Breaking MIME concatenation

Patrick Brunschwig patrick at enigmail.net
Wed May 16 06:21:42 CEST 2018


On 15.05.18 17:53, Lukas Pitschl | GPGTools wrote:
> 
>> Am 15.05.2018 um 17:44 schrieb Patrick Brunschwig <patrick at enigmail.net>:
>>
>> I already tried a while ago to trick the Thunderbird HTML rendering
>> engine with tricks like this... They don't work. The rendering engine
>> ignores the </html> tag (and also tags like </body>).
>>
>> I think the correct solution must be to treat each MIME part
>> independently, i.e. it needs to be parsed independently by the HTML
>> engine and produce its own DOM tree. At the end, you can concatenate
>> these DOM trees and create a single correct HTML document.
> 
> I have also already tried to implement a similar fix for Apple Mail a few days ago,
> using <!--" <!-- --> which did work, but is probably a too naive attempt
> to mitigate against these XSS-kind of attacks. 
> 
> So I absolutely concur with Patrick's statement, that the Mime Parsers have
> to be adjusted to treat every text/html part as single DOM tree or even use different
> web document instances to represent the message.

I have actually thought through this during a sleepless night, and I
believe that it could work as a quick and easy to implement *short term*
measure until the mail clients have fixed the HTML rendering.

If we embed the complete result that we get from gpg into the following
wrapper, then we should be able to mitigate at least any known form of
the attack when it comes to calling a remote URL during message reading:


Content-Type: multipart/mixed; boundary="WRAPPER"
Content-Description: Efail protection wrapper

--WRAPPER
Content-Type: text/html

<!-- > <PRE style="visibility: visible; display: block; font: fixed;
font-size: 10px;"> -->
<!-- '> <PRE style="visibility: visible; display: block; font: fixed;
font-size: 10px;"> -->
<!-- "> <PRE style="visibility: visible; display: block; font: fixed;
font-size: 10px;"> -->

--WRAPPER
(result of PGP/MIME decryption)
--WRAPPER--


Does anyone see a major hole in this that I may have overseen? If not,
then I think I'll implement this in Enigmail until Thunderbird has fixed
this properly.

-Patrick
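As an added example (not Enigmail's code nor Patrick's), here is the wrapper above built with Python's email package, plus a structural check that the shield part carries all three sentinels; the decrypted sample entity is constructed, and the function names are hypothetical.

```python
# Added example: build the proposed Efail protection wrapper around the raw
# MIME entity returned by gpg, and sanity-check it before rendering.
import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# One <PRE> opener per syntactic context an attacker's unterminated tag may
# leave open before the decrypted part: bare tag, single quote, double quote.
PRE_OPEN = ('<PRE style="visibility: visible; display: block; font: fixed; '
            'font-size: 10px;">')
SENTINELS = [f"<!-- > {PRE_OPEN} -->",
             f"<!-- '> {PRE_OPEN} -->",
             f'<!-- "> {PRE_OPEN} -->']


def build_efail_wrapper(decrypted: bytes) -> bytes:
    """Wrap the decrypted MIME entity in multipart/mixed with a shield part first."""
    wrapper = MIMEMultipart("mixed", boundary="WRAPPER")
    wrapper["Content-Description"] = "Efail protection wrapper"
    wrapper.attach(MIMEText("\n".join(SENTINELS) + "\n", "html"))
    wrapper.attach(email.message_from_bytes(decrypted))  # result of decryption
    return wrapper.as_bytes()


def wrapper_is_sound(raw: bytes) -> bool:
    """True if raw is the wrapper: two parts, the first an HTML shield with all sentinels."""
    msg = email.message_from_bytes(raw)
    if msg.get_content_type() != "multipart/mixed" or msg.get_boundary() != "WRAPPER":
        return False
    parts = msg.get_payload()
    if len(parts) != 2 or parts[0].get_content_type() != "text/html":
        return False
    shield = parts[0].get_payload()
    return all(s in shield for s in SENTINELS)


# Constructed sample: what gpg might hand back after decrypting a PGP/MIME body.
SAMPLE_DECRYPTED = (b"Content-Type: text/plain; charset=us-ascii\n"
                    b"\n"
                    b"The quarterly numbers are attached.\n")

if __name__ == "__main__":
    wrapped = build_efail_wrapper(SAMPLE_DECRYPTED)
    print(wrapped.decode())
    print("wrapper sound:", wrapper_is_sound(wrapped))
```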



