Closed Bug 1491755 Opened 6 years ago Closed 6 years ago

smtp AUTH PLAIN incomplete utf8 Password

Categories

(MailNews Core :: Networking: SMTP, defect)

Product:
MailNews Core
Component:
Networking: SMTP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(thunderbird_esr6062+ fixed, thunderbird63 fixed, thunderbird64 fixed)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 64.0
Tracking Flags:
Tracking Status
thunderbird_esr60 62+ fixed
thunderbird63 --- fixed
thunderbird64 --- fixed

People

(Reporter: yseckin, Assigned: infofrommozilla)

Details

Attachments

(3 files, 1 obsolete file)

TB60smtp_auth_plain_bug.png
547.42 KB, image/png
Details
TB60smtp_auth_plain_bug.pcapng
3.51 KB, application/x-pcapng
Details
Fix 'truncated password' when using AUTH PLAIN (SMTP)
1.16 KB, patch
jorgk-bmo
: review+
jorgk-bmo
: approval-comm-beta+
jorgk-bmo
: approval-comm-esr60+
Details | Diff | Splinter Review
Attached file TB60smtp_auth_plain_bug.tar (obsolete) — 
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180912143528

Steps to reproduce:

tried to authenticte with the password "1ä2a%00" the last "0" of the password will not transmit.
TLS/STARTTLS not active. The Fallback to AUTH LOGIN works. See the Wireshark sniff.


Actual results:

AUTH PLAIN will not work.


Expected results:

positive authentication

    
    

    
  


  

        Attachment #9009538 -
        Attachment is obsolete: true

    
  
Component: Untriaged → Security

    
    

    
  
Perhaps related: bug 1474314.
Component: Security → Networking: SMTP
Product: Thunderbird → MailNews Core

    
    

    
  


  
When calculating the string length, the wrong string is used.

        Attachment #9011285 -
        Flags: review?(jorgk)

    
    

    
  
Comment on attachment 9011285 [details] [diff] [review]
Fix 'truncated password' when using AUTH PLAIN (SMTP)

Thank you, Alfred!

I am very frustrated by this. Support for unicode passwords was in introduced in bug 312593 which landed exactly to the day *one* year ago. That code was reviewed by three people and no one saw the mistake:
https://hg.mozilla.org/comm-central/rev/23725f858c42#l17.61

The new unicode capability, which in fact never worked as we see here (and in bug 1493542), was advertised in the TB 57 release notes (https://www.thunderbird.net/en-US/thunderbird/57.0beta/releasenotes/). I couldn't test it since none of my mail providers accept non-ASCII passwords, so I hoped one of the complainers in bug 312593 would have tried it :-(

Then the code was touched again recently, and again, the mistake went unnoticed:
https://hg.mozilla.org/comm-central/rev/1519c2b5f8c4#l1.86
https://hg.mozilla.org/comm-central/rev/092c52d61cba#l1.17

        Attachment #9011285 -
        Flags: review?(jorgk) → review+
Assignee: nobody → infofrommozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

    
    

    
  
Comment on attachment 9011285 [details] [diff] [review]
Fix 'truncated password' when using AUTH PLAIN (SMTP)

Since we advertise working UTF-8 passwords in TB 60, they'd better be working.

        Attachment #9011285 -
        Flags: approval-comm-esr60+

        Attachment #9011285 -
        Flags: approval-comm-beta+

    
    

    
  
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/afd14a54871a
Fix 'truncated password' when using AUTH PLAIN (SMTP). r=jorgk
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 64.0

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: