Incorrect Parsing From-Address with a comma iso Encoded - replying will answer to TWO addresses - one wrong

RESOLVED DUPLICATE of bug 254519

Status

Thunderbird
General
10 years ago
10 years ago

People

(Reporter: Stefan Freisei Mühlbacher, Unassigned)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: Version 2.0.0.14 (20080421)

Code from Source

--- snip ---
From: =?iso-8859-1?Q?M=F6ller=2C_Angelika?= <Moeller@XXXXXXXXXXX.de>
To: =?iso-8859-1?B?SuRrZWw=?= <jaekel@XXXXXXXXXX.de>
--- snap ---

is shown as you can see in Screenshot http://xp8.de/TB-BugIsoFrom.png.

I think it's a problem of the "=2C_" string in the iso-encoded from-string.


Reproducible: Always

Steps to Reproduce:
1. a "from" in an email client that produces this: From: =?iso-8859-1?Q?M=F6ller=2C_Angelika?= <Moeller@XXXXXXXXXXX.de>
2. send the mail
3. receive and open it in Thunderbird
4. you will see TWO "from"s
5. reply
6. you will see that Thunderbird replies to both addresses

Actual Results:  
see that Thunderbird replies to both addresses
a) Möller
b) Angelika <Moeller@XXXXXXXXXX.de>


Expected Results:  
reply to
"Angelika, Möller" <Moeller@XXXXXXXXXX.de>

Could be a security problem - if I write a mail with a spurious sender, that results in replying the mail to the original sender AND to the attacker.
(Reporter)

Comment 1

10 years ago
Created attachment 322731 [details]
Screenshot of Message Header in TB 2.0.0.14
The mail spec, at least old RFC 822, allows multiple authors to be listed in From headers. I'll leave this for the mail guys to determine if we're treating this case correctly, but I don't see how it could be a security issue.
Group: core-security

Comment 3

10 years ago
This is bug 254519.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 254519
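
The ordering issue behind the reported behaviour, as an added example (not Thunderbird's code and not posted in this bug): if RFC 2047 encoded-words are decoded before the header is split into addresses, the decoded `=2C` comma is read as an address separator, while splitting first and decoding each display name afterwards keeps one sender. It uses Python's standard `email` package; the `example.invalid` address and the function names are constructed for illustration.

```python
from email.header import decode_header, make_header
from email.utils import getaddresses

# Constructed sample modelled on the report; the domain is a placeholder.
RAW_FROM = "=?iso-8859-1?Q?M=F6ller=2C_Angelika?= <moeller@example.invalid>"


def decode_words(value):
    """Decode RFC 2047 encoded-words in a header fragment to text."""
    return str(make_header(decode_header(value)))


def decode_then_parse(raw):
    """Wrong order: the decoded comma is read as an address separator."""
    return getaddresses([decode_words(raw)])


def parse_then_decode(raw):
    """Right order: split on structural commas first, then decode each name."""
    return [(decode_words(name), addr) for name, addr in getaddresses([raw])]


def decoding_changes_recipients(raw):
    """Flag headers whose reply targets depend on the parsing order."""
    wrong = [addr for _, addr in decode_then_parse(raw)]
    right = [addr for _, addr in parse_then_decode(raw)]
    return wrong != right


if __name__ == "__main__":
    print("decode, then parse:", decode_then_parse(RAW_FROM))
    print("parse, then decode:", parse_then_decode(RAW_FROM))
    print("order-dependent:   ", decoding_changes_recipients(RAW_FROM))
```

A mail filter or test suite can use a check like `decoding_changes_recipients` to flag headers whose encoded display name hides a separator.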