Closed Bug 196749 Opened 22 years ago Closed 21 years ago

Incoming mail contains "X-Mozilla-Status" and cause Mozilla to handle it as read, flagged, prioritised

Categories

(MailNews Core :: Backend, defect)

Product:
MailNews Core
Component:
Backend
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta1

People

(Reporter: mbockelkamp, Assigned: Bienvenu)

References

Details

(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: fixed-aviary1.0)

Attachments

(2 files, 1 obsolete file)

Fix strncasecmp in previous patch
8.30 KB, patch
Details | Diff | Splinter Review
proposed fix
1.28 KB, patch
mscott
: superreview+
mkaply
: approval1.7.5+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4a) Gecko/20030307 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4a) Gecko/20030307 If I send myself an email (using the Indy-Library) containing the extra-headers "x-mozilla-status" and "x-mozilla-status2" the values set by me are used for displaying the new mail. In addition Mozilla generates new "x-mozilla-status" and "x-mozilla-status2" entries which contain the value "0". This leads to the following questions: 1. Is it intentional to use those values, if they come in with the mail? 2. Why does Mozilla generate additional entries, which could cause confusion if the order of processing header fields is changed in future? 3. Could this be a way for spammers to bypass the junk mail controls? Then the priority should be increased! Reproducible: Always Steps to Reproduce: 1. Send yourself a mail with x-mozilla-status and x-mozilla-status2 header fields 2. Get the mail 3. View the message source Actual Results: Looks like this: X-Mozilla-Status: 0000 X-Mozilla-Status2: 00000000 .. X-Mozilla-Status: 0003 X-Mozilla-Status2: 06000000 Expected Results: There should be no double entries.
Over the last two days I've started to see spam coming in with the X-mozilla* fields set, to avoid the spamfilters. Most have been marked Read and Not Spam. Spam filters don't get these messages, unless I "Run Junk Mail Controls On Folders" Perhaps a spammer has read this bug. In any case, I'd think that this should be bumped up on the priority list. I'm using Thunderbird 0.6 on Windows.
Confirming, reassigning to mscott's new address, changing Hardware and OS to All, changing Severity to Major, setting "blocking1.7?".
Assignee: mscott → mscott
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.7?
OS: Windows XP → All
Hardware: PC → All
way too late for the 1.7 train.
Severity: major → normal
Flags: blocking1.7? → blocking1.7-
Target Milestone: --- → mozilla1.8beta
(In reply to comment #3) > way too late for the 1.7 train. Won't be nice for the 1.7 users. Perhaps make this a Security Bug to at least prevent Spammers from reading it?
Severity: normal → major
Flags: blocking1.7- → blocking1.7?
Target Milestone: mozilla1.8beta → ---
Flags: blocking1.7? → blocking1.7-
Oh, sorry for changing your flags, but I'm sure I didn't touch them.
Severity: major → normal
Target Milestone: --- → mozilla1.8beta
No point in security on the bug. The information is on a public news server and appears to be already in use in the wild.
Attached patch Proposed fix (obsolete) — — Splinter Review
This patch silently removes any "X-Mozilla*" headers from incoming POP3 email. It also cleans up some other places that were using the bare literals instead of the X_MOZILLA macros, and fixes a crash I ran into while sending myself various test messages with X-Mozilla headers set.
Same as before, but uses PL_strncasecmp instead of strncasecmp
Attachment #151248 - Attachment is obsolete: true
Attachment #151256 - Flags: review?
(In reply to comment #8) > Created an attachment (id=151256) > Fix strncasecmp in previous patch > > Same as before, but uses PL_strncasecmp instead of strncasecmp But this would probably have done the trick all by itself: Index: nsParseMailbox.cpp =================================================================== RCS file: /cvsroot/mozilla/mailnews/local/src/nsParseMailbox.cpp,v retrieving revision 1.235 diff -u -r1.235 nsParseMailbox.cpp --- nsParseMailbox.cpp 18 Jun 2004 18:37:36 -0000 1.235 +++ nsParseMailbox.cpp 20 Jun 2004 01:27:35 -0000 @@ -940,7 +940,12 @@ value = buf; if (header) + { + // Ignore repeated headers. + if (header->value) + return 0; header->value = value; + } SEARCH_NEWLINE: while (*buf != 0 && *buf != nsCRT::CR && *buf != nsCRT::LF)
Those headers are also added to IMAP mail right? Any solution needs to address all sources of email, not just POP. I don't think that there is any point to cleaning duplicate headers up, just go with your solution in comment 9 and ignore headers that have already been parsed. It's cleaner and simpler with less change required.
(In reply to comment #10) > Those headers are also added to IMAP mail right? Any solution needs to address > all sources of email, not just POP. I don't think that there is any point to > cleaning duplicate headers up, just go with your solution in comment 9 and > ignore headers that have already been parsed. It's cleaner and simpler with > less change required. Yes, you're right. The solution in comment #9 solves the problem for both POP and IMAP, and it's the simplest. From a "correctness/maintainability" standpoint I think some of my other changes should be made anyway, but that should be a separate issue so I'll drop it from the current discussion.
