Merge branch 'CVE-2019-10732' into Applications/19.04

Fixes the CVE-2019-10732, with additional tests, to make sure, we fixed
the CVE completely.

FIXED-IN: 5.11.2
BUG: 404698
CCMAIL: security@kde.org

mimetreeparser/autotests/data/openpgp-inline-multiple.mbox

@@ -0,0 +1,51 @@
+Subject: Testcase 'reply-decrytion-oracle' (PGP INLINE)
+To: brucewayne45@web.de
+From: brucewayne45@web.de
+MIME-Version: 1.0
+Content-Type: text/plain
+
+Please reply to this message
+.
+.
+.
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf7BxmM0vO8nG37hKqoqOHb35JqprJM+sqF7JFmrsuWe6V2
+PAyyE2wdtq+AhvXjVnggxYLwU+DEFpBTmWr1rsanyV8hWXRbecfN/9gN/4/N9y7Z
+XSx2OeE/uA5z8Kz5vrv/ywMqcVHjB5MQPTcLC2Zlg8MVltpriy6mdAkON4I3t7kl
+j9uwQRY7HeKvsib63HWnYAOV/fYPXXor/lioeYIll08uuCiTh3Z9fEhXQI/az5Ft
+e/xa70xGqviux+OvhoNUSZspzl7vK7e/NTBlC+LF1zVXUXT8prrd+ZFNwKvtn0Hl
+W4KfNqTM9TJB8vpE5FWnH6+B365ZvxZopZ5F/9szp9JGAUCNdX5WujBreg7nTLui
+UrnDNwOvjvsE/gsoO3n3jARK+Tu8PfUl8V1bHiCeGJz/mkA9uGJ/IApcT4rYsoHB
+nVQjW1NJ6A==
+=zrF/
+-----END PGP MESSAGE-----
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf+MCqjMjAB80hAMAHfa7bdk/6L4DJQBQn+zHRv6oYzzYFC
+8l79DDIE2uorQNFj1ZBw5+pi7+/2QmAANnG2ug5W0HRphg2WPXTUswy5H+mg08PM
+MXRsP9lX5pAXEbLZVp61tvOQHnO/ltBhHHBwRaIq2tiirUUhy5erqLwlkSyN8xHM
+Bh0u/dIJw7ewMk0l3BtF/GuP7l6PtUxT7P0Vwit4h1FV1bc9mSFmBNN16dvixJ4l
+jK0mYEqT97SNZpg0MPOxx8E3xuJptzea4qmACv5zx4gYHlZRM0ZlKNqffmRauWOe
+pDCjZv2F1IUJOg28NzZhKCBVhmhBmP1VmLNYFKGAsNJHAV+3uN2YYWzbhoOJAE0N
+UxLI0EQN4y7OkAnGiRH45HygLxAjTk6dPiP5OD9OhUnSqofAjajlmqzfAAVMxY1a
+epnRKPsnCZU=
+=dqBN
+-----END PGP MESSAGE-----
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf+MNDSEBVsF78knI+uirDbLSLrHicrXExTocmXr2DZOggI
+zMYCAHyg7ohINA40/8ZuR0bC9h6qCZjjhR+VFe2edRFshXlbuzykjpXNYcSv61Sm
+9TAVpgAExzS5VhAxYIJ6+zWJR8+hgv63oREZPWlJ23utBDAMkEeY7cga3wn1HZMZ
+g4XQZ94a8s9s/I+s3dLOdHGdxw+hmSnxjMhI6TMcZV/Kvr1MkkW10N0h0+hiuq2O
+4owEztpm4See8fCkRfhr0TO+a8ElCtIXjVwqeB0tQh0fU3QaaNiDXYawoFMQXG8N
+nwCP92glfOeAvJn9KuLwO3ee+WKwcrJhsFRMmjziDdJGAUvptVDNrk2P/0fzo/Xl
+ypmw8zhir6ch+4C2+5yFCtVSmC+3Y7+NQ4YE4AR/z5rGvA1lxclulU1DSGkhFTbJ
+XEVyg8o23A==
+=Bs3d
+-----END PGP MESSAGE-----
+
+whoo three encrypted parts inside.

