send: avoid leaking bcc addresses to all recipients

Depending on the provider/backend which is sending the email, the Bcc headers may or may not be stripped. Make sure to remove them from aerc before sending (and optionally copying) the message. Add an accounts.conf option to preserve them if needed. Fixes: https://todo.sr.ht/~rjarry/aerc/283 Changelog-fixed: Some SMTP servers do not strip `Bcc` headers. aerc now removes them before sending emails to avoid leaking private information. A new `strip-bcc = false` option can be used in `accounts.conf` to revert to previous behaviour (preserve _Bcc_ headers in outgoing messages). Signed-off-by: Robin Jarry <[email protected]> Reviewed-by: Diederik de Haas <[email protected]>
rjarry · Dec 19, 2024 · 6512eb2 · 6512eb2
1 parent 1899b12
commit 6512eb2
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/commands/compose/send.go b/commands/compose/send.go
@@ -106,6 +106,11 @@ func (s Send) Execute(args []string) error {
 		return errors.New("Cannot send message with no recipients")
 	}
 
+	if config.StripBcc {
+		// Do NOT leak Bcc addresses to all recipients.
+		header.Del("Bcc")
+	}
+
 	uri, err := url.Parse(outgoing)
 	if err != nil {
 		return errors.Wrap(err, "url.Parse(outgoing)")

diff --git a/config/accounts.go b/config/accounts.go
@@ -99,6 +99,7 @@ type AccountConfig struct {
 	Archive           string          `ini:"archive" default:"Archive"`
 	CopyTo            string          `ini:"copy-to"`
 	CopyToReplied     bool            `ini:"copy-to-replied" default:"false"`
+	StripBcc          bool            `ini:"strip-bcc" default:"true"`
 	Default           string          `ini:"default" default:"INBOX"`
 	Postpone          string          `ini:"postpone" default:"Drafts"`
 	From              *mail.Address   `ini:"from"`

diff --git a/doc/aerc-accounts.5.scd b/doc/aerc-accounts.5.scd
@@ -59,6 +59,16 @@ Note that many of these configuration options are written for you, such as
 
 	Default: _false_
 
+*strip-bcc* = _true_|_false_
+	Strip _Bcc_ headers before sending emails. This also affects local
+	copies of the sent messages (*copy-to* and *copy-to-replied*).
+
+	Some email providers/backends automatically strip _Bcc_ headers before
+	dispatching the messages to recipients. Double check before setting this
+	to _false_ to avoid leaking any private information.
+
+	Default: _true_
+
 *default* = _<folder>_
 	Specifies the default folder to open in the message list when aerc
 	configures this account.