From 346e5712304e66bb1b52387115b89d1966cf184b Mon Sep 17 00:00:00 2001
From: Stefan Kangas <stefankangas@gmail.com>
Date: Sun, 17 Dec 2023 09:45:05 +0100
Subject: [PATCH] Never send user email address in HTTP requests

It used to be possible to customize 'url-privacy-level' so that the
user's email address was sent along in HTTP requests.  Since
'url-privacy-level' is also a blocklist, rather than an allowlist,
this meant that a mere misconfiguration of Emacs risked exposing the
user's email address.  This is a serious privacy risk, and it is thus
better if we remove this dangerous feature altogether.

* lisp/url/url-http.el (url-http-create-request): Never send the
user email address.
* lisp/url/url-vars.el (url-personal-mail-address): Make obsolete.
* lisp/url/url-privacy.el (url-setup-privacy-info): Don't set
above obsolete variable.
* doc/misc/url.texi (Customization):
* lisp/url/url-vars.el (url-privacy-level): Update documentation
to reflect the above changes.
---
 doc/misc/url.texi       |  2 --
 etc/NEWS                |  8 ++++++++
 lisp/url/url-http.el    |  4 ----
 lisp/url/url-privacy.el | 10 ----------
 lisp/url/url-vars.el    |  9 +++++++--
 5 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/doc/misc/url.texi b/doc/misc/url.texi
index 6517f858324..3a447a20559 100644
--- a/doc/misc/url.texi
+++ b/doc/misc/url.texi
@@ -1231,8 +1231,6 @@ the @file{*URL-DEBUG*} buffer.
 A number means log all messages and show them with @code{message}.
 It may also be a list of the types of messages to be logged.
 @end defopt
-@defopt url-personal-mail-address
-@end defopt
 @defopt url-privacy-level
 @end defopt
 @defopt url-lastloc-privacy-level
diff --git a/etc/NEWS b/etc/NEWS
index 491ade0c069..918c12b91d2 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -1093,6 +1093,14 @@ Highlighting Tests" node in the ERT manual.
 
 ** URL
 
++++
+*** URL now never sends user email addresses in HTTP requests.
+Emacs never sent email addresses by default, but it used to be
+possible to customize 'url-privacy-level' so that the users email
+address was sent along in HTTP requests.  This feature has now been
+removed, as it was considered more risky than useful.  The user option
+'url-personal-mail-address' is now also obsolete.
+
 +++
 *** 'url-gateway-broken-resolution' is now obsolete.
 This option was intended for use on SunOS 4.x and Ultrix systems,
diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index ada6341ee73..947c6517ed1 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -358,10 +358,6 @@ Use `url-http-referer' as the Referer-header (subject to `url-privacy-level')."
                   (url-port url-http-target-url))
                (format "Host: %s\r\n"
                        (url-http--encode-string (puny-encode-domain host))))
-             ;; Who its from
-             (if url-personal-mail-address
-                 (concat
-                  "From: " url-personal-mail-address "\r\n"))
              ;; Encodings we understand
              (if (or url-mime-encoding-string
 		     ;; MS-Windows loads zlib dynamically, so recheck
diff --git a/lisp/url/url-privacy.el b/lisp/url/url-privacy.el
index 2be77b33035..be4b063d18f 100644
--- a/lisp/url/url-privacy.el
+++ b/lisp/url/url-privacy.el
@@ -59,16 +59,6 @@
 	    ('tty "TTY")
 	    (_ nil)))))
 
-  (setq url-personal-mail-address (or url-personal-mail-address
-				      user-mail-address
-				      (format "%s@%s"  (user-real-login-name)
-					      (system-name))))
-
-  (if (or (memq url-privacy-level '(paranoid high))
-	  (and (listp url-privacy-level)
-	       (memq 'email url-privacy-level)))
-      (setq url-personal-mail-address nil))
-
   (setq url-os-type
 	(cond
 	 ((or (eq url-privacy-level 'paranoid)
diff --git a/lisp/url/url-vars.el b/lisp/url/url-vars.el
index 630de7f4e43..6d7d0d3c94c 100644
--- a/lisp/url/url-vars.el
+++ b/lisp/url/url-vars.el
@@ -90,6 +90,7 @@ This is what is sent to HTTP servers as the FROM field in an HTTP
 request."
   :type '(choice (const :tag "Unspecified" nil) string)
   :group 'url)
+(make-obsolete-variable 'url-personal-mail-address nil "30.1")
 
 (defcustom url-directory-index-file "index.html"
   "The filename to look for when indexing a directory.
@@ -113,18 +114,22 @@ paranoid -- don't send anything
 
 If a list, this should be a list of symbols of what NOT to send.
 Valid symbols are:
-email    -- the email address
+email    -- the email address (in Emacs 29 or older)
 os       -- the operating system info
 emacs    -- the version of Emacs
 lastloc  -- the last location (see also `url-lastloc-privacy-level')
 agent    -- do not send the User-Agent string
 cookies  -- never accept HTTP cookies
 
+Emacs 30 and newer never includes the email address in the
+User-Agent string.  If you expect to use older versions of Emacs,
+it is recommended to always customize this list to include `email'.
+
 Samples:
 
  (setq url-privacy-level \\='high)
  (setq url-privacy-level \\='(email lastloc))    ;; equivalent to \\='high
- (setq url-privacy-level \\='(os))
+ (setq url-privacy-level \\='(email lastloc os emacs))
 
 ::NOTE::
 This variable controls several other variables and is _NOT_ automatically
-- 
2.39.2