error parsing message header (like subject) with empty continuation line after it

Status: RESOLVED DUPLICATE of bug 707078
Product: MailNews Core
Component: Backend
Severity: critical
Reported: 6 years ago
Modified: 4 years ago

People: Reporter: geebee1970, Assigned: Bienvenu

Tracking: keywords crash, testcase; platform x86, Windows Vista

Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment (141.97 KB, text/plain)
(Reporter)

Description

6 years ago
Created attachment 573321: mail2

User Agent: Mozilla/5.0 (Windows NT 6.0; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

Receiving mails from several accounts.


Actual results:

There are many mail addresses in the subject line of the mail. They are only visible in the list of mails. These mail addresses are unknown to the sender, so I am wondering why they are there???


Expected results:

Nothing
(Assignee)

Comment 1

6 years ago
it's a malformed mime2-encoded subject line, I believe. We shouldn't run off the end of the buffer. Interestingly, this only happens in the thread pane, not the message pane, not sure why.
(Assignee)

Comment 2

6 years ago
what does this have to do with sql injection?

Comment 3 (Daniel Veditz)

6 years ago
David: when you say "run off the end" you mean there was a crash? Were we reading the buffer or writing?
(Assignee)

Comment 4

6 years ago
(In reply to Daniel Veditz from comment #3)
> David: when you say "run off the end" you mean there was a crash? Were we
> reading the buffer or writing?

No crash, but I see "iiiiiiiiiiii" at the end of the subject string in the thread pane, which is not there in the original source, which makes me think the mime 2 decoding code is reading past the end of the buffer (or not null terminating its result, I suppose). I haven't debugged it yet.
(Assignee)

Comment 5

6 years ago
OK, I think the issue is that there's a continuation line after the subject header with just a tab on it, followed by an empty line, and while parsing the message subject, we seem to add a bit of garbage to the subject. This is in our parsing, before we mime decode the header. I'll look into it.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Updated

6 years ago
Assignee: nobody → dbienvenu
(Assignee)

Updated

6 years ago
Summary: sql injection in Subject → error parsing message subject with empty continuation line after it

Comment 6

6 years ago
Could this happen with headers other than the subject line?
Group: core-security
(Assignee)

Comment 7

6 years ago
Yes, pretty much any header would cause this, as long as it was the last header in the message, followed by a continuation line.

Comment 8

6 years ago
If this causes bug 707078 then this is topcrash
Assignee: dbienvenu → nobody
Severity: normal → critical
Component: General → Backend
Keywords: crash, topcrash
Product: Thunderbird → MailNews Core
QA Contact: general → backend
Summary: error parsing message subject with empty continuation line after it → error parsing message header (like subject) with empty continuation line after it

Comment 9

6 years ago
bug 707078 still marginally a topcrash, if you sum the various crash sigs
Assignee: nobody → dbienvenu

Comment 10

6 years ago
Makoto Kato, can you take a look at this?
Keywords: testcase

Comment 11

6 years ago
geebee1970, do you have crash report IDs to go with this issue?
see https://support.mozillamessaging.com/en-US/kb/mozilla-crash-reporter#w_viewing-crash-reports
Keywords: topcrash

Comment 12

6 years ago
This crash has been fixed by https://hg.mozilla.org/comm-central/rev/1c833d465ab7

The crasher message in comment #0 has also been checked in: https://hg.mozilla.org/comm-central/rev/cc9bb408f84e
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 707078

Updated

4 years ago
Duplicate of this bug: 706813