Posted to notifications@james.apache.org by GitBox <gi...@apache.org> on 2022/03/15 04:09:26 UTC

[GitHub] [james-project] chibenwa opened a new pull request #919: JAMES-1862 Fix several issues with STARTTLS command injection detection

chibenwa opened a new pull request #919:
URL: https://github.com/apache/james-project/pull/919


    - A race condition between the framing handler and the processing handler allows concurrency-based man-in-the-middle attacks that lead to command injection.
    - Bad sanitizing of IMAP tags allows crafting an input that bypasses STARTTLS command detection.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org
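The two bullets in the pull request description both come down to the STARTTLS detector and the command processor disagreeing about which bytes are in flight. Here is an added example, written for this page and not code from Apache James or from the pull request, of what such a detector has to get right: it inspects the raw read buffer before any line framing, so that a frame decoder cannot already be holding a second plaintext line when STARTTLS is accepted, and it validates IMAP tags against the RFC 3501 tag grammar rather than a looser approximation, so that it recognises exactly the lines a conforming command parser would execute. The `naive_detect` function, the `Verdict` type and the sample buffers are my own illustrations of the general failure mode (plaintext pipelined after STARTTLS in the same read), not a reproduction of the James bug or of the original code.

```python
"""STARTTLS command injection detection, checked at the raw read-buffer level.

Added example: not Apache James code. Sample buffers are constructed inline.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"

# IMAP tag grammar (RFC 3501): 1*<ASTRING-CHAR except "+">. ASTRING-CHAR
# excludes CTL, SP, non-ASCII and ( ) { % * " \ ; the "]" character is allowed.
IMAP_TAG = re.compile(rb'[^\x00-\x20\x7f-\xff()\{%*"\\+]+')


@dataclass(frozen=True)
class Verdict:
    starttls: bool   # first line is a well-formed STARTTLS command we may honour
    injected: bytes  # plaintext that arrived in the same read after that line
    reason: str


def _first_line(buffer: bytes) -> Tuple[Optional[bytes], bytes]:
    """Split buffer into (first CRLF-terminated line without CRLF, remainder)."""
    idx = buffer.find(CRLF)
    if idx < 0:
        return None, buffer
    return buffer[:idx], buffer[idx + len(CRLF):]


def smtp_is_starttls(line: bytes) -> bool:
    """RFC 3207: the command is exactly STARTTLS, case-insensitive, no parameters."""
    return line.upper() == b"STARTTLS"


def imap_is_starttls(line: bytes) -> bool:
    """RFC 3501: 'tag SP STARTTLS'. The tag is validated against the real tag
    grammar and the split is on exactly one SP, so the detector accepts exactly
    the lines a conforming command parser would execute as STARTTLS."""
    tag, sep, command = line.partition(b" ")
    if sep != b" " or not IMAP_TAG.fullmatch(tag):
        return False
    return command.upper() == b"STARTTLS"


def _is_starttls(line: bytes, protocol: str) -> bool:
    return smtp_is_starttls(line) if protocol == "smtp" else imap_is_starttls(line)


def naive_detect(buffer: bytes, protocol: str) -> Verdict:
    """Illustrative flawed detector (hypothetical, not James's code): it decides
    on the first line only. Whatever else the same read delivered stays queued
    and would be executed after the handshake as if it had come over TLS."""
    line, rest = _first_line(buffer)
    if line is None:
        return Verdict(False, b"", "incomplete line")
    return Verdict(_is_starttls(line, protocol), rest, "trailing bytes not checked")


def strict_detect(buffer: bytes, protocol: str) -> Verdict:
    """Hardened detector: STARTTLS is honoured only when the read buffer holds
    nothing after the command line. A conforming client waits for the server's
    reply before sending more, so trailing plaintext means injection; the safe
    response is to refuse the handshake and close the connection."""
    line, rest = _first_line(buffer)
    if line is None:
        return Verdict(False, b"", "incomplete line")
    if not _is_starttls(line, protocol):
        return Verdict(False, b"", "not a STARTTLS command")
    if rest:
        return Verdict(False, rest, "plaintext after STARTTLS: reject and close")
    return Verdict(True, b"", "ok: start the TLS handshake on an empty buffer")


# Constructed sample reads (not captured traffic); key prefix selects the protocol.
SAMPLES: Dict[str, bytes] = {
    "smtp_clean": b"STARTTLS\r\n",
    "smtp_injected": b"STARTTLS\r\nEHLO attacker.example\r\n",
    "imap_clean": b"a001 STARTTLS\r\n",
    "imap_injected": b"a001 STARTTLS\r\na002 LOGIN victim secret\r\n",
    "imap_bad_tag": b"a(01 STARTTLS\r\n",
}


def run_samples() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (naive verdict, strict verdict)."""
    results = {}
    for name, buf in SAMPLES.items():
        protocol = name.split("_", 1)[0]
        results[name] = (naive_detect(buf, protocol).starttls,
                         strict_detect(buf, protocol).starttls)
    return results


if __name__ == "__main__":
    for name, (naive, strict) in run_samples().items():
        print(f"{name:14s} naive={str(naive):5s} strict={strict}")
```

Running the file prints both verdicts for each sample: the naive detector accepts the two injected buffers, the strict one refuses them and records the trailing bytes in `injected`. The design point is where the check runs: once a frame decoder has split the read into lines and handed the first one downstream, the processing handler can no longer see that a second line was already queued, which is the race the pull request describes; checking the unframed buffer removes that window.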


[GitHub] [james-project] chibenwa commented on pull request #919: JAMES-1862 Fix several issues with STARTTLS command injection detection

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #919:
URL: https://github.com/apache/james-project/pull/919#issuecomment-1073574252


   Force pushed because of a rebase conflict


[GitHub] [james-project] chibenwa commented on pull request #919: JAMES-1862 Fix several issues with STARTTLS command injection detection

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #919:
URL: https://github.com/apache/james-project/pull/919#issuecomment-1068752075


   ```
   org.apache.james.mpt.smtp.CassandraPulsarSmtpStarttlsCommandTest.starttlsShouldWork
   
   Error Message
   
   Condition with lambda expression in org.apache.james.mpt.session.ExternalSession was not fulfilled within 1 minutes.
   
   Stacktrace
   
   org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in org.apache.james.mpt.session.ExternalSession was not fulfilled within 1 minutes.
   
   Standard Output
   
   Connecting to localhost:38729
   <-220 Apache JAMES awesome SMTP Server
   -> ehlo yopmail.com
   <-250-asf944.gq1.ygridcore.net Hello yopmail.com [127.0.0.1])
   <-250-AUTH LOGIN PLAIN
   <-250-AUTH=LOGIN PLAIN
   <-250-PIPELINING
   <-250-ENHANCEDSTATUSCODES
   <-250-8BITMIME
   <-250 STARTTLS
   -> starttls
   closing
   ```
   
   Sounds related!


[GitHub] [james-project] chibenwa commented on pull request #919: JAMES-1862 Fix several issues with STARTTLS command injection detection

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #919:
URL: https://github.com/apache/james-project/pull/919#issuecomment-1072286189


   I hereby propose an alternative implementation that does not require turning off auto reads.
   
   It looks like auto read in Netty 3 is somehow platform dependent: I could not reproduce the issues observed on the CI locally.


[GitHub] [james-project] chibenwa commented on pull request #919: JAMES-1862 Fix several issues with STARTTLS command injection detection

Posted by GitBox <gi...@apache.org>.
chibenwa commented on pull request #919:
URL: https://github.com/apache/james-project/pull/919#issuecomment-1074693815


   (Force pushed to port this work to Netty4)


[GitHub] [james-project] chibenwa merged pull request #919: JAMES-1862 Fix several issues with STARTTLS command injection detection

Posted by GitBox <gi...@apache.org>.
chibenwa merged pull request #919:
URL: https://github.com/apache/james-project/pull/919