jdede / warnattachment
Thunderbird plugin to warn users against potentially dangerous attachments
License: GNU General Public License v3.0
Also check TNEF encoded attachments for example decoded with LookOut!
Sadly your addon isn't compatible with latest Thunderbird
Hello, I was trying to implement a new function of the plugin but I can't do it. I want to check, before sending a message, if there are any attachments and if so check if all attachments have an .asc or .gpg extension or any (because the options), and if any of them do not have one of these two extensions to display a warning to the user such as "Warning: the following attachments appear to be unencrypted. Are you sure you want to continue (SEND / CANCEL)". If the files have all of these extensions or if there are no attachments, there is no need to display a popup. Could you do it or show me how I can do it? Thank you!!
Hi there developer folks,
I was very happy to see warnattachment 2.1 show up for thunderbird. Just discovered some nasty stuff with it? Tested on 64bit Thunderbird 78.5.0 (windows) but also had some other 75.8.0 32bit on windows as well.
Situation:
sending very simple e.g. text-only mail, to myself, pop3 or imap account inside TB.
1. write simple mail to yourself
2. receive mail with TB and WA (2.1) addon installed
3. forward this email as attachment (.eml file being created in attachment area) to yourself again
4. receive email again via pop3/imap
5. open this email with an email embedded as attachment/.eml inside
6. click onto the .eml in the attachment area in the gui, or the email icon in the attachment area
7. this brings up the forwarded attached email in a new TB window. so far so good.
8. close this window again
9. try to work and use your TB again, for example just try to re-open this .eml/attached email object again
result: nothing happens ever again after this step 9, regarding attachment functions.
meaning: i can not make the .eml/forwarded email attached to open again
I also can not open any other type of attachments ever again after this step, so for example my other emails with e.g. say very simple stuff .pdf attached in them. I can not double click on those PDF attachments, I can not rightclick on the .pdf attachment there and make it appear/show/start the default PDF app etc..
only the very first attachment type of handling event seems to work in TB from now on.
Shutting down TB and restarting it, brings back functionality, for attachments, but exactly only for ONE attachment/event after that again.
Every second and following attempt to work/read/open/execute attachment objects apparently leads to no event being executed.
It's not that the TB gui is being blocked or hanging or anything. TB gui seems to be fine. Also no pending notification or popups are being seen, or no modal dialog boxes are blocking anything.
As far as I can tell.
Something is becoming stuck or blocked or something after the very first attachment event. I can tell for sure this happens when you start with .eml/attached-mails type of attachments. That's how some friends of mine reported back to me today that TB was broken or something was seriously wrong.
When simply disabling WA inside the addons-area (blue lever) the functionality returns.
Also .eml attachments are obviously NOT inside any warned or blocked attachment type in WA settings. Nor are e.g. PDF or anything.
It's about completely unblocked, unwarned attachment types.
That's at least as far as I can tell in this bugreport.
Please look into this quickly if possible. Thank you!
It would be awesome if this attachment would run on TB 91. For me it shows as incompatible on the Add-ons for Thunderbird page ("Works with Thunderbird 68.0 - 89.0").
This article mentions various potentially dangerous suffixes. Some of these might be worth adding:
.exe, .msi, .msp, .com, .gadget, .cmd, .vbe, .jse, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .lnk, .inf, .scf, .hta, .html, .htm, .js, .jar, .vbs, .vb, .sfx, .bat, .dll, .tmp, .py, .shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peta, .moka, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora, .reig, .tirp, .plam, .cosd, .ygkz, .cadq, .ribd, .qlkm, .coos, .wbxd, .pola
While testing your extension I noticed that trying to open a blocked file is prevented, saving the same file works.
Now I have a couple of PCs where I don't want any possibilities to open specific files.
Is there any chance this finds its way into your extension?
Thanks a lot and greetings
troillius
Hello developer team,
any chance of any speedy support for Thunderbird 78.x new extensions and addons mechanism, maybe called webextensions or whatnot. Unfortunately Mozilla keeps up bumping and changing APIs and structures too often and making a lot of experiments.
Any infos on 78+ compat and eta? Really appreciate this addon and piece of software for Thunderbird. For the noobs and masses this is really a security measure and a last line of defence.
Thanks again!
Tested the add-on with the current beta (115) and it seems not to work: No messages are shown. Maybe we have to get rid of the experiment.
Maybe @arai-a can check or has more information what has to be done?
There seem to be policy templates available e.g. at:
https://github.com/thundernest/policy-templates
Does anyone have experience with deploying WarnAttachment using policy templates? I would like to set the block/warn lists too.
Move the access to the attachment opener from the experiment to the main API. Steps suggested by John Bieling:
I stumbled across a situation in which the addon fails to detect the extension listed in warn list.
Namely, I received an email with the attachment file name in the following form "somefilename.pdf.xlsx". Per the settings, the file extension on which I should be getting warning covers XLSX, but not PDF. Here is a warn list from the settings: "DOC,DOCX,DOCM,PPT,PPTM,XLS,XLSM,XSLX,PPS,PPSM,HTML,HTM". The version I am running is 2.10.
I do not know how, but it looks like the code fails to identify the extension due to the multiple dots in the file name formatting. The code does look fine since it is addressing lastIndexOf.
let ext = attName.substring(attName.lastIndexOf(".")).toLowerCase();
Just a thought (although I do not work with JS), maybe using split instead of lastIndexOf or lastIndexOf(".")+1 could resolve the problem:
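// get the current file extension
let attName = o.displayName ? o.displayName : o.name;
// lower-case the name first, then split on dots (arrays have no toLowerCase)
var extArray = attName.toLowerCase().split(".");
// the last element is the extension, without the leading dot
let ext = extArray[extArray.length - 1];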
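An added example (not WarnAttachment's code; all function names are hypothetical) that applies the `lastIndexOf` approach to the reported file name and matches it against the warn list exactly as quoted in the report. The extracted extension is `xlsx`, while the quoted list contains the entry `XSLX`, so no entry matches.

```javascript
// Added example; not taken from the WarnAttachment source.
// Warn list copied verbatim from the report above.
const REPORTED_WARN_LIST =
  "DOC,DOCX,DOCM,PPT,PPTM,XLS,XLSM,XSLX,PPS,PPSM,HTML,HTM";

// Turn a comma-separated setting into a Set of lower-case extensions
// without a leading dot, so matching is case-insensitive.
function parseList(setting) {
  return new Set(
    setting
      .split(",")
      .map((e) => e.trim().toLowerCase().replace(/^\./, ""))
      .filter(Boolean)
  );
}

// Extension that decides how the file is opened: the text after the LAST
// dot. Trailing dots and spaces are dropped first because Windows strips
// them when the file is saved. Returns "" when the name has no dot.
function effectiveExtension(fileName) {
  const name = fileName.trim().replace(/[. ]+$/, "");
  const dot = name.lastIndexOf(".");
  return dot < 0 ? "" : name.slice(dot + 1).toLowerCase();
}

// True when the attachment's effective extension is on the list.
function shouldWarn(fileName, listSetting) {
  return parseList(listSetting).has(effectiveExtension(fileName));
}

// Report both the extracted extension and the match result, which makes a
// mistyped list entry visible when a warning does not appear.
function diagnose(fileName, listSetting) {
  const ext = effectiveExtension(fileName);
  return { ext, listed: parseList(listSetting).has(ext) };
}

console.log(diagnose("somefilename.pdf.xlsx", REPORTED_WARN_LIST));
console.log(diagnose("somefilename.pdf.xlsx", REPORTED_WARN_LIST + ",XLSX"));
```
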
we like the idea to use this extension (we mostly use Outlook but a lot of users use also Thunderbird.) In Outlook a lot of attachments are blocked and we want to have this same behaviour in Thunderbird. Natively there is no way and so we found WarnAttachment. But the question is how to avoid that users can self configure the settings in WarnAttachment?
Any idea?
This is a serious security risk. Just receiving an email would trigger the exploit. Not sure this is the case with Thunderbird, but better safe than sorry.
Hi,
Wouldn't it be better if all attachments are blocked by default and only a list of specific extensions is allowed?
All extensions are blocked
List of extensions allowed with a warning: ZIP, DOC, XLS
List of extensions allowed without any warning: PDF, jpg, txt
This would minimize the risk of unknown dangerous extensions. For example, at the moment the extension ISO is missing in the default list of blocked extensions. Windows 10 automatically mounts this file and may cause damage to the system because of the autoplay function. And who knows every existing extension that may cause a problem.
Best regards
Georg
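The default-deny scheme proposed above, as an added example (not WarnAttachment's code; function names are hypothetical). It uses the two lists from the proposal and blocks everything else, including ISO and names with no extension.

```javascript
// Added example of the proposed default-deny policy; not project code.
// The two lists are the ones given in the proposal above.
const POLICY = { warn: ["ZIP", "DOC", "XLS"], allow: ["PDF", "jpg", "txt"] };

const SEVERITY = { allow: 0, warn: 1, block: 2 };

// Lower-case, dot-less set for case-insensitive matching.
function toSet(list) {
  return new Set(list.map((e) => e.trim().toLowerCase().replace(/^\./, "")));
}

// Text after the last dot, or "" when the name has no dot.
function extOf(fileName) {
  const name = fileName.trim();
  const dot = name.lastIndexOf(".");
  return dot < 0 ? "" : name.slice(dot + 1).toLowerCase();
}

// Verdict for one attachment. Anything not explicitly listed is blocked,
// including names without an extension. If an extension appears in both
// lists, the stricter "warn" wins.
function classify(fileName, policy = POLICY) {
  const ext = extOf(fileName);
  if (ext === "") return "block";
  if (toSet(policy.warn).has(ext)) return "warn";
  if (toSet(policy.allow).has(ext)) return "allow";
  return "block";
}

// Verdict for a whole message: the strictest attachment verdict applies.
function classifyMessage(fileNames, policy = POLICY) {
  return fileNames
    .map((n) => classify(n, policy))
    .reduce((worst, v) => (SEVERITY[v] > SEVERITY[worst] ? v : worst), "allow");
}

console.log(classify("image.iso"), classify("Report.PDF"), classify("a.zip"));
```
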
Use an API popup window using the original API as follows:
let w = await browser.windows.create({
  height: 200,
  width: 300,
  url: "popup.html",
  type: 'popup'
});
and use browser.runtime.messaging for informing a listener on user action and await the response in the main thread.