~sircmpwn/aerc

6 3

fedora deps: dante-utils

Yuri Kochnev <ikk6@pitt.edu>
Details
Message ID
<fa202b53add7b4618f064f6883c846d5770c5506.camel@pitt.edu>
DKIM signature
missing
Download raw message
Hello, aerc team!
Fedora 34 seems to be missing dante-utils package. Trying to display
html messages fails with the following:
/usr/share/aerc/filters/html: line 5: exec: socksify: not found
Any advice please?
Best regards,
Yuri
Details
Message ID
<CFEP78AVFO34.3RUS9QOQC6QJC@scmlaptop>
In-Reply-To
<fa202b53add7b4618f064f6883c846d5770c5506.camel@pitt.edu> (view parent)
DKIM signature
missing
Download raw message
On Mon 1 Nov, 2021 at 11:53 PDT, Yuri Kochnev wrote:
> Trying to display html messages fails with the following:
> /usr/share/aerc/filters/html: line 5: exec: socksify: not found

Socksify is a nice tool to prevent unwanted internet loads from HTML emails, but it's certainly not _required_.

You can copy /usr/share/aerc/filters/html to, say ~/.config/aerc/filters/html, remove socksify and SOCKS_SERVER from it (e.g. run w3m directly), and then tell aerc to use that filter instead (aerc.conf#filters).

---

Seán C McCord
ulexus@gmail.com
PGP/GPG: https://keys.openpgp.org/vks/v1/by-fingerprint/D9C871CCDEBD2C7A23D83041798DDA5251824DEA
Details
Message ID
<CFEQM1WDNBDX.WNSKVJG2YNDW@diabtop>
In-Reply-To
<fa202b53add7b4618f064f6883c846d5770c5506.camel@pitt.edu> (view parent)
DKIM signature
missing
Download raw message
Patch: +2 -3
Yuri Kochnev, Nov 01, 2021 at 19:53:
> Fedora 34 seems to be missing dante-utils package. Trying to display
> html messages fails with the following:
> /usr/share/aerc/filters/html: line 5: exec: socksify: not found
> Any advice please?

Hi Yuri,

The socksify command is not a hard requirement. You could add a Fedora
patch to remove it from the filter script.

diff --git a/filters/html b/filters/html
index db7808ac1cb4..99453715db6b 100755
--- a/filters/html
+++ b/filters/html
@@ -1,8 +1,7 @@
#!/bin/sh
# aerc filter which runs w3m using socksify (from the dante package) to prevent
# any phoning home by rendered emails
# aerc filter which runs w3m
export SOCKS_SERVER="127.0.0.1:1"
exec socksify w3m \
exec w3m \
       -T text/html \
       -cols $(tput cols) \
       -dump \

-- 
Robin
Alois Mahdal <netvor@vornet.cz>
Details
Message ID
<20220109225344.1489223f@singletop>
In-Reply-To
<CFEQM1WDNBDX.WNSKVJG2YNDW@diabtop> (view parent)
DKIM signature
missing
Download raw message
Hi,

I stumbled upon this as well.  I understand it's not required and one
could avoid it, but wouldn't that be a security risk?  I.e. wouldn't it
allow malicious HTML e-mails "call home"?

What would be alternative solution?

I don't know enough about networking; all I can think of for now is
running w3m in podman with networking disabled, but that's probably an
overkill..

Thanks,
aL.


-- 
Alois Mahdal <netvor@vornet.cz>
IRC (netvor at LiberaChat): #shellfu, #starapekarna
WWW: https://netvor.info/
Alois Mahdal <netvor@vornet.cz>
Details
Message ID
<20220110000246.77fe05b9@singletop>
In-Reply-To
<CFEQM1WDNBDX.WNSKVJG2YNDW@diabtop> (view parent)
DKIM signature
missing
Download raw message
> I don't know enough about networking; all I can think of for now is
> running w3m in podman with networking disabled, but that's probably an
> overkill..