The code from comment #9 only prevents parsing all (thus using the last) occurences of a header line. But Mozilla still adds a header, e.g. X-Mozilla-Status, a second time instead of overwriting the one that came in - that's at least confusing. I'm very much in favour of removing all internal used header lines upon receive.
(In reply to comment #12) > The code from comment #9 only prevents parsing all (thus using the last) > occurences of a header line. > But Mozilla still adds a header, e.g. X-Mozilla-Status, a second time instead of > overwriting the one that came in - that's at least confusing. Actually the code in Comment #9 makes it so that only the *first* occurrence is parsed, and the first occurrence is always the header that Mozilla added, because Mozilla writes the X-Mozilla-Status immediately after creating the "From" envelope header. So this patch by itself is enough to prevent spammer tricks from working. > I'm very much in favour of removing all internal used header lines upon receive. I agree, it's confusing to have the bogus headers remain. I've spent the past couple weeks reading thru all the POP3 code but I'm not familiar enough with the IMAP code to figure out how to do the equivalent fix. I.e., you have to squash any illegal headers in the incoming protocol stream, without disturbing headers that Mozilla itself generates.
Adding bienvenu for IMAP concerns. I see now that the actual change for removing the duplicate lines is quite simple. I agree that it is the best solution. It was all of the other changes in the patch which threw me. Why have you added the length and changed from signed to unsigned? Was there a problem that you are fixing? If not then these changes aren't really needed. This code isn't going to be a performance problem - the network delays with the pop protocol will far outweigh any savings in getting rid of a single strlen. > nsCAutoString uidlCString("X-UIDL: "); X_UIDL? > char *statusLine = PR_smprintf(X_MOZILLA_STATUS_FORMAT MSG_LINEBREAK, flags); If you are going to clean up this code a bit, why don't you remove the malloc at this line and use PR_snprintf into a stack var instead. > // Check for illegal headers in incoming mail Since you are using the defines for all of the other X_MOZILLA stuff, why don't you create new defines for X_MOZILLA_PREFIX and X_MOZILLA_PREFIX_LEN and use them. Ditto for FCC. Could we ever get a dummy "From - " envelope header line in the email? Do you need to check for that?
I don't think you can eliminate all duplicate headers since I think it's legal to duplicate some headers, in particular, to: and cc:. Personally, I believe the simplest, safest, fix is to just ignore the x-mozilla-status duplicate headers when parsing the mail headers. I don't think we need to strip them out. If we just ignore them when parsing, we fix the problem for pop3, imap, and for reparsing mail folders. I'll attach a simple patch showing what I mean...
Attached patch proposed fix — — Splinter Review
untested, but this is what I have in mind. Technically, we're never supposed to remove stuff from a message - but it's perfectly alright to ignore stuff. I don't see any reason to strip out X-UIDL headers, since we only ever pay attention to the first one, which will be the one we put in...
Assignee: mscott → bienvenu
Status: NEW → ASSIGNED
*** Bug 246638 has been marked as a duplicate of this bug. ***
Attachment #151292 - Flags: superreview?(mscott)
Perhaps related, another duplicate-header (Subject:) issue is bug 166068.
(In reply to comment #18) > Perhaps related, another duplicate-header (Subject:) issue is bug 166068. Hm, wrong bug number?
Oops, yes, copied from the wrong page. I meant bug 172104.
Attachment #151292 - Flags: superreview?(mscott) → superreview+
(In reply to comment #16) > Created an attachment (id=151292) > proposed fix > > untested, but this is what I have in mind. Am I blind, or is there really No code that sets m_IgnoreXMozillaStatus? (I did a find in the mailnews source tree, only found tests, not sets.) > Technically, we're never supposed to remove stuff from a message - but it's > perfectly alright to ignore stuff. Right. And the existing code was effectively "ignoring" things anyway, it's just that it was ignoring the first instances of a header, not the last.
(In reply to comment #14) > Why have you added the length and changed from signed to unsigned? Was there a > problem that you are fixing? If not then these changes aren't really needed. > This code isn't going to be a performance problem - the network delays with the > pop protocol will far outweigh any savings in getting rid of a single strlen. This is an interesting question, but not for this particular bug. If there's a better forum to discuss this, let's take it there. But to answer the point: whether there are significant network delays or not is no excuse to waste CPU time; we're not running in a single-tasking environment. There are other things out there that may have a use for the CPU time even if this particular program doesn't. When's the last time anybody profiled this codebase? (It's not like there aren't already enough things to worry about, of course...) In general though, why write code that executes in linear time (strlen) when you can do it in constant time (sizeof)? Why recalculate information that was already available, but got thrown away? Speaking from personal experience, profiling and paying attention to details like this has allowed us to speed up OpenLDAP by over a factor of 200 (yes, that's right, 200) from the 1999 code base to present day. Every algorithmic choice you make matters.
