnes (at) uni-koeln (dot) de
Created 10/12/2022 (945 days ago)
Due
Updated 10/12/2022 (945 days ago)
Assigned
Resolved
Milestone
Patch Yes

History
10/12/2022 01:08:20 PM wahnes (at) uni-koeln (dot) de Comment #1
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ Remote images are loaded when they should be blocked
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ Yes
New Attachment: imp-block-loading-of-remote-images-via-picture-source-srcset.patch
By default, Imp blocks the loading of images from a remote server in 
an HTML email, unless the user requests that remote images be loaded.
Blocking of remote image loading happens primarily when there is HTML 
code such as "<img src='http://www.example.com/picture.jpg'>" inside 
the HTML message.

In a recent report about a Horde vulnerability, which was focused on 
another problem, it was also mentioned that this feature of blocking 
remote image loading can easily be circumvented by using more 
elaborate HTML code. As detailed at 
<https://blog.sonarsource.com/horde-webmail-rce-via-email/>, remote 
images are in fact loaded when using an HTML construct that looks like 
this: "<picture><source srcset='...'></picture>".

To verify this, I set up a test HTML email that uses this "<picture>" 
trick. The image referenced in the HTML mail is indeed fetched from 
the remote server when this email is opened in Imp, even if the 
setting to block the loading of remote images is in place. If you 
like, I can share this test email with you.

The attached patch tries to fix this flaw by applying a similar 
blocking pattern to HTML "source" elements as is already applied to 
"img" elements. This code may need some more polishing to meet Horde's 
standards, but it does solve this issue when opening the test email. 
Note that this issue may not only have privacy implications, but in 
special cases may also have security implications, as outlined in the 
blog post.
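
The blocking pattern described in the comment above, as an added Python example that is neither the attached patch nor Horde code: it neutralizes remote references in both `img` and `source` elements, covering `src` as well as `srcset`, which goes slightly beyond the `srcset` case in the report. The function and class names, the `data:,` placeholder and the sample message are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

BLOCKED = "data:,"  # assumed placeholder: an empty data URL, fetches nothing
# Attributes that cause an image fetch, per element (img AND picture/source).
IMAGE_ATTRS = {"img": ("src", "srcset"), "source": ("src", "srcset")}

def has_remote(value):
    """True if any token of a src/srcset value points at a remote host.
    Splitting on commas and whitespace is deliberately coarse: it fails
    closed rather than parsing srcset candidates exactly."""
    tokens = re.split(r"[\s,]+", value.strip())
    return any(t.lower().startswith(("http://", "https://", "//")) for t in tokens)

class RemoteImageBlocker(HTMLParser):
    """Re-serializes HTML, replacing remote image references.
    Comments and declarations are dropped (no handler is defined for them)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, close=""):
        parts = [tag]  # HTMLParser has already lower-cased tag and attribute names
        for name, value in attrs:
            if value is not None and name in IMAGE_ATTRS.get(tag, ()) and has_remote(value):
                self.blocked.append((tag, name, value))
                value = BLOCKED
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + close + ">")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def block_remote_images(html):
    """Return (rewritten_html, list of (tag, attribute, original_value))."""
    parser = RemoteImageBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample message body: plain <img>, the <picture> construct, an inline cid: image.
SAMPLE = ("<p>Hi</p><img src='http://www.example.com/picture.jpg'>"
          "<picture><SOURCE SRCSET='https://tracker.example/a.png 1x, //tracker.example/b.png 2x'>"
          "<img src='cid:logo@local'></picture>")

if __name__ == "__main__":
    cleaned, hits = block_remote_images(SAMPLE)
    print(cleaned)
    print(hits)
```

A filter that lists only `("img", "src")` in `IMAGE_ATTRS` lets the `source` element in the sample through unchanged, which is the gap the ticket reports.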