Summary | Message option "Show All Headers" causes error |
Queue | IMP |
Queue Version | 4.3.3 |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | Horde Developers (at) , slusarz (at) horde (dot) org |
Requester | mtecles (at) biof (dot) ufrj (dot) br |
Created | 02/01/2009 (5999 days ago) |
Due | |
Updated | 01/12/2010 (5654 days ago) |
Assigned | 02/17/2009 (5983 days ago) |
Resolved | 02/23/2009 (5977 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
Bug #7926: Fix URL escapinghttp://git.horde.org/diff.php/imp/message.php?rt=horde-git&r1=bd397c0db622da9eeb9859ce9c112dca19d3a4b2&r2=0f7499464586494165c1ebae472bf1b812c83c4d
Bug #7926: Fix [un]escaping of URLshttp://git.horde.org/diff.php/imp/docs/CHANGES?rt=horde-git&r1=a97cf3d0875a23ab5e05aee1f7b13793d4f7a4a0&r2=5f9f6c660f8576cd79308caabcca45bf5eed9f6e
http://git.horde.org/diff.php/imp/pgp.php?rt=horde-git&r1=d06f5dbc9d3a8328b25ce2f866ab6b5fedcb66b9&r2=5f9f6c660f8576cd79308caabcca45bf5eed9f6e
http://git.horde.org/diff.php/imp/smime.php?rt=horde-git&r1=d06f5dbc9d3a8328b25ce2f866ab6b5fedcb66b9&r2=5f9f6c660f8576cd79308caabcca45bf5eed9f6e
Bug #7926: Make sure we decode before re-encoding.http://git.horde.org/diff.php/imp/pgp.php?rt=horde-git&r1=ee6ff322e0a8a5aa91dbffd0bda962ce51427d03&r2=7ed72077f83a9ecb54f92e92afb2aff87b40a414
http://git.horde.org/diff.php/imp/smime.php?rt=horde-git&r1=ee6ff322e0a8a5aa91dbffd0bda962ce51427d03&r2=7ed72077f83a9ecb54f92e92afb2aff87b40a414
pasted, so something's manipulating it and subsequently going nutz.
screen. Here's the URL:
http://bugs.horde.org/h/services/download/?module=whups&actionID=download_file&file=imp_bug7926.patch&ticket=7926&fn=%2Fimp_bug7926.patch
BTW, the first time I submitted this reply, I got the following error:
Fatal error: Uncaught exception 'Horde_Mime_Exception' with message
'Validation failed for: amg1127@cefetrs.tche.br <@>' in
/var/www/dev.horde.org/horde-git/framework/Mime/lib/Horde/Mime/Address.php:390
Stack trace: #0
/var/www/dev.horde.org/horde/whups/lib/Driver.php(443):
Horde_Mime_Address::parseAddressList('amg1127@cefetrs...')
#1/var/www/dev.horde.org/horde/whups/lib/Ticket.php(791):
Whups_Driver->mail('7926', Array, 'Re: Message opt...', 'DO NOT REPLY
TO...', '-53650_transact...', false, '32', false)
#2/var/www/dev.horde.org/horde/whups/lib/Ticket.php(416):
Whups_Ticket->notify('-53650_transact...', false)
#3/var/www/dev.horde.org/horde/whups/ticket/comment.php(66):
Whups_Ticket->commit()
#4{main} thrown in/var/www/dev.horde.org/horde-git/framework/Mime/lib/Horde/Mime/Address.php on
line 390
thanks!
can all be found in this ticket, however.
blank screen. Here's the URL:
http://bugs.horde.org/h/services/download/?module=whups&actionID=download_file&file=imp_bug7926.patch&ticket=7926&fn=%2Fimp_bug7926.patch
thanks!
can all be found in this ticket, however.
bug 7926...VoilĂ ...
Ivan
New Attachment: imp_bug7926.patch
bug 7926...VoilĂ ...
Ivan
thanks!
all be found in this ticket, however.
thanks!
thanks!
code or potential future code? Because for current code, the only
reason the html-entity detection (&) detection is in there is to
allow successive calls to Util::addParameter() rather than any kind
of security checking.
if you expect URLs to be encoded, but based on user input, they might
not be, that's a problem.
through potentially unencoded data, but we also have this encoding
detection that tries to see if a URL is already html-entity encoded.
Do you see any way to reconcile that?
or potential future code? Because for current code, the only reason
the html-entity detection (&) detection is in there is to allow
successive calls to Util::addParameter() rather than any kind of
security checking.
Priority ⇒ 2. Medium
State ⇒ Feedback
Taken from Chuck Hagenbuch
through potentially unencoded data, but we also have this encoding
detection that tries to see if a URL is already html-entity encoded.
