xdg-email changes break simple-scan email functionality

Bug #1909941 reported by Andy Juniper
This bug affects 4 people
Affects: xdg-utils (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Observed on 16.04 to 20.04
xdg-email no longer actions "-attach filename" arguments when running thunderbird following recent security fixes to protect against malicious use from browser ( https://security-tracker.debian.org/tracker/CVE-2020-27748 and https://ubuntu.com/security/CVE-2020-27748 )

This breaks simple-scan "send by email" functionality and other applications too.

https://gitlab.gnome.org/GNOME/simple-scan/-/issues/216
https://forums.linuxmint.com/viewtopic.php?f=208&t=336053
https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28 (see comments)

Nicholas Guriev (mymedia) wrote :

There is an old similar bug, #1540399, yet it is unclear how it relates to the current one.

Andy Juniper (q-linux) wrote :

This is different to the old bug. Prior to the recent change to xdg-email, simple scan "send by email" was working fine.

I think that the problem is because xdg-email assembles command line arguments such as -attach to form a mailto: URL and passes that to run_thunderbird, which recently got changed to drop the attachment field from the mailto: url (I think on the assumption that the mailto: url could only come from a browser click).

The proper fix would probably be to break any command line mailto: URL down into component parts and drop any "attach" argument before reassembling as today, and reinstate the code removed in the recent change.

In the above simple-scan bug report I added a patch which just reinstated the original code but only if the caller is not Chrome/Chromium as those are the only browsers in question in my environment (Firefox appears to call Thunderbird directly).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xdg-utils (Ubuntu):
status: New → Confirmed

Leonidas S. Barbosa (leosilvab) wrote :

I'll revert that patch/update and issue a new one asap.
Thanks

Leonidas S. Barbosa (leosilvab) wrote :

Hi,
There is a new version of this package in security-proposed [1] with the patch/update reverted, feel free to test it/check if the functionality is back. Thanks

[1] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=xdg-utils&field.status_filter=published&field.series_filter=

Dik (dikiy-evrej) wrote :

I'm using claws-mail, and it is broken too.

Dik (dikiy-evrej) wrote :

I tried the updated version of a package. It is still broken.

Leonidas S. Barbosa (leosilvab) wrote :

Hi @Dik, could you please provide the package, the release and version? Also, any steps on how to reproduce.

Regarding xdg-utils, the whole patch was reverted/deleted, so I don't see how it can be related.

Dik (dikiy-evrej) wrote :

$ dpkg-query -s xdg-utils
Package: xdg-utils
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 320
Maintainer: Ubuntu Developers <email address hidden>
Architecture: all
Multi-Arch: foreign
Version: 1.1.3-2ubuntu1.20.04.2

$ dpkg-query -s claws-mail
Package: claws-mail
Status: install ok installed
Priority: optional
Section: mail
Installed-Size: 4280
Maintainer: Ubuntu Developers <email address hidden>
Architecture: amd64
Multi-Arch: foreign
Version: 3.17.5-2

$ xdg-email --attach Documents/file.jpg

Dik (dikiy-evrej) wrote :

claws-mail reports "File P\ doesn't exist or permission denied". Moreover, when I try to send from simple-scan, the same error occurs + opens browser dillo with a URL "mailto:?filename=xxxxxx.pdf"

Dik (dikiy-evrej) wrote :

I mean the URL of dillo is: mailto:?attach=/tmp/simple-scan-IMU3W0/scan.pdf

Leonidas S. Barbosa (leosilvab) wrote :

I did try in my focal VM with both xdg-utils and claws-mail and it worked here (see attached image). In claws it opened a gtk stuff, with settings steps and a window with the message to be composed and the attached file.

Maybe someone else in this bug/thread has any idea what is happening.
As the security update was already reverted I don't see any way it can be security related with the sec update.

Nicholas Guriev (mymedia) wrote : Re: [Bug 1909941] Re: xdg-email changes break simple-scan email functionality

It seems another error in claws-mail, not related to the xdg-utils
vulnerability. Please file a separate bug against the claws-mail
package. I ran "xdg-email --attach test.txt <email address hidden>" via
strace and had the following in the terminal.

ubuntu@ubuntu:~$ LANG=C.UTF-8 apt-cache policy xdg-utils claws-mail
xdg-utils:
  Installed: 1.1.3-2ubuntu1.20.04.2
  Candidate: 1.1.3-2ubuntu1.20.04.2
  Version table:
 *** 1.1.3-2ubuntu1.20.04.2 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.3-2ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
claws-mail:
  Installed: 3.17.5-2
  Candidate: 3.17.5-2
  Version table:
 *** 3.17.5-2 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

ubuntu@ubuntu:~$ echo qwerty >test.txt
ubuntu@ubuntu:~$ strace -s 256 -f -qq -e 'trace=%process' -e 'signal=!all' -P `which claws-mail` env LANG=C.UTF-8 xdg-email --attach test.txt <email address hidden>
execve("/usr/bin/claws-mail", ["claws-mail", "mailto:<email address hidden>?attach=/home/ubuntu/test.txt"], 0x555673c99df0 /* 51 vars */) = 0
Gtk-Message: 19:53:06.153: Failed to load module "canberra-gtk-module"
/home/ubuntu/.claws-mail/toolbar_compose.xml: fopen: No such file or directory

(claws-mail:6012): Claws-Mail-WARNING **: 19:53:06.754: can't open signature file: '/home/ubuntu/.signature'
ubuntu@ubuntu:~$

I had changed default mail application to Claws Mail. It displayed a
strange error message, "File Reply-To: doesn't exist or permission
denied". See my attached screenshot.

Nicholas Guriev (mymedia) wrote :

On Tue, 2021-01-12 at 17:30 +0000, Dik wrote:
> claws-mail reports "File P\ doesn't exist or permission denied".
> Moreover, when I try to send from simple-scan, the same error occurs +
> opens browser dillo with a URL "mailto:?filename=xxxxxx.pdf"

Please also keep in mind that xdg-email behaves differently depending on
the XDG_CURRENT_DESKTOP environment variable. Which DE do you use? You
can find out what command is actually executed using "bash -x" or even
strace. And note, with running browser, there is another upstream issue.

  https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/13

Or more precisely, it is a merge request.

Dik (dikiy-evrej) wrote :

XDG_CURRENT_DESKTOP is set to i3, but under MATE I have this problem too.

Dik (dikiy-evrej) wrote :

I figured out that claws-mail can't handle the command

claws-mail --compose "mailto:?attach=/home/dik/tmp/file.key"

Dik (dikiy-evrej) wrote :

Seems that support of attach was removed from thunderbird and claws-mail for security reasons. So xdg-email needs to change the command line to invoke an e-mail program.

Andy Juniper (q-linux) wrote :

@dikiy-evrej I don't think that the recent change was in Thunderbird. The recent change here was to drop the attach= parameter from the mailto URL passed to Thunderbird, so that if you click a malicious mailto link in e.g. Chrome, it can't trick you into sending arbitrary files.

Problem was that xdg-email parses its command line arguments - supplied by e.g. simple-scan - and converts them to a mailto URL with attach= parameter - which it then drops before calling TB.

My hack in the simple-scan bug above is to only drop the attach parameter if the caller is Chrome or Chromium as those are the browsers used in my environment, but a better fix is required...
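
The approach discussed in this thread (drop any attach field that arrives inside a mailto: URI, but keep files the caller passed with --attach), sketched as an added example; it is not part of the thread and not xdg-utils code. The function names strip_attach and build_mailto and the sample paths are hypothetical, and file paths are assumed to need no percent-encoding.

```sh
#!/bin/sh
# Added illustration, not xdg-utils code; strip_attach and build_mailto are
# hypothetical names.

# Drop attach/attachment fields from a mailto: URI that may come from a link.
strip_attach() (
    uri=$1
    base=${uri%%\?*}
    query=
    case $uri in *\?*) query=${uri#*\?} ;; esac
    kept=
    IFS='&'; set -f            # split on '&' only, no globbing (subshell-local)
    for param in $query; do
        [ -n "$param" ] || continue
        key=$(printf '%s' "${param%%=*}" | tr '[:upper:]' '[:lower:]')
        case $key in
            attach|attachment) continue ;;  # file chosen by the link author
            *%*) continue ;;  # encoded key might decode to "attach": drop it
        esac
        kept="${kept:+$kept&}$param"
    done
    printf '%s\n' "$base${kept:+?$kept}"
)

# Sanitize the URI, then append files given explicitly via --attach.
# Assumption: paths need no percent-encoding.
build_mailto() (
    uri=$(strip_attach "$1"); shift
    for file in "$@"; do
        case $uri in
            *\?*) uri="$uri&attach=$file" ;;
            *)    uri="$uri?attach=$file" ;;
        esac
    done
    printf '%s\n' "$uri"
)

# Constructed input: a link that smuggles an attachment, plus one file the
# calling application really asked to attach.
build_mailto 'mailto:a@example.com?subject=hi&attach=/home/user/secret.txt' \
    /tmp/scan.pdf
```

Dropping fields whose name contains a percent sign is a deliberately conservative choice: it avoids having to decode the name before comparing it.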

Andy Juniper (q-linux) wrote :

Have verified that on 16.04, simple-scan to email now works again following the reversion of the original fix.

Dik (dikiy-evrej) wrote :

And 18.04? (focal)

Dik (dikiy-evrej) wrote :

Just tested claws-mail 3.17.8 -- it works. But 3.17.5 -- doesn't. So, seems to be a problem in claws-mail.

Andy Juniper (q-linux) wrote :

I don't have an 18.04 to test but 20.04 is OK with Thunderbird again.

Bernard Moreton (bernard-moreton-1) wrote :

I have the same problem on 20.04 LTS (fully updated).
xdg-email --subject SUBJ --attach HAR.pdf
gives:
/home/mbm/.claws-mail/mimetmp/.comments: unlink: Is a directory

** (claws-mail:10611): WARNING **: 15:50:25.346: failed to convert encoding of file name: Invalid byte sequence in conversion input

If the fix to xdg-utils works in claws-mail 3.17.8, can that be back-ported to 20.04 LTS, please?

Gonzalo Palarea (gpalarea) wrote :

I'm also having the same issue with xdg-utils 1.1.3-4ubuntu1 on 22.04, using thunderbird 91.9.1

using:
xdg-email --attach filename

does open the thunderbird compose window, but no attachment...

Tried on 3 different computers, same result.

Update: xdg-utils 1.1.3-4.1ubuntu1.22.04.1 seems to have fixed this. Tried on another computer and it works as expected. Went back then to the other 3, updated them and still had no luck... however I tried switching preferred email program to evolution, it worked! Changed back to Thunderbird, and voila! It works as expected...
