Thunderbird not responding after viewing spam mail with thousands of links
Categories
(Thunderbird :: Security, defect, P2)
People
(Reporter: kai.lepper, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 OPR/70.0.3728.119
Steps to reproduce:
Hello,
I use version 68.11.0 (32-bit) on Windows. As soon as I open and view the attached email, Thunderbird is not responding. I did some testing myself and found out that, to crash it, it is required to view the mail in pure text. Viewing the mail in HTML is not crashing. I did append the HTML part of the mail and stripped the header for privacy reasons; let me know if this is enough to reproduce.
Actual results:
app not responding
Expected results:
app responding
Comment 2•4 years ago
I can confirm loading attachment 9171971 [details] with plain text mode will hang Thunderbird (tested on 82/trunk).
Comment 3•4 years ago
(In reply to Magnus Melin [:mkmelin] from comment #2)
> I can confirm loading attachment 9171971 [details] with plain text mode will hang Thunderbird (tested on 82/trunk).
Note, the message has 15k http links and 22k https - it's inevitable that it would hang. Pretty sure that would mean it's a duplicate.
Comment 5•7 months ago
Well, this is a denial-of-service vector.
I think this is more than just a speed issue.
I think it would be good to discuss potential mitigations.
Could we perform an analysis, and based on certain statistical aspects of an email, conclude that it likely cannot be rendered well, and consider using an alternative display?
Could we say "this email is too big to display properly", and rather offer to let the user download the email contents in some other form, e.g. as a text file?
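
A sketch of the kind of pre-render analysis proposed in comment 5, as an added example that is not Thunderbird code and not from any commenter. The function names, mode strings and limits are hypothetical; the sample body is constructed to match the link counts quoted in comment 3.

```javascript
// Hypothetical limits; real values would need measurement.
const LIMITS = {
  maxLinkifiedUrls: 2000,  // above this, show text without clickable links
  maxBodyChars: 5000000,   // above this, offer the body as a download
};

// Count "http://" and "https://" markers in one linear pass, with no regex.
// Stops as soon as `cap` is exceeded, so the check itself stays cheap
// even on a hostile message.
function countUrlMarkers(text, cap) {
  let count = 0;
  let pos = 0;
  while (count <= cap) {
    const hit = text.indexOf("http", pos);
    if (hit === -1) break;
    // Skip an optional "s" so both schemes are accepted.
    const rest = text.startsWith("s", hit + 4) ? hit + 5 : hit + 4;
    if (text.startsWith("://", rest)) count++;
    pos = hit + 4;
  }
  return count;
}

// Decide how to display a plain-text body before any link conversion runs.
function chooseDisplayMode(text, limits = LIMITS) {
  if (text.length > limits.maxBodyChars) {
    return { mode: "offer-download", urls: null };
  }
  const urls = countUrlMarkers(text, limits.maxLinkifiedUrls);
  if (urls > limits.maxLinkifiedUrls) {
    return { mode: "plain-no-links", urls };
  }
  return { mode: "linkify", urls };
}

// Constructed sample: 15k http and 22k https links, as in comment 3.
function buildSampleBody() {
  const parts = [];
  for (let i = 0; i < 15000; i++) parts.push(`http://a.example/${i}`);
  for (let i = 0; i < 22000; i++) parts.push(`https://b.example/${i}`);
  return parts.join(" ");
}
```

Because the counter exits at the cap, the triage cost is bounded by the limit rather than by the attacker-chosen number of links.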