Closed Bug 1696052 Opened 2 years ago Closed 2 years ago

File Attach Bug if Anchor Tag with data-URI is used in HTML Mail

Categories

(Thunderbird :: Message Compose Window, defect)

Tracking

(thunderbird_esr78 fixed, thunderbird87 fixed)

RESOLVED FIXED
88 Branch
Tracking Status
thunderbird_esr78 --- fixed
thunderbird87 --- fixed

People

(Reporter: github, Assigned: rnons)

Details

Attachments

(4 files)

Attached file lh20210004.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36

Steps to reproduce:

  1. Create new mail
  2. Insert HTML anchor as follows: <a href=data:1>test</a>


  3. Submit mail and observe the following error:

Actual results:

If an HTML mail includes an anchor tag with href=data:1, Thunderbird apparently tries to attach a file to the mail to which it does not have access.

Expected results:

There should not be any file access if an anchor tag is received in this manner.

I believe it's only the message that's misleading... the send code always just uses data it already got.
But, I can confirm sending fails also on trunk (with the new backend). There's an error in the console and the send button isn't getting re-enabled.

Ping, can you take a look? A bad uri in the message shouldn't prevent sending.

Assignee: nobody → remotenonsense
Group: mail-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Message Compose Window
Ever confirmed: true
Status: NEW → ASSIGNED
Target Milestone: --- → 88 Branch

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/0f69f1f035e6
Fix sending anchor tag with invalid data uri. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
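
The requirement stated above, that a bad URI in the message must not prevent sending, shown as an added example. This is not Thunderbird's code and not the patch from this bug. The function names, the regex-based attribute scan and the sample HTML are assumptions made for illustration. The check follows RFC 2397, under which `data:1` is malformed because the comma separator is missing.

```javascript
// Hypothetical helpers (not Thunderbird APIs).
// RFC 2397: data:[<mediatype>][;base64],<data>  -- the comma is mandatory.
function parseDataUri(uri) {
  const m = /^data:([^,]*),(.*)$/is.exec(uri.trim());
  if (!m) return null;                          // "data:1" ends up here
  let meta = m[1];
  const isBase64 = /;base64$/i.test(meta);
  if (isBase64) meta = meta.slice(0, -";base64".length);
  const mediaType = meta || "text/plain;charset=US-ASCII"; // RFC 2397 default
  const payload = m[2];
  if (isBase64) {
    const b64 = payload.replace(/\s+/g, "");
    // Buffer.from() silently ignores bad base64, so validate explicitly.
    if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) return null;
    return { mediaType, bytes: Buffer.from(b64, "base64") };
  }
  if (/%(?![0-9a-f]{2})/i.test(payload)) return null;     // broken %-escape
  const bytes = [];
  for (let i = 0; i < payload.length; i++) {
    if (payload[i] === "%") {
      bytes.push(parseInt(payload.slice(i + 1, i + 3), 16));
      i += 2;
    } else {
      bytes.push(payload.charCodeAt(i) & 0xff);
    }
  }
  return { mediaType, bytes: Buffer.from(bytes) };
}

// Walk href/src attributes (simplified scan, assumption) and sort data: URIs
// into decodable parts and skipped ones. Nothing here throws, so a malformed
// URI is left in the body as plain text instead of aborting the caller.
function collectDataUriParts(html) {
  const attr = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const parts = [], skipped = [];
  for (const m of html.matchAll(attr)) {
    const value = m[1] ?? m[2] ?? m[3];
    if (!/^\s*data:/i.test(value)) continue;    // not a data: URI, ignore
    const parsed = parseDataUri(value);
    if (parsed) parts.push(parsed); else skipped.push(value);
  }
  return { parts, skipped };
}

// Constructed sample: the anchor from the steps to reproduce plus two valid URIs.
const SAMPLE_HTML = `<a href=data:1>test</a>` +
  `<img src="data:text/plain;base64,aGk="><a href='data:,a%20b'>x</a>`;
console.log(collectDataUriParts(SAMPLE_HTML).skipped);
```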

Rebased to beta, only conflict was all-thunderbird.js.

Attachment #9207357 - Flags: review+

Rebased to esr78, picked only changes to nsMsgSend.cpp and test.

Attachment #9207358 - Flags: review+

Comment on attachment 9207357 [details] [diff] [review]
1696052-beta.patch

[Approval Request Comment]
Regression caused by (bug #): bug 1211292
User impact if declined: Unable to send message containing anchor tag with invalid data uri
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9207357 - Flags: approval-comm-beta?

Comment on attachment 9207358 [details] [diff] [review]
1696052-esr78.patch

[Approval Request Comment]
Regression caused by (bug #): Implemented like this years ago.
User impact if declined: Unable to send message containing anchor tag with invalid data uri
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9207358 - Flags: approval-comm-esr78?

Comment on attachment 9207358 [details] [diff] [review]
1696052-esr78.patch

[Triage Comment]
Approved for beta

Attachment #9207358 - Flags: approval-comm-esr78? → approval-comm-esr78+

Comment on attachment 9207357 [details] [diff] [review]
1696052-beta.patch

[Triage Comment]
really approving for beta

Attachment #9207357 - Flags: approval-comm-beta? → approval-comm-beta+