Bug 724270 - Positioned elements in HTML emails can escape email body
Status: RESOLVED OBSOLETE
Product: geary
Classification: Other
Component: conversations
Version: unspecified
Hardware: Other Linux
Importance: Normal minor
Target Milestone: 0.12.0
Assigned To: Geary Maintainers
QA Contact: Geary Maintainers
Depends on: 765516
Blocks:
 
 
Reported: 2014-02-13 05:46 UTC by Robert Schroll
Modified: 2017-01-11 06:18 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Position div.body (742 bytes, patch)
2014-02-13 05:47 UTC, Robert Schroll

Description Robert Schroll 2014-02-13 05:46:55 UTC
We insert HTML from HTML emails into the conversation viewer.  If this contains positioned HTML elements, they could escape from the div.body of the email.  I've never seen this happen, and I suspect few emails actually try to use positioning in the first place.  Nonetheless, this is a potential attack vector -- you could try to position elements over top of our chrome, to some nefarious end.

I see two variants of this.  The first is with absolute positioning, which works relative to the nearest positioned container.  Right now, that's the body element, but we can make div.body positioned easily enough.  (See attached patch.)  Existing overflow statements prevent negative values from making elements visible outside of the div.body.

The second is using fixed positioning, which works relative to the viewport.  As far as I know, you can't trap fixed positioning inside anything other than an iframe.  I have trouble believing this would be used in normal emails, but it would be convenient for attackers.
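One way to handle the second variant described above, as an added example that is not part of the original report and is not Geary's code: rewrite `position: fixed` in inline styles to `position: absolute`, so the element falls back under the positioned div.body and its overflow rules from the first variant. The function names and sample HTML are constructed for illustration, and only inline `style` attributes are covered.

```javascript
// Added example (not Geary code): contain `position: fixed` from untrusted mail HTML.
// Scope: inline style attributes only; <style> blocks need the same treatment.
const STYLE_ATTR = /\bstyle\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

// Rewrite one declaration list. Returns the safe CSS and what was done to it.
function rewriteStyle(css) {
  // Character references (&#102;ixed) and CSS escapes (\66 ixed) hide keywords
  // from text matching, so any style using them is dropped (fail closed).
  if (/[&\\]/.test(css)) return { css: "", action: "dropped" };
  // A comment acts as a token separator: position:/**/fixed is still valid CSS.
  const plain = css.replace(/\/\*[\s\S]*?\*\//g, " ");
  let action = "kept";
  const decls = plain.split(";").map((decl) => {
    const m = /^(\s*position\s*:\s*)fixed\b([\s\S]*)$/i.exec(decl);
    if (!m) return decl;
    action = "rewritten";
    return `${m[1]}absolute${m[2]}`; // now relative to the positioned div.body
  });
  return { css: decls.join(";"), action };
}

// Apply rewriteStyle to every style attribute in an HTML fragment.
// Over-matching (e.g. data-style=) is harmless; under-matching is the risk.
function containFixed(html) {
  const findings = [];
  const out = html.replace(STYLE_ATTR, (whole, raw) => {
    const value = /^["']/.test(raw) ? raw.slice(1, -1) : raw;
    const { css, action } = rewriteStyle(value);
    if (action === "kept") return whole;
    findings.push({ action, original: value });
    return `style="${css.replace(/"/g, "&quot;")}"`;
  });
  return { html: out, findings };
}

// Constructed sample message fragments.
const SAMPLES = [
  '<div style="position: FIXED; top: 0; left: 0">banner</div>',
  "<p style='color: red; position:/* x */fixed !important'>hi</p>",
  '<span style="position:&#102;ixed">x</span>',
  '<b style="position: absolute; top: -50px">ok</b>',
];
for (const s of SAMPLES) console.log(containFixed(s));
```

Text matching on raw markup is an illustration of the idea; a production sanitizer would apply the same rule to a parsed DOM and parsed CSS.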
Comment 1 Robert Schroll 2014-02-13 05:47:29 UTC
Created attachment 268986
Position div.body
Comment 2 Jim Nelson 2014-02-13 23:02:05 UTC
Pushed to master, commit 0ce9068
Comment 3 Robert Schroll 2014-02-14 06:38:54 UTC
The patch only solved the first problem; fixed-positioned elements can still escape the div.body.  I've reopened the bug, but reduced the importance, since I've never actually seen this problem.  Hope this is okay.
Comment 4 Jim Nelson 2014-02-14 19:09:58 UTC
Yes, that's okay, in fact, helpful.
Comment 5 Michael Gratton 2017-01-11 06:18:58 UTC
This was obsoleted by Bug 765516 in the end.