For those crazy enough to want to try this, here's how I did it:

w3m.Dockerfile:

    FROM alpine
    RUN apk add w3m

Then run:

    IMG_ID=$(podman build -f w3m.Dockerfile .)
    podman tag "$IMG_ID" w3m

The filter script is then:

    #!/usr/bin/sh
    # aerc filter which runs w3m in container with network disabled
    exec podman run --network none -i --rm w3m:latest w3m \
        -T text/html \
        -cols "$(tput cols)" \
        -dump \
        -o display_image=false \
        -o display_link_number=true

but as I said, this is crazy overkill -- there's a noticeable lag
when opening the e-mail part.

Thanks,
aL.

PS: Sadly, for many multi-part messages, rendering html via
w3m gives better results than the text/plain provided by
sender.

-- 
Alois Mahdal <netvor@vornet.cz>
IRC (netvor at LiberaChat): #shellfu, #starapekarna
WWW: https://netvor.info/
Details
Message ID
<CH1V6AGFW1AA.3U0K4KKUYD63K@diabtop>
In-Reply-To
<20220109225344.1489223f@singletop> (view parent)
DKIM signature
missing
Download raw message
Hi Alois,

Alois Mahdal, Jan 09, 2022 at 22:53:
> I stumbled upon this as well.  I understand it's not required and one
> could avoid it, but wouldn't that be a security risk?  I.e. wouldn't it
> allow malicious HTML e-mails "call home"?

Not more than with graphic email clients that directly render HTML.

> What would be alternative solution?

For the record, I am using this instead of w3m:

[filters]
text/html=html2text --wrap-list-items --no-automatic-links --unicode-snob --reference-links --ignore-images --ignore-tables --mark-code

Source: https://github.com/Alir3z4/html2text

This is not a complete HTML engine and it is guaranteed not to perform
any network operations.

Maybe I should update the default html filter provided as an example and
remove any w3m+socksify voodoo. I would personally prefer not to add any
external dependency by default however. I'll have to think some more
about that.

> I don't know enough about networking; all I can think of for now is
> running w3m in podman with networking disabled, but that's probably an
> overkill..

Probably :D
Alois Mahdal <netvor@vornet.cz>
Details
Message ID
<CH1X7YOJNN5Z.15JDQZJO6WN8S@singletop.brq.redhat.com>
In-Reply-To
<CH1V6AGFW1AA.3U0K4KKUYD63K@diabtop> (view parent)
DKIM signature
missing
Download raw message
Hi Robin,

On Mon Jan 10, 2022 at 9:50 AM CET, Robin Jarry wrote:
> Hi Alois,
>
> Alois Mahdal, Jan 09, 2022 at 22:53:
> > I stumbled upon this as well.  I understand it's not required and one
> > could avoid it, but wouldn't that be a security risk?  I.e. wouldn't it
> > allow malicious HTML e-mails "call home"?
>
> Not more than with graphic email clients that directly render HTML.

Don't know about that.

For all I know, any other e-mail clients could be doing the same thing,
ie. calling (bundled) w3m or similar, just taking care of the
sanitization *somehow*... (This is where I inevitably sound naiive.)

I would love for aerc to do the best possible thing here, so that I can
recommend it as, among other things, the true "de-html-crapifier" it
deserves to be.


> > What would be alternative solution?
>
> For the record, I am using this instead of w3m:
>
> [filters]
> text/html=html2text --wrap-list-items --no-automatic-links
> --unicode-snob --reference-links --ignore-images --ignore-tables
> --mark-code
>
> Source: https://github.com/Alir3z4/html2text
>
> This is not a complete HTML engine and it is guaranteed not to perform
> any network operations.

Thanks, I will check this out.

I will be keeping eye on this and maybe send patch if I stumble upon
a trick like that.


> Maybe I should update the default html filter provided as an example and
> remove any w3m+socksify voodoo. I would personally prefer not to add any
> external dependency by default however. I'll have to think some more
> about that.

I'll see how html2text does.  So far I really like w3m.

You don't need to add the dependency, It's ok to just mention it in
the config doc.   (At least on Fedora, w3m is not a dependency on aerc
and that's perfectly fine.)


> > I don't know enough about networking; all I can think of for now is
> > running w3m in podman with networking disabled, but that's probably an
> > overkill..
>
> Probably :D

Yeah, I replaced a voodoo with a bigger voodoo :D

aL.
Reply to thread Export thread (mbox)