mimetreeparser/autotests/data/openpgp-inline-multiple.mbox.html

@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF8"?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+  <body>
+    <div style="position: relative; word-wrap: break-word">
+      <a name="att"/>
+      <div id="attachmentDiv">
+        <div class="noquote">
+          <div dir="ltr">Please reply to this message</div>
+          <div dir="ltr">.</div>
+          <div dir="ltr">.</div>
+          <div dir="ltr">.</div>
+          <br/>
+        </div>
+        <table cellspacing="1" cellpadding="1" class="encr">
+          <tr class="encrH">
+            <td dir="ltr">
+              <div class="enc-simple">Encrypted message<a href="kmail:showEncryptionDetails" style="display:block;float:right;">Show Details</a></div>
+            </td>
+          </tr>
+          <tr class="encrB">
+            <td>
+              <div class="noquote">
+                <div dir="ltr">first part</div>
+              </div>
+            </td>
+          </tr>
+          <tr class="encrH">
+            <td dir="ltr">End of encrypted message</td>
+          </tr>
+        </table>
+        <table cellspacing="1" cellpadding="1" class="encr">
+          <tr class="encrH">
+            <td dir="ltr">
+              <div class="enc-simple">Encrypted message<a href="kmail:showEncryptionDetails" style="display:block;float:right;">Show Details</a></div>
+            </td>
+          </tr>
+          <tr class="encrB">
+            <td>
+              <div class="noquote">
+                <div dir="ltr">second part</div>
+              </div>
+            </td>
+          </tr>
+          <tr class="encrH">
+            <td dir="ltr">End of encrypted message</td>
+          </tr>
+        </table>
+        <table cellspacing="1" cellpadding="1" class="encr">
+          <tr class="encrH">
+            <td dir="ltr">
+              <div class="enc-simple">Encrypted message<a href="kmail:showEncryptionDetails" style="display:block;float:right;">Show Details</a></div>
+            </td>
+          </tr>
+          <tr class="encrB">
+            <td>
+              <div class="noquote">
+                <div dir="ltr">third part</div>
+              </div>
+            </td>
+          </tr>
+          <tr class="encrH">
+            <td dir="ltr">End of encrypted message</td>
+          </tr>
+        </table>
+        <div class="noquote">
+          <div dir="ltr">whoo three encrypted parts inside.</div>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>

mimetreeparser/autotests/data/openpgp-inline-multiple.mbox.tree

@@ -0,0 +1,7 @@
+ * MimeTreeParser::MessagePartList
+  * MimeTreeParser::TextMessagePart
+   * MimeTreeParser::MessagePart
+   * MimeTreeParser::EncryptedMessagePart
+   * MimeTreeParser::EncryptedMessagePart
+   * MimeTreeParser::EncryptedMessagePart
+   * MimeTreeParser::MessagePart

mimetreeparser/src/messagepart.cpp

@@ -482,6 +482,11 @@ QString HtmlMessagePart::text() const
     return mBodyHTML;
 }
 
+QString MimeTreeParser::HtmlMessagePart::plaintextContent() const
+{
+    return QString();
+}
+
 bool HtmlMessagePart::isHtml() const
 {
     return true;

mimetreeparser/src/messagepart.h

@@ -234,6 +234,7 @@ class MIMETREEPARSER_EXPORT HtmlMessagePart : public MessagePart
     ~HtmlMessagePart() override;
 
     QString text() const override;
+    QString plaintextContent() const override;
 
     void fix() const override;
     bool isHtml() const override;

