    Check for spoofed sender addresses, only display the address if so. · 71e0e683
    Michael Gratton authored
    This adds a check for malware spoofing of RFC 822 mailbox addresses such
    as those found in Mailsploit, and if found only displays the email
    address part and not the mailbox name part.
    
    Part 1 of Mailsploit mitigation.
    
    * src/engine/rfc822/rfc822-mailbox-address.vala (MailboxAddress): Add new
      is_spoofed method to check if the mailbox address looks like it has
      been spoofed. Add is_distinct method to determine if the name and the
      label are the same. Do whitespace and non-printing character stripping
      when generating display versions of the mailbox address, rename methods
      to make it more obvious what they do and update call sites. Add unit
      tests to cover all this.
    
    * src/client/conversation-viewer/conversation-message.vala
      (ConversationMessage): Check name is distinct and is not valid before
      displaying it. Use new MailboxAddress methods for getting display
      versions of the address, to ensure we get the stripped versions of the
      addresses.
    
    * src/client/conversation-list/formatted-conversation-data.vala
      (ParticipantDisplay): Ensure full addresses are always HTML-markup
      escaped before displaying them as markup, to avoid dropping "<address>"
      values as invalid HTML. Always show the full address if an address is
      invalid.
    
    * src/engine/util/util-string.vala (reduce_whitespace): Strip not only
      whitespace but also non-printing characters. Add unit tests.
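
The display rule the commit message describes, as an added Python sketch that is not part of the commit and not Geary's Vala code. The function names mirror the commit's `reduce_whitespace`, `is_distinct` and `is_spoofed`, but their bodies, the `ADDR_LIKE` pattern, `to_display` and the sample mailboxes are assumptions constructed for illustration.

```python
import re
import unicodedata

# Loose "looks like an address" pattern: an assumption of this sketch, not an RFC 5322 parser.
ADDR_LIKE = re.compile(r"[^\s@<>\"']+@[^\s@<>\"']+")

def _non_printing(ch):
    # Control (Cc) and format (Cf) characters: NUL, zero-width space, bidi overrides, ...
    return unicodedata.category(ch) in ("Cc", "Cf")

def reduce_whitespace(text):
    """Drop non-printing characters, collapse whitespace runs to one space, trim."""
    kept = "".join(c for c in text if c.isspace() or not _non_printing(c))
    return " ".join(kept.split())

def is_distinct(name, address):
    """True if the cleaned name is non-empty and is not just the address repeated."""
    clean = reduce_whitespace(name)
    return bool(clean) and clean.casefold() != reduce_whitespace(address).casefold()

def is_spoofed(name, address):
    """Heuristic (assumed): hidden characters in the address, or a different address in the name."""
    if any(c.isspace() or _non_printing(c) for c in address):
        return True
    found = ADDR_LIKE.search(reduce_whitespace(name))
    return found is not None and found.group(0).casefold() != address.casefold()

def to_display(name, address):
    """Show 'Name <address>' only when the name is trustworthy, else the address alone."""
    clean_addr = reduce_whitespace(address)
    if is_spoofed(name, address) or not is_distinct(name, address):
        return clean_addr
    return f"{reduce_whitespace(name)} <{clean_addr}>"

# Constructed sample mailboxes (not taken from real mail).
SAMPLES = [
    ("Alice Example", "alice@example.com"),
    ("ceo@example.com", "mallory@example.net"),
    ("ceo\u200b@example.com", "mallory@example.net"),
    ("Alice", "alice\x00@example.net"),
]

if __name__ == "__main__":
    for name, addr in SAMPLES:
        print(repr(name), repr(addr), "->", to_display(name, addr))
```

The name check runs on the stripped name, so a zero-width character inserted before the `@` does not hide an embedded address from it.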