From ae438ccd8c77831158c7c30f19710d798ee4a6b4 Mon Sep 17 00:00:00 2001
From: Aaron Ecay <aaronecay@gmail.com>
Date: Fri, 3 Feb 2012 11:24:08 +0100
Subject: emacs: quote MML tags in replies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Emacs message-mode uses certain text strings to indicate how to attach
files to outgoing mail.  If these are present in the text of an email,
and a user is tricked into replying to the message, the user’s files
could be exposed.

Edited-by: Pieter Praet <pieter@praet.org>:  Rebased to release branch.
---
 NEWS | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index 3d2c2a84..a089e679 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,17 @@ Fix error handling in python bindings.
   exceptions to indicate the error condition. Any subsequent calls
   into libnotmuch caused segmentation faults.
 
+Quote MML tags in replies
+
+  MML tags are text codes that Emacs uses to indicate attachments
+  (among other things) in messages being composed.  The Emacs
+  interface did not quote MML tags in the quoted text of a reply.
+  User could be tricked into replying to a maliciously formatted
+  message and not editing out the MML tags from the quoted text.  This
+  could lead to files from the user's machine being attached to the
+  outgoing message.  The Emacs interface now quotes these tags in
+  reply text, so that they do not effect outgoing messages.
+
 
 Notmuch 0.11 (2012-01-13)
 =========================
-- 
cgit v1.2.3