jdede / warnattachment Goto Github PK

Also check TNEF encoded attachments for example decoded with LookOut!

Sadly your addon isn't compatible with latest Thunderbird

Hello i was trying to implement a new function of the plugin but i can't do it. I want to check, before sending a message, if there are any attachments and if so check if all attachments have an .asc or .gpg extension or any (because the options), and if any of them do not have one of these two extensions to display a warning to the user such as "Warning: the following attachments appear to be unencrypted. Are you sure you want to continue (SEND / CANCEL)". If the files have all of these extensions or if there are no attachments, there is no need to display a popup. Could you do it or show me how can i do it? Thank you!!

Hi there developer folks,

I was very happy to see warnattachment 2.1 show up for thunderbird. Just dicovered some nasty stuff with it? Tested on 64bit Thunderbird 78.5.0 (windows) but also had some other 75.8.0 32bit on windows as well.

Situation:

sending very simple e.g. text-only mail, to myself, pop3 or imap account inside TB.

1. write simple mail to yourself

2. receive mail with TB and WA (2.1) addon installed

3. forward this email as attachment (.eml file being created in attachment area) to yourself again

4. receive email again via pop3/imap

5. open this email with an email embedded as attachment/.eml inside

6. click onto the .eml in the attachment area in the gui, or the email icon in the attachment area

7. this brings up the forwarded attached email in a new TB window. so far so good.

8. close this window again

9. try to work and use your TB again, for example just try to re-open this .eml/attached email object again

10. result: nothing happens ever again after this step 9, regarding attachment functions.

meaning: i can not make the .eml/forwarded email attached to open again
I also can not open any other type of attachments ever again after this step, so for example my other emails with e.g. say very simple stuff .pdf attached in them. I can not double click on those PDF attachments, I can not rightclick on the .pdf attachment there and make it appear/show/start the default PDF app etc..

only the very first attachment type of handling event seems to work in TB from now on.

Shutting down TB and restarting it, brings back functionality, for attachments, but exactly only for ONE attachment/event after that again.

Every second and follwing attempt to work/read/open/execute attachment objects apparently leads to no event being executed.

Its not that the TB gui is being blocked or hanging or anything. TB gui seems to be fine. Also no pending notification or popups are being seen, or no modal dialog boxes are blocking anything.

As far as I can tell.

Something is becoming stuck or blocked or something after the very first attachment event. I can tell for sure this happens when you start with .eml/attached-mails type of attachments. Thats how some friends of mine reported back to me today that TB was broken or something was seriously wrong.

When simple disabling WA inside the addons-area (blue lever) the functionality returns.

Also .eml attachment are obviously NOT inside any warned or blocked attachment type in WA settings. Nor are e.g. PDF or anything.

Its about completely unblocked, unwarned attachment types.

Thats at least as far as I can tell in this bugreport.
Please look into this quickly if possible. Thank you!

It would be awesome if this attachment would run on TB 91. For me it shows as incompatible on the Add-ons for Thunderbird page ("Works with Thunderbird 68.0 - 89.0").

This article mentions various potentially dangerous suffixes. Some of these might be worth adding:

.exe, .msi, .msp, .com, .gadget, .cmd, .vbe, .jse, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .lnk, .inf, .scf, .hta, .html, .htm, .js, .jar, .vbs, .vb, .sfx, .bat, .dll, .tmp, .py, .shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peta, .moka, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora, .reig, .tirp, .plam, .cosd, .ygkz, .cadq, .ribd, .qlkm, .coos, .wbxd, .pola

While testing your extention I noticed that trying to open a blocked file is prevented, saving the same file works.
Now I have a couple of pc's where I don't want any possibilties to open specific files.

Is there any chance this finds its way into your extention?

Thanks a lot and greetings
troillius

Hello developer team,

any chance of any speedy support for Thunderbird 78.x new extensions and addons mechanism, maybe called webextensions or whatnot. Unfortunately Mozilla keeps up bumping and changing APIs and structures too often and making a lot of experiments.

Any infos on 78+ compat and eta? Really appreciate this addon and piece of software for Thunderbird. For the noobs and masses this is really a security measure and a last line of defence.

Thanks again!

Tested the add-on with the current beta (115) and it seems not to work: No messages are shown. Maybe we have to get rid of the experiment.
Maybe @arai-a can check or has more information what has to be done?

There seem to be policy templates available e.g. at:

https://github.com/thundernest/policy-templates

Does anyone have experience with deploying WarnAttachment using policy templates? I would like to set the block/warn lists too.

Move the access to the attachment opener from the experiment to the main API. Steps suggested by John Bieling:

1. create a bug in bugzilla to announce the new API and be able to track it
2. announce it on topicbox, so the broader add-on developer community can respond and work together on the API description (for collaboration it is useful to create a google doc and link that to the topicbox thread)
3. After having discussed the API on topicbox and you got feedback that it will be beneficial to include it Thunderbird, attach a patch to your bugzilla bug

I stumbled across a situation in which the addon fails to detect the extension listed in warn list.

Namely, I received an email with the attachment file name in the following form "somefilename.pdf.xlsx". Per the settings, the file extension on which I should be getting warning covers XLSX, but not PDF. Here is a warn list from the settings: "DOC,DOCX,DOCM,PPT,PPTM,XLS,XLSM,XSLX,PPS,PPSM,HTML,HTM". The version I am running is 2.10.

I do not know how, but it looks like the code is missing to identify the extension due to the multiple dots in the file name formating. The code does look fine since it is addressing lastIndexOf.

let ext = attName.substring(attName.lastIndexOf(".")).toLowerCase();

Just an tought (altrough I do not work with JS), maybe using split instead of lastIndexOf or lastIndexOf(".")+1 could resolve the problem:

  // get the current file extension
  let attName = o.displayName ? o.displayName : o.name;
  var extArray = attName.split(".").toLowerCase();
  let ext = extArray.[extArray.length - 1];

we like the idea to use this extension (we mostly use Outlook but a lot of users use also Thunderbird.) In Outlook a lot of attachments are blocked and we want to have this same behaviour in Thunderbird. Natively there is no way and so we found WarnAttachment. But the question is how to avoid that users can self configure the settings in WarnAttachment?

Any idea?

Ref. https://arstechnica.com/information-technology/2021/09/unpatched-macos-vulnerability-lets-remote-attackers-execute-code/

This is a serious security risk. Just receiving an email would trigger the exploit. Not sure this is the case with Thuderbird, but better safe than sorry.

Hi,

wouldn't it be better if all attachment are blocked by default and only a list of specific extensions are allowed?

All extensions are blocked

List of extensions are allowed with a warning
ZIP, DOC, XLS

List of extensions are allowed without any warning
PDF, jpg, txt

This would minimize the risk of unknown dangerous extensions. For example, at the moment the extension ISO is missing in the default list of blocked extensions. Windows 10 mount automatically this file and may cause damage to the system because of auto play function. And who knows every existing extension that may be cause a problem.

Best regards

Georg

Use an API popup window using the original API as follows:

let w = await browser.windows.create({
          height: 200,
          width:300,
          url:popup.html,
          type: 'popup'
});

and use browser.runtime.messaging for informing a listener on user action and await the response in the main thread.