templateparser/autotests/data/404698-gpg-attachments.mbox

@@ -0,0 +1,72 @@
+Subject: Testcase 'reply-mix-crlf' (PGP/MIME HTML)
+To: brucewayne45@web.de
+From: brucewayne45@web.de
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="BOUNDARY"
+
+--BOUNDARY
+Content-Type: text/plain
+
+Please reply to this message
+.
+.
+.
+
+
+--BOUNDARY
+Content-Type: text/plain; name="text1.txt"
+Content-Disposition: inline
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf7BxmM0vO8nG37hKqoqOHb35JqprJM+sqF7JFmrsuWe6V2
+PAyyE2wdtq+AhvXjVnggxYLwU+DEFpBTmWr1rsanyV8hWXRbecfN/9gN/4/N9y7Z
+XSx2OeE/uA5z8Kz5vrv/ywMqcVHjB5MQPTcLC2Zlg8MVltpriy6mdAkON4I3t7kl
+j9uwQRY7HeKvsib63HWnYAOV/fYPXXor/lioeYIll08uuCiTh3Z9fEhXQI/az5Ft
+e/xa70xGqviux+OvhoNUSZspzl7vK7e/NTBlC+LF1zVXUXT8prrd+ZFNwKvtn0Hl
+W4KfNqTM9TJB8vpE5FWnH6+B365ZvxZopZ5F/9szp9JGAUCNdX5WujBreg7nTLui
+UrnDNwOvjvsE/gsoO3n3jARK+Tu8PfUl8V1bHiCeGJz/mkA9uGJ/IApcT4rYsoHB
+nVQjW1NJ6A==
+=zrF/
+-----END PGP MESSAGE-----
+
+--BOUNDARY
+Content-Type: text/plain; name="text2.txt"
+Content-Disposition: inline
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf+MCqjMjAB80hAMAHfa7bdk/6L4DJQBQn+zHRv6oYzzYFC
+8l79DDIE2uorQNFj1ZBw5+pi7+/2QmAANnG2ug5W0HRphg2WPXTUswy5H+mg08PM
+MXRsP9lX5pAXEbLZVp61tvOQHnO/ltBhHHBwRaIq2tiirUUhy5erqLwlkSyN8xHM
+Bh0u/dIJw7ewMk0l3BtF/GuP7l6PtUxT7P0Vwit4h1FV1bc9mSFmBNN16dvixJ4l
+jK0mYEqT97SNZpg0MPOxx8E3xuJptzea4qmACv5zx4gYHlZRM0ZlKNqffmRauWOe
+pDCjZv2F1IUJOg28NzZhKCBVhmhBmP1VmLNYFKGAsNJHAV+3uN2YYWzbhoOJAE0N
+UxLI0EQN4y7OkAnGiRH45HygLxAjTk6dPiP5OD9OhUnSqofAjajlmqzfAAVMxY1a
+epnRKPsnCZU=
+=dqBN
+-----END PGP MESSAGE-----
+
+
+--BOUNDARY
+Content-Type: text/plain; name="text3.txt"
+Content-Disposition: inline
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf+MNDSEBVsF78knI+uirDbLSLrHicrXExTocmXr2DZOggI
+zMYCAHyg7ohINA40/8ZuR0bC9h6qCZjjhR+VFe2edRFshXlbuzykjpXNYcSv61Sm
+9TAVpgAExzS5VhAxYIJ6+zWJR8+hgv63oREZPWlJ23utBDAMkEeY7cga3wn1HZMZ
+g4XQZ94a8s9s/I+s3dLOdHGdxw+hmSnxjMhI6TMcZV/Kvr1MkkW10N0h0+hiuq2O
+4owEztpm4See8fCkRfhr0TO+a8ElCtIXjVwqeB0tQh0fU3QaaNiDXYawoFMQXG8N
+nwCP92glfOeAvJn9KuLwO3ee+WKwcrJhsFRMmjziDdJGAUvptVDNrk2P/0fzo/Xl
+ypmw8zhir6ch+4C2+5yFCtVSmC+3Y7+NQ4YE4AR/z5rGvA1lxclulU1DSGkhFTbJ
+XEVyg8o23A==
+=Bs3d
+-----END PGP MESSAGE-----
+
+--BOUNDARY
+
+whoo three encrypted parts inside.
+
+--BOUNDRY--

