schleuder issues
https://0xacab.org/schleuder/schleuder/-/issues
Updated: 2017-05-21T10:12:47Z

Issue: https://0xacab.org/schleuder/schleuder/-/issues/202
Title: Update changelog for 3.1
Updated: 2017-05-21T10:12:47Z
Author: georg
Milestone: 3.1
Assignee: georg

Issue: https://0xacab.org/schleuder/schleuder/-/issues/193
Title: Mailvelope displays mime-structure instead of parsed content
Updated: 2018-01-20T14:36:36Z
Author: rugk

Follow-up of https://0xacab.org/schleuder/schleuder/issues/185
Part of mail I sent to schleuder@nadir.org:
I am using Mailvelope v1.7.2 in Firefox 53.0.2 for en/decryption. And it is usually working.
But the mail I got from schleuder actually included the mail headers in the (encrypted) mail content and even my attachment was displayed Base64-encoded.
Full content here: https://privatebin.net/?134b2fd1b1061df8#ijtlDIfOU5MuVPLgEagci8jl6cUQjjuWF0evHDFMTmg=

Milestone: 3.1

Issue: https://0xacab.org/schleuder/schleuder/-/issues/191
Title: Also show text if key wasn't imported because it didn't change
Updated: 2017-05-21T08:22:40Z
Author: paz

Currently at least `fetch_key()` returns an empty string, which results
in the user getting a "there was no output"-answer.

Milestone: 3.1
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/189
Title: Set up group labels, remove project labels
Updated: 2017-05-16T06:28:45Z
Author: georg

It's quite cumbersome to do the same work for multiple projects. As we're using at least some of the labels in every project, let's switch to group-wide labels, and remove the per-project ones.

Milestone: 3.1
Assignee: georg

Issue: https://0xacab.org/schleuder/schleuder/-/issues/187
Title: Force encoding of gpg-cli-output
Updated: 2017-05-15T14:10:17Z
Author: paz

Currently, importing keys with (higher) UTF-8 characters results in an "invalid byte sequence in US-ASCII"-error from Ruby from grepping the `gpgoutput` of `Ctx::gpgcli()`. Apparently `readlines` defaults to US-ASCII?

Milestone: 3.1
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/186
Title: Strip empty lines from output of `keys update`
Updated: 2017-05-12T08:35:40Z
Author: paz

Somehow the last fix made it so the output now contains a lot of empty
lines (probably one per handled key). It looks e.g. like this:
```
Refreshing all keys from the keyring of list listname@hostname resulted in this:
Key 0123456789DEADBEEF0123456789DEADBEEF0123 was updated (new signatures, new subkeys).
```

Milestone: 3.1
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/176
Title: Improve handling of automated messages
Updated: 2017-05-21T08:22:40Z
Author: paz

Currently all automated messages (e.g. Mailman's infamous monthly
subscription-reminders) are being sent to the admins with subject
"Bounced messages".
That's a little misleading. We either should reword the subject and
introductory paragraph, or refine the detection and tell "legitimate"
automated messages from actual bounces.

Milestone: 3.1
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/42
Title: Allow fingerprints to be written with spaces
Updated: 2018-06-25T19:19:46Z
Author: paz

Most tools output a fingerprint separated into groups. We should support reading a fingerprint in that format.
See also schleuder/schleuder#39

Milestone: 3.1
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/535
Title: keywords in the middle of messages get stripped
Updated: 2024-03-15T08:02:56Z
Author: dkg

