Closed Bug 1900178 Opened 4 months ago Closed 3 months ago

defaults to plain text when Exchange AutoDiscover has misconfigured Autodiscover configuration file

Categories

(Thunderbird :: Security, defect)

Thunderbird 115
defect

Tracking

(thunderbird_esr115 wontfix, thunderbird128 fixed)

RESOLVED FIXED
129 Branch
Tracking Status
thunderbird_esr115 --- wontfix
thunderbird128 --- fixed

People

(Reporter: beardwen, Assigned: mkmelin)


Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36

Steps to reproduce:

A misconfigured Autodiscover configuration file (i.e., autodiscover.xml) where the administrator has not set the values of elements in the file according to the values defined in the specification published by Microsoft, for example, setting the value of the SSL element to "yes".

Actual results:

Thunderbird defaults to plain connection type.

Expected results:

Take a more conservative implementation that determines the connection type based on the port number.
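As an added illustration (not part of the original report and not Thunderbird's code), the sketch below contrasts the reported fallback with a conservative one for a single `<Protocol>` fragment. It assumes `on` and `off` are the values Microsoft's POX Autodiscover documentation defines for `SSL`, with `on` as the default when the element is absent; the function names, port sets and sample XML are hypothetical.

```javascript
// Ports conventionally upgraded with STARTTLS (POP3, IMAP, SMTP submission, SMTP).
// Everything else (993, 995, 465, or an unrecognised port) gets implicit TLS.
const STARTTLS_PORTS = new Set([110, 143, 587, 25]);

// Pull the trimmed text of one child element out of a <Protocol> fragment.
function field(xml, name) {
  const m = new RegExp(`<${name}>\\s*([^<]*?)\\s*</${name}>`, "i").exec(xml);
  return m ? m[1] : null;
}

// Models the behaviour the report describes: any value outside the
// lookup table ("yes", "true", a typo) silently becomes plain text.
function naiveSocketType(protocolXml) {
  const table = new Map([["on", "SSL"], ["off", "plain"]]);
  return table.get(field(protocolXml, "SSL")) ?? "plain";
}

// Conservative variant: only an explicit "off" yields plain text.
// Absent or unrecognised values are treated as "secure" and the
// port number decides between implicit TLS and STARTTLS.
function conservativeSocketType(protocolXml) {
  const raw = field(protocolXml, "SSL");
  const ssl = raw === null ? "on" : raw.toLowerCase();
  if (ssl === "off") {
    return "plain";
  }
  const port = Number(field(protocolXml, "Port"));
  return STARTTLS_PORTS.has(port) ? "STARTTLS" : "SSL";
}

// Constructed sample: an administrator wrote "yes" instead of "on".
const SAMPLE_MISCONFIGURED =
  "<Protocol><Type>IMAP</Type><Server>mail.example.test</Server>" +
  "<Port>993</Port><SSL>yes</SSL></Protocol>";

console.log(naiveSocketType(SAMPLE_MISCONFIGURED));        // downgraded
console.log(conservativeSocketType(SAMPLE_MISCONFIGURED)); // stays secure
```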

Group: mail-core-security
Summary: Plain default when Exchange AutoDiscover fails → defaults to plain text when Exchange AutoDiscover has misconfigured Autodiscover configuration file
Version: unspecified → Thunderbird 115
See Also: → 1904274
Assignee: nobody → mkmelin+mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9409187 - Attachment description: Bug 1900178 - default to secure connection for cases of misconfigured exchange autodicover responses. r=babolivier,leftmostcat → Bug 1900178 - default to secure connection for cases of misconfigured exchange autodiscover responses. r=babolivier,leftmostcat
Target Milestone: --- → 129 Branch

Pushed by brendan@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/2305fee76be6
default to secure connection for cases of misconfigured exchange autodiscover responses. r=babolivier

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED

Comment on attachment 9409187 [details]
Bug 1900178 - default to secure connection for cases of misconfigured exchange autodiscover responses. r=babolivier,leftmostcat

[Approval Request Comment]
User impact if declined: may use an insecure connection when a secure connection would have been possible
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): fairly safe

Attachment #9409187 - Flags: approval-comm-beta?

Comment on attachment 9409187 [details]
Bug 1900178 - default to secure connection for cases of misconfigured exchange autodiscover responses. r=babolivier,leftmostcat

[Triage Comment]
Approved for beta

Attachment #9409187 - Flags: approval-comm-beta? → approval-comm-beta+
Duplicate of this bug: 1904274