Do you see any way to reconcile that?
superfluous one in an URL and it will skip the htmlentities() call.
http://cvs.horde.org/co.php/framework/View/lib/Horde/View/Helper/Url.php?r=ccfd50278baa306abee1acd1b310a168f8ae4925) would
work
instead?
theoretically, we really shouldn't be "fixing" double escaped
parameters when parsing a URL from form data. If double escaped
parameters exist at that point, either the generating code is broken
and should be fixed or something fishy is occurring. It might be best
to ignore those URLs completely and throw an exception or error rather
than trying to magically fix it.
http://cvs.horde.org/diff.php/imp/message.php?rt=horde&r1=2.560.4.60&r2=2.560.4.61&ty=u
superfluous one in an URL and it will skip the htmlentities() call.
http://cvs.horde.org/co.php/framework/View/lib/Horde/View/Helper/Url.php?r=ccfd50278baa306abee1acd1b310a168f8ae4925) would work
instead?
http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.380&r2=1.699.2.381&ty=u
http://cvs.horde.org/diff.php/imp/lib/Crypt/PGP.php?rt=horde&r1=1.90.2.23&r2=1.90.2.24&ty=u
http://cvs.horde.org/diff.php/imp/lib/Crypt/SMIME.php?rt=horde&r1=1.45.2.23&r2=1.45.2.24&ty=u
http://cvs.horde.org/diff.php/imp/pgp.php?rt=horde&r1=2.79.6.20&r2=2.79.6.21&ty=u
http://cvs.horde.org/diff.php/imp/smime.php?rt=horde&r1=2.48.4.15&r2=2.48.4.16&ty=u
unfortunately the pgp issue isn't fixed. I still get the same
behaviour. you'd like to have additional infos?
State ⇒ Feedback
superfluous one in an URL and it will skip the htmlentities() call.
So, instead use the same html_entity_decode/htmlspecialchars trick
that we do in pgp.php and smime.php. Quick tests done tonigh seems to
indicate that it is working.
http://cvs.horde.org/diff.php/imp/message.php?rt=horde&r1=2.560.4.59&r2=2.560.4.60&ty=u
Priority ⇒ 3. High
http://cvs.horde.org/diff.php/imp/pgp.php?rt=horde&r1=2.79.6.19&r2=2.79.6.20&ty=u
http://cvs.horde.org/diff.php/imp/smime.php?rt=horde&r1=2.48.4.14&r2=2.48.4.15&ty=u
bug #6834for mention of a similar issue in pgp.php and smime.php fromthe same set of escaping changes.
to false; in selfUrl, Horde::url() is called with $full = false; and
the URL will necessarily have '&' param separators, instead of '&'
separators so htmlentities() will be called on the generated URL at
the bottom of url(). Thus, anything appearing in the URL will/should
be escaped.
at Horde::url(), at the very bottom of the function, couldn't you
trick it into not encoding the URL by passing & for one parameter,
and raw data in another?
htmlspecialchars(html_entity_decode(Util::getFormData('reload')))
instead of htmlspecialchars(Util::getFormData('reload')) (we use the
former elsewhere in that file). Looks like we aren't doing the
html_entity_decode() call in pgp.php in either place we are
processing 'reload' form data, so we should probably be doing that.
Horde::selfUrl() can contain raw query parameters, so those need to
be escaped somewhere along the way. I didn't see that happening
already, but if it is, then yes, the commits are irrelevant (and
incorrect).
to false; in selfUrl, Horde::url() is called with $full = false; and
the URL will necessarily have '&' param separators, instead of '&'
separators so htmlentities() will be called on the generated URL at
the bottom of url(). Thus, anything appearing in the URL will/should
be escaped.
As for smime.php, we should probably use
htmlspecialchars(html_entity_decode(Util::getFormData('reload')))
instead of htmlspecialchars(Util::getFormData('reload')) (we use the
former elsewhere in that file). Looks like we aren't doing the
html_entity_decode() call in pgp.php in either place we are processing
'reload' form data, so we should probably be doing that.
Does any of this sound sane/rational/correct?
can contain raw query parameters, so those need to be escaped
somewhere along the way. I didn't see that happening already, but if
it is, then yes, the commits are irrelevant (and incorrect).
happening in the Util::removeParameter() call not correctly
determining whether the url is already encoded.
htmlencoded and the & separator is also htmlencoded. Then, for some
reason, we are calling htmlspecialchars() again when injecting into
the template object.
So I guess I don't understand what this commit is trying to protect against:
-----
fix some unescaped output
Revision Changes Path
1.699.2.375 +2 -0 imp/docs/CHANGES
2.560.4.58 +6 -6 imp/message.php
2.79.6.19 +3 -3 imp/pgp.php
2.48.4.14 +3 -3 imp/smime.php
Chora Links:
http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.374&r2=1.699.2.375&ty=u
http://cvs.horde.org/diff.php/imp/message.php?rt=horde&r1=2.560.4.57&r2=2.560.4.58&ty=u
http://cvs.horde.org/diff.php/imp/pgp.php?rt=horde&r1=2.79.6.18&r2=2.79.6.19&ty=u
http://cvs.horde.org/diff.php/imp/smime.php?rt=horde&r1=2.48.4.13&r2=2.48.4.14&ty=u
-----
Removing those htmlspecialchars() calls fixes things. This is *not*
the false positive security vulnerability that Gunnar reported
(QUERY_STRING data is irrelevant for purposes of Horde_Template
evaluation).
Sorry if I didn't catch this previously - I've been up in the
mountains a bunch the past few weeks and haven't had a bunch of time
to peruse list traffic.
happening in the Util::removeParameter() call not correctly
determining whether the url is already encoded.
Assigned to Michael Slusarz
Assigned to
State ⇒ Assigned
Priority ⇒ 1. Low
State ⇒ Unconfirmed
New Attachment: Re___horde__problem_with_showing_the_mail-headers.eml
Patch ⇒ No
Milestone ⇒
Queue ⇒ IMP
Type ⇒ Bug
Summary ⇒ Message option "Show All Headers" causes error
upgraded IMP to 4.3.3. Opening a message, clicking "Show All Headers"
it falls back to INBOX with the error "Requested message not found.".