From 45dae1ff0cf00c0a2a0693ce8de41a1205a07b8f Mon Sep 17 00:00:00 2001
From: "B. Petersen"
Date: Tue, 6 Oct 2020 15:19:58 +0200
Subject: [PATCH] protect against attackers dropping the protect-this-chat message by not showing unprotected messages directly; this is done by checking the Chat-Verified flag on each incoming message. moreover, make sure, the flag is signed+encrypted (it must be read from the protected headers).
---
 src/dc_receive_imf.rs | 5 +++++
 src/mimeparser.rs | 1 +
 2 files changed, 6 insertions(+)
diff --git a/src/dc_receive_imf.rs b/src/dc_receive_imf.rs
index ceab5133a..3109d9bab 100644
--- a/src/dc_receive_imf.rs
+++ b/src/dc_receive_imf.rs
@@ -1679,6 +1679,11 @@ async fn check_verified_properties(
 ensure!(mimeparser.was_encrypted(), "This message is not encrypted.");
+ ensure!(
+ mimeparser.get(HeaderDef::ChatVerified).is_some(),
+ "Sender did not mark the message as protected."
+ );
+
 // ensure, the contact is verified
 // and the message is signed with a verified key of the sender.
 // this check is skipped for SELF as there is no proper SELF-peerstate
diff --git a/src/mimeparser.rs b/src/mimeparser.rs
index 42911a5bd..eddbf6f07 100644
--- a/src/mimeparser.rs
+++ b/src/mimeparser.rs
@@ -127,6 +127,7 @@ impl MimeMessage {
 // remove headers that are allowed _only_ in the encrypted part
 headers.remove("secure-join-fingerprint");
+ headers.remove("chat-verified");
 // Memory location for a possible decrypted message.
 let mail_raw;
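Review bot: The added `ensure!` in check_verified_properties tests only that a Chat-Verified header is present, so any value passes. It is trustworthy only because src/mimeparser.rs drops the outer copy, and nothing at this call site records that dependency. I would add a comment above it such as `// Chat-Verified is kept only from the signed+encrypted part (mimeparser removes the outer copy), so presence means the sender set it`, and compare against the expected value instead of `is_some()` if the header has one. At this point only `was_encrypted()` has been established, and the verified-key signature check below is, per its comment, skipped for SELF, so it is worth confirming that an encrypted but unsigned message cannot supply the header. The function body starts and ends outside the hunk.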
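Review bot: The literal `"chat-verified"` in `headers.remove("chat-verified");` has to be kept in sync by hand with the header name behind `HeaderDef::ChatVerified`, which check_verified_properties looks up. If the two ever diverge, the unprotected outer header survives and the new protection check fails open without any error. Deriving the key from the `HeaderDef` value, or keeping the protected-only header names in one list used by both sites, would remove that risk. A regression test that parses a message carrying Chat-Verified only in the unencrypted outer headers and asserts the lookup returns `None` would pin the behaviour. The enclosing function continues outside the hunk, so whether this removal always runs before the decrypted headers are merged is not visible here.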