GitLab

There's been "something" at Freenode. I don't neccessarily understand
all the details, but when Gentoo announced a channel takeover, that's
enough for me to get going.

Change-Id: I19075916a1bb58409b1544ee95b656e1a1366a2a

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

Change-Id: I0ce5ff9664f6c276cee30621d64715fb0b032b07

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

The code tried to be smart when reading the user-provided CSS from the
disk, only re-interpreting it if the file's timestamp changed. I think
it's probably not critical to optimize that, but that commit
(af2c4f34) was still correct.

Stuff changed when I did 5d3696a6, ddbbcf05. With these commits and
when using a user-provided CSS, the message viewer would no longer use
correct colors for the quote indicator because that call to
QString::arg() for replacing the %1 and %2 placeholders was undone by
reinitialization of that variable from the defaultStylesheet.

Fix this by simplifying the logic at the cost of some extra disk IO.
Hey, we're invoking a full blown HTML viewer, let's not optimize stuff
that's not in a hotspot.

Change-Id: Ic399b49c9f6f73fb3da9bff04ddb0d7646e317cf

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

Change-Id: I411cb5a369a6b2a00fac4c1bbbafefd1ec3166ca

Thanks to Jens Mueller (Ruhr-Uni Bochum and FH Münster) for reporting
this. The gist is that an attacker can embed arbitrary ciphertext into
their messages. Trojita decrypts that, and when we hit reply, the
original *cleartext* gets quoted and put into a reply for the attacker
to see.

Fix this by not quoting any plaintext which originated in an encrypted
message. That's pretty draconian, but hey, it works and we never came up
with any better patch. Also, given that Trojita does not encrypt
outgoing messages yet, this is probably also a conservative thing to do.

Change-Id: I84c45b9e707eb7c99eb7183c6ef59ef41cd62c43
CVE: CVE-2019-10734
BUG: 404697

Change-Id: I8e99072a998e5630806ff2877329d1b0c36297ec

Nobody was maintaining the binary builds anymore so I removed the
project from OBS. The nightly builds for Windows appear to be
unavailable for quite some time as well. Add a note saying that the
prebuilt binaries are no longer available. OBS, thanks for the fish.
Discussed with jkt.

Change-Id: Ie152d9f1d32fe5ad7b1a1f160e6b7f76b680966f

This fixes a CVE-2020-15047 (category: CWE-295). Since commit 0083eea5
which added initial, experimental support for SMTP message submission,
we have apparently never implemented proper SSL/TLS error handling, and
the code has ever since just kept silently ignoring any certificate
verification errors.  As a result, Trojita was susceptible to a MITM
attack when sending e-mails. The information leaked include user's
authentication details, including the password, and the content of sent
messages.

Sorry for this :(.

Now, this patch re-enabes proper TLS error handling. It was not possible
to directly re-use our code for TLS key pinning which we are using for
IMAP connections. In the Qt TLS code, the decision to accept or not
accept a TLS connection is a blocking one, so the IMAP code relies upon
the protocol state machine (i.e., another layer) for deciding whether to
use or not to use the just-established TLS connection. Implementing an
equivalent code in the SMTP library would be nice, but this hot-fix has
a priority. As a result, SMTP connections to hosts with, e.g.,
self-signed TLS certs, are no longer possible. Let's hope that this is
not a practical problem with Lets Encrypt anymore.

Thanks to Damian Poddebniak for reporting this bug.

Change-Id: Icd6bbb2b0fb3e45159fc9699ebd07ab84262fe37
CVE: CVE-2020-15047
BUG: 423453

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

Use QCommandLineParser for that. A couple of behavior changes:
 * Profile names starting with a '-' are now allowed.
 * Specifying an URL that doesn't start with "mailto:" is now an
   error.
 * The feature to activate debug traffic logging to disk may now be
   enabled by specifying -l in addition to --log-to-disk.
 * Specifying -p multiple times is not an error anymore; the value
   specified last is used.

As a result of using a real command line argument parser, we may now
combine arguments when invoking trojita, e.g. trojita -lp work.

While there, slightly reword some text.

Change-Id: Ic97470837b530ed60e54f513eb4b834a3a6a4f39

Change-Id: Ie28d484825fc0f4be962a8a98ed51b5d973219a1

QPainterPath is no longer included via qtransform.h (since
5.15.0-beta2, 50d2acdc93b4de2ba56eb67787e2bdcb21dd4bea in qtbase.git).

Change-Id: Ibb59e769bba8514d86aa886afee26a2395d458ef

Turns out we've been happily deleting network replies from the
QNetworkReply::finished(). That was never a good thing to do, but it did
not use to crash with older Qt. Now it does.

After changing to deleteLater(), there's a window for
already-deregistered replies to generate events, therefore the assert
has to go, too, otherwise Bad Things happen:

 (gdb) bt
 #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
 #1

  0x00007ffff16bdcd2 in __GI_abort () at abort.c:89
 #2  0x00007ffff2400bcb in qt_message_fatal (context=..., message=<synthetic pointer>...) at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/global/qlogging.cpp:1904
 #3  QMessageLogger::fatal (this=this@entry=0x7fffffffc990, msg=msg@entry=0x7ffff2690b10 "ASSERT: \"%s\" in file %s, line %d") at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/global/qlogging.cpp:888
 #4  0x00007ffff23fff7c in qt_assert (assertion=assertion@entry=0x5555558451d7 "reply", file=file@entry=0x555555841a38 "/home/jkt/work/prog/trojita/src/Imap/Network/FileDownloadManager.cpp", line=line@entry=142)
     at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/global/qglobal.cpp:3247
 #5  0x00005555555da840 in Imap::Network::FileDownloadManager::onPartDataTransfered (this=0x555556a20990)
 #6  0x00007ffff25f1bdf in QtPrivate::QSlotObjectBase::call (a=0x7fffffffcaa0, r=0x555556a20990, this=0x5555569f99c0) at ../../include/QtCore/../../../qtcore-5.13.9999/src/corelib/kernel/qobjectdefs_impl.h:394
 #7  QMetaObject::activate(QObject*, int, int, void**) () at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/kernel/qobject.cpp:3787
 #8  0x00007ffff25f20b7 in QMetaObject::activate (sender=sender@entry=0x555556a21370, m=m@entry=0x7ffff3f96b00 <QNetworkReply::staticMetaObject>, local_signal_index=local_signal_index@entry=1, argv=argv@entry=0x0)
     at /var/tmp/portage/dev-qt/qtcore-5.13.9999/work/qtcore-5.13.9999/src/corelib/kernel/qobject.cpp:3658
 #9  0x00007ffff3d3cbf3 in QNetworkReply::finished (this=this@entry=0x555556a21370) at .moc/moc_qnetworkreply.cpp:385
 #10 0x0000555555709485 in Imap::Network::MsgPartNetworkReply::slotMyDataChanged() () at /home/jkt/work/prog/trojita/src/Imap/Network/MsgPartNetworkReply.cpp:112

BUG: 417697
Reported-by: Stefan de Konink <stefan@konink.de>
Change-Id: I79f340c5a471430a14474472513d0a055c7238d6

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"

In case of conflict in i18n, keep the version of the branch "ours"
To resolve a particular conflict, "git checkout --ours path/to/file.desktop"