Created attachment 573321
mail2

User Agent: Mozilla/5.0 (Windows NT 6.0; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:
Receiving mails from several accounts.

Actual results:
There are many mail addresses in the subject line of the mail. They are only visible in the list of mails. These mail addresses are unknown to the sender, so I am wondering why they are there.

Expected results:
Nothing
it's a malformed mime2-encoded subject line, I believe. We shouldn't run off the end of the buffer. Interestingly, this only happens in the thread pane, not the message pane, not sure why.
what does this have to do with sql injection?
David: when you say "run off the end" you mean there was a crash? Were we reading the buffer or writing?
(In reply to Daniel Veditz from comment #3) > David: when you say "run off the end" you mean there was a crash? Were we > reading the buffer or writing? No crash, but I see "iiiiiiiiiiii" at the end of the subject string in the thread pane, which is not there in the original source, which makes me think the mime 2 decoding code is reading past the end of the buffer (or not null terminating its result, I suppose). I haven't debugged it yet.
OK, I think the issue is that there's a continuation line after the subject header with just a tab on it, followed by an empty line, and while parsing the message subject, we seem to add a bit of garbage to the subject. This is in our parsing, before we mime decode the header. I'll look into it.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: sql injection in Subject → error parsing message subject with empty continuation line after it
Could this happen with headers other than the subject line?
Yes, pretty much any header would cause this, as long as it was the last header in the message, followed by a continuation line.
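As an added illustration of the parsing step discussed in the two comments above (this is example code written for this page, not the MailNews Core header parser, and the sample messages are constructed rather than the reporter's attachment): a bounds-checked RFC 5322 header unfolder in C. It treats a continuation line that holds only whitespace as an empty fold, so a tab-only line after the last header adds nothing to the value, and a message whose buffer ends in the middle of a fold cannot cause a read past the end. The separate walker shows that the blank line ending the header block is still found at the right offset, so the body is not swallowed into the last header.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bytes of line terminator at buf[i]: 2 for CRLF, 1 for bare LF, 0 if none. */
static size_t eol_len(const char *buf, size_t len, size_t i)
{
    if (i < len && buf[i] == '\n') return 1;
    if (i + 1 < len && buf[i] == '\r' && buf[i + 1] == '\n') return 2;
    return 0;
}

static int is_wsp(char c) { return c == ' ' || c == '\t'; }

/*
 * Unfold the logical header line starting at buf[pos]. A physical line is a
 * continuation when it begins with SP or HTAB. Folding whitespace collapses
 * to one space; a continuation line holding only whitespace contributes
 * nothing, so neither garbage nor a trailing blank is appended. Every access
 * is checked against `len`, and `out` is always NUL-terminated (the value is
 * truncated to fit). Returns the bytes consumed, including the terminator of
 * the last physical line, or 0 when pos >= len.
 */
size_t unfold_header(const char *buf, size_t len, size_t pos,
                     char *out, size_t outsz)
{
    size_t i = pos, o = 0;

    while (i < len) {
        size_t eol = eol_len(buf, len, i);
        if (eol == 0) {
            if (o + 1 < outsz) out[o++] = buf[i];
            i++;
            continue;
        }
        i += eol;                               /* end of a physical line */
        if (i >= len || !is_wsp(buf[i])) break; /* next line is not a fold */
        while (i < len && is_wsp(buf[i])) i++;  /* swallow folding whitespace */
        /* Emit a separator only if the continuation line has real content. */
        if (i < len && eol_len(buf, len, i) == 0 && o + 1 < outsz) out[o++] = ' ';
    }
    if (outsz) out[o] = '\0';
    return i - pos;
}

/*
 * Walk a header block, unfolding each header until the blank line that ends
 * it (or the end of the buffer). Returns the header count and stores the
 * body offset (== len when there is no blank line).
 */
size_t count_headers(const char *buf, size_t len, size_t *body_off)
{
    size_t pos = 0, n = 0;
    char value[512];

    while (pos < len) {
        size_t eol = eol_len(buf, len, pos);
        if (eol) { pos += eol; break; }         /* blank line: end of headers */
        size_t used = unfold_header(buf, len, pos, value, sizeof value);
        if (used == 0) break;
        pos += used;
        n++;
    }
    if (body_off) *body_off = pos;
    return n;
}

/* Constructed samples (assumed inputs, not the attachment from the report). */
static const char MSG_EMPTY_FOLD[] =
    "From: a@example.org\r\n"
    "Subject: hello\r\n"
    "\t\r\n"                       /* continuation line containing only a tab */
    "\r\n"
    "body text\r\n";
static const char MSG_TRUNCATED[]   = "Subject: x\r\n\t";        /* ends mid-fold */
static const char MSG_NORMAL_FOLD[] = "Subject: a\r\n b\r\n\r\n";

/* Unfold the header at `pos` of a NUL-terminated message and compare both the
 * value and the byte count against expectations; returns 1 on match. */
int unfold_matches(const char *msg, size_t pos, const char *expect,
                   size_t expect_used)
{
    char out[256];
    size_t used = unfold_header(msg, strlen(msg), pos, out, sizeof out);
    return used == expect_used && strcmp(out, expect) == 0;
}

/* Offset of the body in a NUL-terminated message (strlen if no blank line). */
size_t body_offset(const char *msg)
{
    size_t off;
    count_headers(msg, strlen(msg), &off);
    return off;
}

int main(void)
{
    size_t body, n = count_headers(MSG_EMPTY_FOLD, strlen(MSG_EMPTY_FOLD), &body);
    char subj[256];
    unfold_header(MSG_EMPTY_FOLD, strlen(MSG_EMPTY_FOLD), 21, subj, sizeof subj);
    printf("%zu headers, body at offset %zu, subject=\"%s\"\n", n, body, subj);
    return 0;
}
```

The point to carry over from the example is the separator rule: a fold is only "real" once the continuation line has a non-whitespace byte, and every lookahead after a terminator is guarded by `len`, so a message that ends on a lone tab is handled the same way as one followed by a blank line.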
If this causes bug 707078 then this is a topcrash
Assignee: dbienvenu → nobody
Severity: normal → critical
Component: General → Backend
Keywords: crash, topcrash
Product: Thunderbird → MailNews Core
QA Contact: general → backend
Summary: error parsing message subject with empty continuation line after it → error parsing message header (like subject) with empty continuation line after it
bug 707078 is still marginally a topcrash, if you sum the various crash sigs
Assignee: nobody → dbienvenu
Makoto Kato, can you take a look at this?
geebee1970, do you have crash report IDs to go with this issue? see https://support.mozillamessaging.com/en-US/kb/mozilla-crash-reporter#w_viewing-crash-reports
This crash has been fixed by https://hg.mozilla.org/comm-central/rev/1c833d465ab7. The crasher message in comment #0 has also been checked in: https://hg.mozilla.org/comm-central/rev/cc9bb408f84e
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 707078