Sometimes, a user of a schleuder list might send instructions about how to control a schleuder list in a message that went to the list itself.
If the instructions include keywords, those keywords are stripped before re-sending, even if those keywords are not at the top of the message.
Using schleuder 4.0.3-7 (as packaged in debian stable, version 12.5), i sent the following message to a schleuder list:
```
Please ignore this message, i am trying to debug a possible schleuder
bug.
Here is a schleuder keyword command in the middle of the message text:
X-LIST-NAME: foo@example.org
X-ATTACH-LIST-KEY:
-----BEGIN PGP PUBLIC KEY BLOCK-----
nothing to see here.
And here is some followup text.
--dkg
```
The signed, encrypted version of the message that came back from the list had the expected spliced metadata part:
```
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: [REDACTED SCHLEUDER LIST ADDRESS]
Cc:
Date: Mon, 11 Mar 2024 15:08:50 -0400
Sig: Good signature from BB7E9101495E6BF7 Daniel Kahn Gillmor
Enc: Encrypted
------------------------------------------------------------------------------
```
and the rest of the body said:
```
Please ignore this message, i am trying to debug a possible schleuder
bug.
Here is a schleuder keyword command in the middle of the message text:
nothing to see here.
And here is some followup text.
--dkg
```
It seems to me that keywords that are not at the beginning of the message should be ignored, not stripped.

Milestone: 5.0.0
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/530
Title: Insufficient sanitation of emailed requests
Updated: 2024-02-14T11:27:26Z
Author: Andrew Gallagher

I use Apple Mail, which has the unfortunate habit of expanding "user@example.com" to "user@example.com <user@example.com>", even in "plain text" mode. This means that when trying to subscribe a non-admin user to a list via the -request interface, the body gets mangled to:
```
x-subscribe: user@example.com <user@example.com> DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
```
This is apparently being parsed as:
```
x-subscribe: user@example.com NULL TRUE
```
because it subscribes the user without a fingerprint and sets them to an admin:
```
user@example.com has been subscribed with these attributes:
Fingerprint:
Admin? true
Email-delivery enabled? true
```
This is dangerous behaviour. Unexpected input should always throw an error, especially where admin permissions are being assigned.

Milestone: 5.0.0
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/526
Title: Schleuder throws a traceback if told to import a key, but a key can't be found
Updated: 2024-01-09T08:56:04Z
Author: georg

Super admins receive the following error via mail if a user tries to import a key via a request mail with `x-add-key`, but no key:
```
undefined method `compact' for "Your message did not contain any attachments nor text content. Therefore no key could be imported.":String
import_stati = results.compact.collect(&:imports).flatten
^^^^^^^^
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers/key_management.rb:21:in `add_key'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:67:in `run_handler'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:34:in `block in run'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:32:in `map'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:32:in `run'
/usr/lib/ruby/vendor_ruby/schleuder/filters/post_decryption/10_request.rb:16:in `request'
/usr/lib/ruby/vendor_ruby/schleuder/filters_runner.rb:14:in `block in run'
/usr/lib/ruby/vendor_ruby/schleuder/filters_runner.rb:12:in `map'
/usr/lib/ruby/vendor_ruby/schleuder/filters_runner.rb:12:in `run'
/usr/lib/ruby/vendor_ruby/schleuder/runner.rb:127:in `run_filters'
/usr/lib/ruby/vendor_ruby/schleuder/runner.rb:56:in `run'
/usr/lib/ruby/vendor_ruby/schleuder/cli.rb:38:in `work'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'
/usr/bin/schleuder:13:in `<main>'
```
Schleuder version: `4.0.3`

Milestone: 5.0.0
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/525
Title: Fix importing keys from encoded attachments
Updated: 2023-11-14T08:54:32Z
Author: paz

Currently importing keys from some forms of encoded attachments (e.g. sent by Thunderbird) fails.
This is due to the change from 7ff1160a4cd090e38ffd6d49ee27531132cc52f4.
Interestingly, the test-case newly added by that commit, also is green without the change to `key_management.rb`.
@georg Do you have any memory why you changed `key_management.rb` the way you did?