m_IgnoreXMozillaStatus is currently unused - in 4.x, it was used in a couple situations, parsing outgoing messages, and parsing imap headers. We should be setting it when parsing imap headers, and we might someday need to parse outgoing messages. Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
Comment on attachment 151292 [details] [diff] [review] proposed fix nice to have for 1.7.1
Attachment #151292 - Flags: approval1.7.1?
Comment on attachment 151292 [details] [diff] [review] proposed fix a=mkaply for 1.7.1.
Attachment #151292 - Flags: approval1.7.1? → approval1.7.1+
*** Bug 249501 has been marked as a duplicate of this bug. ***
Isn't it possible to move those mozilla flags into the .msf file? It looks like mozilla/thunderbird stores that information in the .msf file for imap mail. But if mozilla flags are stored together with the mail, there should be 2 separate parts: control information and the original mail itself. Hence the mail box file looks like: From - .... X-Mozilla-Status: ... X-Mozilla-Status2: ... X-Mozilla-Border: --------------------------- Received: ... Date: ... From: ... If mozilla/thunderbird checks for flags, this should not be done below the border, i.e. in the original mail.
(In reply to comment #27) > Isn't it possible to move those mozilla flags into the .msf file? It looks like > mozilla/thunderbird stores that information in the .msf file for imap mail. > One problem with this is that .msf files are rebuilt from scratch rather too readily, for example on a time zone change (a real problem for me when I change time zones, see bug 136049 and especially my comment 45 to it). If these flags are stored only in the .msf files, the information is completely lost when the .msf file are rebuilt.
Bug 257532 claims this bug is still present in TB 0.7.2/0.7.3.
I believe this is fixed in nightly aviary builds, and nightly trunk builds, but I don't know that it's fixed in .7.2 or .7.3...
*** Bug 258120 has been marked as a duplicate of this bug. ***
*** Bug 257532 has been marked as a duplicate of this bug. ***
Someone can checkin this patch into 1.7 branch? http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/mailnews/local/src/nsParseMailbox.cpp&rev=MOZILLA_1_7_BRANCH&root=/cvsroot shows it hasn't been checked in yet.
*** Bug 258735 has been marked as a duplicate of this bug. ***
*** Bug 259539 has been marked as a duplicate of this bug. ***
fixed on 1.7 branch
Keywords: fixed1.7.3
Keywords: fixed-aviary1.0
was fixed after the release of 1.7.3
Keywords: fixed1.7.3fixed1.7.x
*** Bug 260589 has been marked as a duplicate of this bug. ***
Since I started using a Fedora 2 build of 1.7.2, I have intermittently seen X-Mozilla-Status and X-Mozilla-Status2 headers in the text of my message. E.g. <q> Another possible solution would be to create a static final boolean called DEBUG somewhere in your code and then wrap all of your debug code in "if (DEBUG)" blocks. Obfuscation will remove these if-blocks from the final bits whenever DEBUG=false. While this solution does not X-Mozilla-Status: 8000 X-Mozilla-Status2: 00000000 make use of IDE functionality, it may be sufficient for what you're doing. </q> This occures quite frequently. Is it related to this bug, or should I report another?
Mike Cowperthwaite pointed me to bug #248121, which is related to movemail. That's the one I want.
*** Bug 263283 has been marked as a duplicate of this bug. ***
*** Bug 263445 has been marked as a duplicate of this bug. ***
(In reply to comment #43) > *** Bug 263445 has been marked as a duplicate of this bug. *** Suggestion for a better description of this bug and reducing number of duplicates: Incoming mail that is sent with extra headers "x-mozilla-status" and "x-mozilla-status" cause Mozilla to indicate 'new mail' as 'read mail'.
Summary: Problem with x-mozilla-status → Incoming mail contains "X-Mozilla-Status" and cause Mozilla to handle it as read
Some more information for the summary.
Summary: Incoming mail contains "X-Mozilla-Status" and cause Mozilla to handle it as read → Incoming mail contains "X-Mozilla-Status" and cause Mozilla to handle it as read, flagged, prioritised
*** Bug 263913 has been marked as a duplicate of this bug. ***
*** Bug 245230 has been marked as a duplicate of this bug. ***
*** Bug 200117 has been marked as a duplicate of this bug. ***
Product: MailNews → Core
*** Bug 259698 has been marked as a duplicate of this bug. ***
Attachment #151256 - Flags: review?
*** Bug 269678 has been marked as a duplicate of this bug. ***
*** Bug 256112 has been marked as a duplicate of this bug. ***
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: