Home GnuPG
Diffusion GpgOL dd3ff8397aaf

Extend protection against plaintext syncs


Extend protection against plaintext syncs

* src/mail.cpp (Mail::decryptVerify_o): Invoke the
save independet of message class and extend it to MAPI.
* src/mailitem-events.cpp (WriteCancelIgnored): New event

This fix is for an issue that we do not really have a tracker
ID for because it is unreliable to reproduce and as such
hard to describe. In a specific configuration which we do
not know exactly why but were able to reproduce it could
happen that after reading a mail the write back was not
properly cancled and wrote the plaintext back to the server.

In those instances we always saw the Event 0xFC99 see my comment
about it:
/* This event ID is completely undocumented, neither in Outlook Spy

nor in MSDN. I just observed that this ID was sent when we cancelled
a write event but the write was still done and we would have come
into the after write event. So we handle this like a close which
then loses the changes and we see no AfterWrite afterwards. This
is a safeguard against plaintext leak. But this event could
mean something different altogether. */

But if we just prevented that then even the change to the unread
status was not synced on the server. This seems to be so baked
into MAPI and only read from the OOM Model that a save in OOM which
we previously did in decryptVerify was not enough, we needed to
change it in MAPI directly.

This has the nice side effect that changing categories and flags
on unopened mails now works reliably as we trigger a sync back of
thsese changes before we modify the mail. That way there is no
chance that these changes are discarded by our usual closing

So this at least lowers the priority again of:


aheineckeAuthored on May 15 2023, 10:36 AM
rO81cc281aa8d4: Silence a new compiler warning
T4127: GpgOL: Setting category or flagging crypto mails is not possible