dev.horde.org
5/15/25
Comment on [#15122] Remote images are loaded when they should be blocked
> By default, Imp blocks the loading of images from a remote server in
> an HTML email, unless the user requests that remote images be loaded.
> Blocking of remote image loading happens primarily when there is HTML
> code such as "<img src='http://www.example.com/picture.jpg'>" inside
> the HTML message.
>
> In a recent report about a Horde vulnerability, which was focused on
> another problem, it was also mentioned that this feature of blocking
> remote image loading can easily be circumvented by using more
> elaborate HTML code. As detailed at
> <https://blog.sonarsource.com/horde-webmail-rce-via-email/>, remote
> images are in fact loaded when using an HTML construct that looks like
> this: "<picture><source srcset='...'></picture>".
>
> To verify this, I set up a test HTML email that uses this "<picture>"
> trick. The image referenced in the HTML mail is indeed fetched from
> the remote server when this email is opened in Imp, even if the
> setting to block the loading of remote images is in place. If you
> like, I can share this test email with you.
>
> The attached patch tries to fix this flaw by applying a similar
> blocking pattern to HTML "source" elements as is already applied to
> "img" elements. This code may need some more polishing to meet
> Horde's standards, but it does solve this issue when opening the test
> email. Note that this issue may not only have privacy implications,
> but in special cases may also have security implications, as outlined
> in the blog post.
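The bypass described in the quoted comment comes down to which element/attribute pairs a remote-image filter watches. The following is an added example written for this ticket page; it is not Imp's code, not the attached patch, and does not use Horde's filter classes. It rewrites a mail's HTML with Python's standard-library parser under two rule tables: a naive one that only watches `<img src>` (the pre-patch behaviour the comment describes) and a hardened one that also watches `<source src>`/`<source srcset>`. It goes slightly beyond the ticket by also covering `srcset` on `<img>` and by treating scheme-relative `//host/...` URLs as remote; the attribute prefix `data-blocked-` and the rule tables are assumptions for the illustration. Inline `cid:` and `data:` references are left alone because fetching them does not contact a remote server.

```python
"""Added example (not Imp's or Horde's code): block remote image loads in HTML mail."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed rule tables: element -> attributes through which a browser can fetch an image.
NAIVE_RULES = {"img": ("src",)}                                   # only <img src>, as described pre-patch
HARDENED_RULES = {"img": ("src", "srcset"), "source": ("src", "srcset")}
BLOCKED_PREFIX = "data-blocked-"   # assumed: renamed attribute keeps the URL for a later "load images" click


def is_remote(url):
    """True for http(s) and scheme-relative URLs; cid:/data:/relative references are not remote."""
    u = url.strip().lower()
    if u.startswith("//"):
        return True
    return urlsplit(u).scheme in ("http", "https")


def srcset_has_remote(value):
    """srcset is a comma-separated list of 'url [descriptor]' candidates; block if any is remote."""
    for candidate in value.split(","):
        parts = candidate.strip().split()
        if parts and is_remote(parts[0]):
            return True
    return False


class RemoteImageBlocker(HTMLParser):
    """Re-emits the document, renaming watched attributes that point at remote images."""

    def __init__(self, rules):
        super().__init__(convert_charrefs=False)   # keep entity references as written
        self.rules = rules
        self.out = []
        self.blocked = 0

    def _render(self, tag, attrs, self_closing):
        watched = self.rules.get(tag, ())
        pieces = [tag]
        for name, value in attrs:
            if value is not None and name in watched:
                remote = srcset_has_remote(value) if name == "srcset" else is_remote(value)
                if remote:
                    name = BLOCKED_PREFIX + name
                    self.blocked += 1
            if value is None:
                pieces.append(name)
            else:
                pieces.append(f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(pieces) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def block_remote_images(html, rules=HARDENED_RULES):
    """Return (rewritten_html, number_of_blocked_attributes)."""
    parser = RemoteImageBlocker(rules)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed test mail reproducing the <picture><source srcset> trick from the ticket.
PICTURE_MAIL = (
    '<p>Hi</p><picture><source srcset="http://www.example.com/picture.jpg 1x">'
    '<img src="cid:inline@part" alt="x"></picture>'
)

if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("hardened", HARDENED_RULES)):
        out, n = block_remote_images(PICTURE_MAIL, rules)
        print(f"{label}: blocked={n}\n  {out}")
```

Under the naive table the `<source srcset>` passes through untouched and the mail client fetches the remote picture, which is exactly the leak the comment reports; under the hardened table the attribute is renamed, while the `cid:` inline image is still displayed. When auditing a filter like this, list every attribute the rendering engine can fetch from (for images that includes `src` and `srcset` on both `img` and `source`) rather than only the element the original report named.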