defaults to plain text when Exchange AutoDiscover has misconfigured Autodiscover configuration file
Categories
(Thunderbird :: Security, defect)
Tracking
(thunderbird_esr115 wontfix, thunderbird128 fixed)
People
(Reporter: beardwen, Assigned: mkmelin)
References
Details
Attachments
(1 file)
48 bytes,
text/x-phabricator-request
|
corey
:
approval-comm-beta+
|
Details | Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Steps to reproduce:
A misconfigured Autodiscover configuration file (i.e., autodiscover.xml) where the administrator has not set the values of elements in the file according to the values defined in the specification published by Microsoft, for example, setting the value of the SSL element to "yes".
Actual results:
Thunderbird defaults to plain connection type.
Expected results:
Take a more conservative implementation that determines the connection type based on the port number.
Updated•8 months ago
|
Assignee | ||
Comment 1•8 months ago
|
||
It's possible the logic should be reversed to default to secure
https://searchfox.org/comm-central/rev/9154a515faba4ae8533e85edd2b9938bc0f361d2/mail/components/accountcreation/modules/ExchangeAutoDiscover.sys.mjs#460
Updated•7 months ago
|
Assignee | ||
Comment 2•7 months ago
|
||
Updated•7 months ago
|
Updated•7 months ago
|
Assignee | ||
Updated•7 months ago
|
Pushed by brendan@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/2305fee76be6
default to secure connection for cases of misconfigured exchange autodiscover responses. r=babolivier
Assignee | ||
Comment 4•7 months ago
|
||
Comment on attachment 9409187 [details]
Bug 1900178 - default to secure connection for cases of misconfigured exchange autodiscover responses. r=babolivier,leftmostcat
[Approval Request Comment]
User impact if declined: may use to insecure when a secure connection would have been possible
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): fairly safe
Comment 5•7 months ago
|
||
Comment on attachment 9409187 [details]
Bug 1900178 - default to secure connection for cases of misconfigured exchange autodiscover responses. r=babolivier,leftmostcat
[Triage Comment]
Approved for beta
Comment 6•7 months ago
|
||
bugherder uplift |
Thunderbird 128.0b6:
https://hg.mozilla.org/releases/comm-beta/rev/091c115e064b
Description
•