aclocal.m4
author Ben Bucksch <ben.bucksch@beonex.com>
Mon, 21 May 2018 18:44:41 +0200
changeset 23964 96fab4a2b81189101231b12106823748c9a70a94
parent 19069 f94e12429e006d535f387dd07b7fbe3b39c54ae5
permissions -rw-r--r--
Bug 1419417 - Parse HTML to make sure that tags and attributes are properly closed. r=mkmelin,jorgk This fixes the efail <http://efail.de> security bug, which opens a HTML tag or attribute in an HTML MIME part, then puts in a PGP-encrypted part, and then another HTML part with the closing quote or tag. This could be e.g. <img src=' or <form><textarea>, CSS URL or similar features that send out the following text as URL and therefore leak it to the attacker who crafted the email. The PGP part will then be decrypted and leak. The bug was that we just passed HTML through verbatim. The frontend does not have any further precautions, either. The correct solution here is to jail each MIME part into a separate <iframe type="content"> in the UI. However, we don't want one scrollbar for each MIME part, but one scroll for the entire body. <iframe seamless> would allow that, but it was never implemented in Firefox and is now dead. We might later find a workaround, but this is more work and can't be done short term. The fix here in libmime first parses the HTML that we get in the HTML MIME part, and then immediately serialized it again. That ensures that the HTML document is complete, syntactically correct, and all tags and attributes are properly closed, before we start with the next MIME part.

dnl
dnl Local autoconf macros used with mozilla
dnl The contents of this file are under the Public Domain.
dnl

builtin(include, mozilla/build/autoconf/toolchain.m4)dnl
builtin(include, mozilla/build/autoconf/config.status.m4)dnl
builtin(include, mozilla/build/autoconf/nspr.m4)dnl
builtin(include, mozilla/build/autoconf/nss.m4)dnl
builtin(include, mozilla/build/autoconf/pkg.m4)dnl
builtin(include, mozilla/build/autoconf/codeset.m4)dnl
builtin(include, mozilla/build/autoconf/altoptions.m4)dnl
builtin(include, mozilla/build/autoconf/mozprog.m4)dnl
builtin(include, mozilla/build/autoconf/acwinpaths.m4)dnl
builtin(include, mozilla/build/autoconf/lto.m4)dnl
builtin(include, mozilla/build/autoconf/frameptr.m4)dnl
builtin(include, mozilla/build/autoconf/compiler-opts.m4)dnl
builtin(include, mozilla/build/autoconf/zlib.m4)dnl
builtin(include, mozilla/build/autoconf/expandlibs.m4)dnl

MOZ_PROG_CHECKMSYS()

# Read the user's .mozconfig script.  We can't do this in
# configure.in: autoconf puts the argument parsing code above anything
# expanded from configure.in, and we need to get the configure options
# from .mozconfig in place before that argument parsing code.
dnl MOZ_READ_MOZCONFIG(mozilla)