templateparser/autotests/data/404698-gpg-attachments.mbox.forwarded.mbox

@@ -0,0 +1,66 @@
+Subject: Testcase 'reply-mix-crlf' (PGP/MIME HTML)
+To: brucewayne45@web.de
+From: brucewayne45@web.de
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="BOUNDARY"
+
+--BOUNDARY
+Content-Type: text/plain
+
+Please reply to this message
+.
+.
+.
+
+
+--BOUNDARY
+Content-Type: text/plain; name="text1.txt"
+Content-Disposition: inline
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf7BxmM0vO8nG37hKqoqOHb35JqprJM+sqF7JFmrsuWe6V2
+PAyyE2wdtq+AhvXjVnggxYLwU+DEFpBTmWr1rsanyV8hWXRbecfN/9gN/4/N9y7Z
+XSx2OeE/uA5z8Kz5vrv/ywMqcVHjB5MQPTcLC2Zlg8MVltpriy6mdAkON4I3t7kl
+j9uwQRY7HeKvsib63HWnYAOV/fYPXXor/lioeYIll08uuCiTh3Z9fEhXQI/az5Ft
+e/xa70xGqviux+OvhoNUSZspzl7vK7e/NTBlC+LF1zVXUXT8prrd+ZFNwKvtn0Hl
+W4KfNqTM9TJB8vpE5FWnH6+B365ZvxZopZ5F/9szp9JGAUCNdX5WujBreg7nTLui
+UrnDNwOvjvsE/gsoO3n3jARK+Tu8PfUl8V1bHiCeGJz/mkA9uGJ/IApcT4rYsoHB
+nVQjW1NJ6A==
+=zrF/
+-----END PGP MESSAGE-----
+
+--BOUNDARY
+Content-Type: text/plain; name="text2.txt"
+Content-Disposition: inline
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf+MCqjMjAB80hAMAHfa7bdk/6L4DJQBQn+zHRv6oYzzYFC
+8l79DDIE2uorQNFj1ZBw5+pi7+/2QmAANnG2ug5W0HRphg2WPXTUswy5H+mg08PM
+MXRsP9lX5pAXEbLZVp61tvOQHnO/ltBhHHBwRaIq2tiirUUhy5erqLwlkSyN8xHM
+Bh0u/dIJw7ewMk0l3BtF/GuP7l6PtUxT7P0Vwit4h1FV1bc9mSFmBNN16dvixJ4l
+jK0mYEqT97SNZpg0MPOxx8E3xuJptzea4qmACv5zx4gYHlZRM0ZlKNqffmRauWOe
+pDCjZv2F1IUJOg28NzZhKCBVhmhBmP1VmLNYFKGAsNJHAV+3uN2YYWzbhoOJAE0N
+UxLI0EQN4y7OkAnGiRH45HygLxAjTk6dPiP5OD9OhUnSqofAjajlmqzfAAVMxY1a
+epnRKPsnCZU=
+=dqBN
+-----END PGP MESSAGE-----
+
+
+--BOUNDARY
+Content-Type: text/plain; name="text3.txt"
+Content-Disposition: inline
+
+-----BEGIN PGP MESSAGE-----
+
+hQEMAwzOQ1qnzNo7AQf+MNDSEBVsF78knI+uirDbLSLrHicrXExTocmXr2DZOggI
+zMYCAHyg7ohINA40/8ZuR0bC9h6qCZjjhR+VFe2edRFshXlbuzykjpXNYcSv61Sm
+9TAVpgAExzS5VhAxYIJ6+zWJR8+hgv63oREZPWlJ23utBDAMkEeY7cga3wn1HZMZ
+g4XQZ94a8s9s/I+s3dLOdHGdxw+hmSnxjMhI6TMcZV/Kvr1MkkW10N0h0+hiuq2O
+4owEztpm4See8fCkRfhr0TO+a8ElCtIXjVwqeB0tQh0fU3QaaNiDXYawoFMQXG8N
+nwCP92glfOeAvJn9KuLwO3ee+WKwcrJhsFRMmjziDdJGAUvptVDNrk2P/0fzo/Xl
+ypmw8zhir6ch+4C2+5yFCtVSmC+3Y7+NQ4YE4AR/z5rGvA1lxclulU1DSGkhFTbJ
+XEVyg8o23A==
+=Bs3d
+-----END PGP MESSAGE-----

templateparser/autotests/data/404698-gpg-attachments.mbox.html.reply

@@ -0,0 +1 @@
+Please reply to this message<br>.<br>.<br>.<br><br>

templateparser/autotests/data/404698-gpg-attachments.mbox.plain.reply

@@ -0,0 +1,5 @@
+Please reply to this message
+.
+.
+.
+