Closed
Bug 701194
Opened 13 years ago
Closed 12 years ago
error parsing message header (like subject) with empty continuation line after it
Categories
(MailNews Core :: Backend, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 707078
People
(Reporter: geebee1970, Assigned: Bienvenu)
References
Details
(Keywords: crash, testcase)
Attachments
(1 file)
141.97 KB, text/plain
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243
Steps to reproduce:
Receiving mails from several Accounts.
Actual results:
There are many mail addresses in the subject line of the mail. They are only in the list of mails to see. These mail addresses are unknown by the sender so I am wondering why they are there???
Expected results:
Nothing
Assignee
Comment 1•13 years ago
It's a malformed mime2-encoded subject line, I believe. We shouldn't run off the end of the buffer. Interestingly, this only happens in the thread pane, not the message pane, not sure why.
Assignee
Comment 2•13 years ago
What does this have to do with SQL injection?
Comment 3•13 years ago
David: when you say "run off the end" you mean there was a crash? Were we reading the buffer or writing?
Assignee
Comment 4•13 years ago
(In reply to Daniel Veditz from comment #3)
> David: when you say "run off the end" you mean there was a crash? Were we
> reading the buffer or writing?
No crash, but I see "iiiiiiiiiiii" at the end of the subject string in the thread pane, which is not there in the original source, which makes me think the mime 2 decoding code is reading past the end of the buffer (or not null terminating its result, I suppose). I haven't debugged it yet.
Assignee
Comment 5•13 years ago
OK, I think the issue is that there's a continuation line after the subject header with just a tab on it, followed by an empty line, and while parsing the message subject, we seem to add a bit of garbage to the subject. This is in our parsing, before we mime decode the header. I'll look into it.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee
Updated•13 years ago
Assignee: nobody → dbienvenu
Assignee
Updated•13 years ago
Summary: sql injection in Subject → error parsing message subject with empty continuation line after it
Comment 6•13 years ago
Could this happen with headers other than the subject line?
Group: core-security
Assignee
Comment 7•13 years ago
Yes, pretty much any header would cause this, as long as it was the last header in the message, followed by a continuation line.
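The case described in comments 5 and 7 (a last header followed by a continuation line holding only whitespace), as an added C example that is not part of the original bug thread and is not Thunderbird's code: a simplified header unfolder that tracks an explicit buffer length and always NUL-terminates its result. The function name `unfold_value`, its signature and the sample message are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_wsp(char c) { return c == ' ' || c == '\t'; }

/* Unfold the header value starting at buf[pos]. buf holds exactly len bytes
 * and need not be NUL-terminated. Writes at most outcap-1 bytes plus a NUL
 * into out and returns the number of bytes written (hypothetical helper). */
size_t unfold_value(const char *buf, size_t len, size_t pos,
                    char *out, size_t outcap)
{
    size_t n = 0;
    if (outcap == 0) return 0;
    for (;;) {
        size_t eol = pos, end;
        while (eol < len && buf[eol] != '\n')   /* find end of line, bounded by len */
            eol++;
        end = eol;
        while (end > pos && (buf[end - 1] == '\r' || is_wsp(buf[end - 1])))
            end--;                              /* trim CR and trailing whitespace */
        while (pos < end && is_wsp(buf[pos]))
            pos++;                              /* skip the fold whitespace */
        if (pos < end) {                        /* an empty continuation adds nothing */
            size_t chunk = end - pos;
            if (n > 0 && n + 1 < outcap)
                out[n++] = ' ';                 /* join folded lines with one space */
            if (chunk > outcap - 1 - n)
                chunk = outcap - 1 - n;         /* truncate rather than overflow out */
            memcpy(out + n, buf + pos, chunk);
            n += chunk;
        }
        pos = (eol < len) ? eol + 1 : len;      /* step past '\n' if there is one */
        if (pos >= len || !is_wsp(buf[pos]))
            break;                              /* next line is not a continuation */
    }
    out[n] = '\0';                              /* always terminate the result */
    return n;
}

int main(void)
{
    /* Constructed sample: last header, tab-only continuation, blank line. */
    static const char msg[] = "Subject: hello\r\n\t\r\n\r\nbody";
    char subject[64];
    unfold_value(msg, sizeof msg - 1, 8, subject, sizeof subject);
    printf("[%s]\n", subject);
    return 0;
}
```

Passing the length separately from the pointer is what keeps the scan from continuing into whatever bytes follow the header block when the final line has no terminator.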
Comment 8•12 years ago
If this causes bug 707078 then this is topcrash
Assignee: dbienvenu → nobody
Severity: normal → critical
Component: General → Backend
Product: Thunderbird → MailNews Core
QA Contact: general → backend
Summary: error parsing message subject with empty continuation line after it → error parsing message header (like subject) with empty continuation line after it
Comment 9•12 years ago
bug 707078 still marginally a topcrash, if you sum the various crash sigs
Assignee: nobody → dbienvenu
Comment 11•12 years ago
geebee1970, do you have crash report IDs to go with this issue? See https://support.mozillamessaging.com/en-US/kb/mozilla-crash-reporter#w_viewing-crash-reports
Keywords: topcrash
Comment 12•12 years ago
This crash has been fixed by https://hg.mozilla.org/comm-central/rev/1c833d465ab7
The crasher message in comment #0 has also been checked in: https://hg.mozilla.org/comm-central/rev/cc9bb408f84e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE