273037 - RFC 822 'specials' not being properly quoted as per spec

Status: NEW

(MailNews Core :: MIME, defect)

Description

[stimits]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Mozilla allows a "display name" in memorized addresses. For one such address I
added "Jakarta: Tomcat Users". This results in sending this in the header:
To: Jakarta: Tomcat Users <tomcat-user@jakarta.apache.org>

This ended up with a javamail user telling me it crashes his software, I asked
him to check with javamail authors, who said the colon ":" is not valid in this
field, and that they would not fix this as it was a mozilla header compliance
issue. The "To" field requires screening out of non-RFC-allowed characters to
avoid crashing javamail.

Reproducible: Always
Steps to Reproduce:
1. Create an address with a display name containing a colon.
2. Send to a javamail user.

Actual Results:  
1. Crash of javamail.
2. Complaint by javamail authors.

Expected Results:  
Any "to" field should be RFC-compliant. Perhaps this is a simple URL encoding
scheme to fix, I really don't know the RFC, I'm taking the word of the javamail
authors.

I mark this as critical because it results in a denial of service for javamail
users. The crash/hang is for javamail, not for Mozilla. Although I marked this
as Linux (because I'm using Fedora Core 2), it is likely the same thing in all
platforms.

Comment 1

[stimits]

*** Bug 273036 has been marked as a duplicate of this bug. ***

Comment 2

[Grey Hodge (jX)]

I assume he's speaking about RFC 822, which states merely that : is a special,
and "must" be quoted if not being used as a delimiter. We may be not adhering to
this spec.

Regardless of it's RFC status, this is still a crasher bug for this javamail
app. I receive mails daily where the colon is not quoted, and Mozilla doesn't
crash. Nor did Eudora, Outlook or Outlook Express, Pine, nor any other mail
client I've used. It should be able to gracefully handle errors, and somethign
as simple as a colon in the TO: field line should not crash it. In fact, no
character there should crash the app. In fact, the app should never crash due to
malformed mails. That's just bad form. Blaming the user is even worse. "You
crashed this app. Don't do that again, dummy." is not the way to fix a bug.

I'm changing the subject of this bug from:
"Non-RFC-compliant "To" field crashes javamail from display name characters" to
"RFC 822 'specials' not being properly quoted as per spec"

Good luck to the javamail guys in fixing their crasher.

Comment 3

[Grey Hodge (jX)]

We're not quoting as per spec when : is used as part of a word (this is an
example: where it shoudl eb quoted like "example:"). Still shouldn't crash
anything though...

Comment 4

[neil@parkwaycc.co.uk]

According to nsMsgHeaderParser.cpp we're not quoting :s so as not to break some
systems which aren't expecting them to be quoted...

Comment 5

[Grey Hodge (jX)]

Yeah, I can't exactly say I've heard of too many clients that do this. I
actually don't know if any do it, and can't say I've ever noticed it before. I
think clients these days are generally smart enough to know what's a header and
what isn't (usually). So, Wontfix?

Comment 6

[stimits]

I agree it is dumb to not have the client gracefully handle this. Yet if it is
part of a standard, it makes sense. Otherwise standards become pointless; not
all reasons for a given standard are always obvious up front, even when we know
most of the reasons.