Block HTML for unsigned S/MIME messages
* src/mail.cpp (Mail::set_block_status): New. Sets a MAPI prop to disable automatic HTML external references. (Mail::set_block_html): New. HTML content should be blocked. (Mail::parsing_done): check for block html. (Mail::update_body): Block HTML if necessary. * src/parsecontroller.cpp (ParseController::shouldBlockHtml): New. (is_valid_chksum): Check that the sig is valid even if it is untrusted. * src/mymapitags.h (PR_BLOCK_STATUS): New. * src/oomhelp.h (PR_BLOCK_STATUS_DASL): New.
This blocks HTML display in unsigned S/MIME Mails to avoid
attacks that rely on HTML side channels. If there is
no text/plain part it will show the unparsed HTML. Trying
to parse it with Outlook and then inserting at as plain text
left the references intact and appears to be too risky.
- GnuPG-Bug-Id: T3986