Milestone: 5.0.0
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/523
Title: HTML mail leakage when the `text/html` part is not a direct child of the `multipart/alternative`
Updated: 2023-10-23T21:36:38Z
Author: snip

Hello!
I think I've encountered a problem in Schleuder 3.4.0 (which is probably still present in the later versions as well), in which the HTML part of an email containing keywords will not be removed if the `text/html` part is not a direct child of the main `multipart/alternative` container.
## Steps to Reproduce the Problem
1. Compose a new email (I used Thunderbird 102, but other email clients might work as well).
2. Add Schleuder keywords (such as an `x-resend` keyword).
3. In the body of the email, insert an image.
4. Send the encrypted, signed email to the Schleuder address.
Note: Since the HTML part should be stripped anyway, I agree that there is not much point including an image in the email in the first place. However, I think there are real-life situations where this could happen: for instance, when quoting / replying to an email which already has embedded images, the email client will automatically include these images in the new message, and the user may just leave them as is. (Actually, this is how I've stumbled upon this problem.)
## Expected Behavior
One would expect the HTML part to be stripped from the email resent by Schleuder, since #399 was fixed thanks to !255.
## Actual Behavior
The HTML part will be left untouched by Schleuder and resent as is. In particular, it will leak the keywords.
## Specifications
- Version: 3.4.0 (it seems to me that the problem is present in the 4.* branch as well, but I wasn't able to test)
- Installation method (package, gem...): unknown
- Mail client version: Thunderbird 102.3.0
## Other information
It seems to me that this is due to the fact that Schleuder will only remove the `text/html` part if it is directly contained in the top-level `multipart/alternative` container, according to the [`strip_html_from_alternative_if_keywords_present` filter](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/schleuder/schleuder/-/blob/schleuder-3.4.0/lib/schleuder/filters/post_decryption/90_strip_html_from_alternative_if_keywords_present.rb#L11-13). For instance, the filter will work as expected if the email has the following structure:
```
multipart/alternative
|- text/plain
'- text/html
```
However, if there is an image embedded with the HTML part, then Thunderbird (and probably other email clients) will first bundle the HTML part and the image together in a `multipart/related` part, then add this part to the `multipart/alternative`:
```
multipart/alternative
|- text/plain
'- multipart/related
   |- text/html
   '- image/jpeg
```
From what I could understand from the code of the `strip_html_from_alternative_if_keywords_present` filter, it seems to me that Schleuder will not find and remove the `text/html` part because it is not in the `mail.parts` array.
Maybe a possible fix would be to recurse down the tree of parts instead of just looking at the direct children of the root `multipart/alternative` container? Unfortunately, I'm not fluent enough in Ruby to be able to investigate this issue further.
In any case, I hope that this report will help!
Thank you very much for all the work on this great tool! :)
Cheers!\
snip

Milestone: 5.0.0

Issue: https://0xacab.org/schleuder/schleuder/-/issues/520
Title: Stop providing a default SKS keyserver
Updated: 2023-11-14T08:55:30Z
Author: paz

I propose to not provide a default config setting for `Conf.sks_keyserver` anymore.
The old SKS keyservers are mostly dead, `keyserver.ubuntu.com` appears to be the only public SKS keyserver left. We shouldn't encourage to use them anymore.
But `keys.mailvelope.com` (validates uploaded email addresses) provides its keys via SKS-like URLs (besides its own API, which I don't want to implement), and people might want to use non-public SKS keyservers, too. Therefore I do not propose to remove handling SKS-keyservers completely.

Milestone: 5.0.0
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/519
Title: `list.send_list_key_to_subscriptions` fails if `deliver_selfsent` is set to false
Updated: 2022-09-13T14:49:52Z
Author: fleish

I recently changed my list defaults to set deliver_selfsent to false to avoid having messages reflected back to senders who are also subscribers. The next time I tried to create a list using schleuder-cli, I was unable to use the send-list-key-to-subscriptions command to send myself the list's key. Temporarily setting deliver_selfsent to true resolved this issue. Debug logs attached for attempting to call send-list-key-to-subscriptions both times. Somewhat ironically, the 2 errors generated were successfully sent to me as the list admin (and only subscriber) via signed+encrypted mail to the same address.
[list.log.send-list-key-to-subscriptions_selfsent.false.txt](/uploads/f1c51b2f18213f4b36f7cb290b3e0468/list.log.send-list-key-to-subscriptions_selfsent.false.txt)
[list.log.send-list-key-to-subscriptions_selfsent.true.txt](/uploads/1fbf4e90ba20d02f65600fb206831b1f/list.log.send-list-key-to-subscriptions_selfsent.true.txt)

