
It should be patched since Dec 2019: https://twitter.com/jensvoid/status/1295633279727673344



I found a discussion from March 2009 which suggests this issue was known back then [1]. Maybe the same feature was re-introduced later in some other part of the code? The link to the source repo in the post is dead, but the file it references (nsSmtpUrl.cpp) still contains this comment on line 88 in the current version:

/* DO NOT support attachment= in mailto urls. This poses a security fire hole!!!

[1] http://forums.mozillazine.org/viewtopic.php?f=30&t=1172555


That's interesting, as the OP is using `attachment` as the param when it is/was actually `attach`.


A comment in source code. Not the discerning professional's preferred tool for guaranteeing security-critical behaviors to prevent "fire holes".


What should they do? Static analysis would be nice, but it's probably too complex to adopt in that kind of codebase.

In the end, the only viable option is to forbid this behaviour, and document a rationale so nobody will enable it back again.

Perhaps they could make this warning bigger, but other than that...


They could have added a regression test, no? Give it an example with ?attach= and verify that no attachment is added.
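
The regression test suggested in the comment above, sketched as an added example (not part of the thread and not Thunderbird's code): a hypothetical allowlist parser, `parse_mailto`, that reports which parameters it dropped so a test can assert that `attach` and `attachment` never reach the draft. The struct, function names, allowlist and sample URL are assumptions.

```cpp
// Added example: hypothetical allowlist parser, not Thunderbird's nsSmtpUrl.cpp.
#include <algorithm>
#include <cctype>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Draft {
    std::map<std::string, std::string> fields;  // accepted fields, lower-cased names
    std::vector<std::string> rejected;          // parameter names the allowlist dropped
};
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}
// Decode %XX escapes so an encoded name such as %61ttach is compared in clear form.
static std::string pct_decode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        bool esc = s[i] == '%' && i + 2 < s.size() &&
                   std::isxdigit((unsigned char)s[i + 1]) &&
                   std::isxdigit((unsigned char)s[i + 2]);
        if (esc) { out += (char)std::stoi(s.substr(i + 1, 2), nullptr, 16); i += 2; }
        else out += s[i];
    }
    return out;
}
// Only these fields may be pre-filled from a link (assumed allowlist); attach is absent.
Draft parse_mailto(const std::string& url) {
    static const std::set<std::string> allowed = {"to", "cc", "bcc", "subject", "body"};
    Draft d;
    if (lower(url.substr(0, 7)) != "mailto:") return d;
    size_t q = url.find('?');
    d.fields["to"] = pct_decode(url.substr(7, q == std::string::npos ? q : q - 7));
    std::string query = q == std::string::npos ? "" : url.substr(q + 1);
    for (size_t pos = 0, amp; pos < query.size(); pos = amp + 1) {
        amp = std::min(query.find('&', pos), query.size());
        std::string pair = query.substr(pos, amp - pos);
        size_t eq = pair.find('=');
        std::string name = lower(pct_decode(pair.substr(0, eq)));
        std::string value = eq == std::string::npos ? "" : pct_decode(pair.substr(eq + 1));
        if (name.empty()) continue;
        if (allowed.count(name)) d.fields[name] = value; else d.rejected.push_back(name);
    }
    return d;
}
```

Matching against an allowlist after decoding and lower-casing means the `attach`/`attachment` naming confusion raised earlier in the thread, and case or percent-encoded variants, all land in `rejected`.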


Looking at the linked src code, there’s lots of mixed tabs/spaces for indent. shudders



