Passwords (and other highly sensitive information) should be stored in memory in classes that overwrite the memory before freeing it, and possibly prevent the memory from being swapped out while in use (platform dependent). If there is no such thing yet, we should create a class for that. What happens if an img tag src points to IMAP URL, do we retrieve the contents and send them along in a reply/forwarded message? Are there other tags that could cause this? When replying/forwarding a message we can disclose private information, like mailserver and user names? Make sure they get stripped out. Some plugins (most notably Acrobat) take over the message area which can lead to message spoofing. There should be a bug open on this, what is it? IMAP headers could cause a DOS, because our implementation wants to load them all. If there was a header exploit that caused a crash, for example, you would never be able to read your mail after that. There are no such bugs known at this time, but could the implementation be changed so that we do not always require the full header list (like when you hit stop, try to see a message, we continue downloading headers)? Verify that each message is its own domain (regardless of protocol). Disable plugins in mailnews, or make it possible to disable them in mailnews. There was discussion about that, what happened? Is there a bug number?
>Disable plugins in mailnews, or make it possible to disable them in mailnews. >There was discussion about that, what happened? Is there a bug number? In 1.3a in Advanced -> Scripts and Plugins right at the bottom is an option: Enable plugins for mail and news.
bienvenu: is there anything useful left in this bug or can we resolve it and unhide it?
Whiteboard: [sg:investigation] → [sg:audit]
(In reply to Daniel Veditz [:dveditz] from comment #2) > bienvenu: is there anything useful left in this bug or can we resolve it and > unhide it? I don't think there's anything useful left in this bug. the passwords stored in memory that's cleared after delete is not specific to imap.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.