Milestone: 5.0.0
Assignee: paz

Issue: https://0xacab.org/schleuder/schleuder/-/issues/518
Title: Upgrade Active Record to 7.0.4
Updated: 2022-09-13T14:52:14Z
Author: Nina
Milestone: 5.0.0
Assignee: Nina

Issue: https://0xacab.org/schleuder/schleuder/-/issues/514
Title: CI: extend to catch specs which rely on hardcoded key expiry dates
Updated: 2022-04-12T19:37:10Z
Author: georg

Hardcoded key expiry dates make the Schleuder build fail during reproducible builds. Instead of fixing such code after it has been introduced, it might be more clever to catch it upfront.
Ref #268
Ref #513

Milestone: 4.0.3
Assignee: georg

Issue: https://0xacab.org/schleuder/schleuder/-/issues/513
Title: specs: unit: keyword_handlers/key_management: expected, hardcoded key expiry dates makes Schleuder build unreproducible
Updated: 2022-04-13T10:59:12Z
Author: georg

Source: https://tests.reproducible-builds.org/debian/rbuild/unstable/amd64/schleuder_4.0.2-1.rbuild.log.gz
```
Failures:
1) Schleuder::KeywordHandlers::KeyManagement.delete_key deletes multiple keys that each distinctly match one argument
Failure/Error: expect(output).to eql("This key was deleted:\n0xC4D60F8833789C7CAA44496FD3FFA6613AB10ECE schleuder2@example.org 2016-12-12\n\n\nThis key was deleted:\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-20]\n")
expected: "This key was deleted:\n0xC4D60F8833789C7CAA44496FD3FFA6613AB10ECE schleuder2@example.org 2016-12-12\...was deleted:\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-20]\n"
got: "This key was deleted:\n0xC4D60F8833789C7CAA44496FD3FFA6613AB10ECE schleuder2@example.org 2016-12-12\...was deleted:\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-19]\n"
(compared using eql?)
Diff:
@@ -3,5 +3,5 @@
This key was deleted:
-0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-20]
+0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-19]
# ./spec/schleuder/unit/keyword_handlers/key_management_spec.rb:173:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
2) Schleuder::KeywordHandlers::KeyManagement.add_key updates a key
Failure/Error: expect(output).to eql("This key was updated:\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-20]\n")
expected: "This key was updated:\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-20]\n"
got: "This key was updated:\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-19]\n"
(compared using eql?)
Diff:
@@ -1,3 +1,3 @@
This key was updated:
-0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-20]
+0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo 2010-08-13 [expired: 2017-01-19]
# ./spec/schleuder/unit/keyword_handlers/key_management_spec.rb:129:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
```
Ref #268
Ref !118

Milestone: 4.0.3
Assignee: georg

Issue: https://0xacab.org/schleuder/schleuder/-/issues/512
Title: CI: changelog job: fails on non-fast-forward changes of the target branch
Updated: 2022-04-04T09:16:36Z
Author: georg

Example of a problematic job: https://0xacab.org/schleuder/schleuder/-/jobs/262083
```
$ git fetch --depth=1 https://0xacab.org/schleuder/schleuder.git/ $CI_MERGE_REQUEST_TARGET_BRANCH_NAME:$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
From https://0xacab.org/schleuder/schleuder
! [rejected] main -> main (non-fast-forward)
```

Milestone: 4.0.3
Assignee: georg

Issue: https://0xacab.org/schleuder/schleuder/-/issues/511
Title: Test with Ruby 3.1
Updated: 2022-04-16T22:00:49Z
Author: paz

Depends on schleuder/schleuder-ci-images#1

Milestone: 5.0.0