[ https://issues.apache.org/jira/browse/JAMES-4018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
René Cordier resolved JAMES-4018. --------------------------------- Resolution: Fixed https://github.com/apache/james-project/pull/2100 fixed that issue and was merged > RCPT TO parser differencial > --------------------------- > > Key: JAMES-4018 > URL: https://issues.apache.org/jira/browse/JAMES-4018 > Project: James Server > Issue Type: Bug > Components: SMTPServer > Reporter: Benoit Tellier > Priority: Major > Fix For: 3.9.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Currently a SMTP transaction parses RCPT parameters twice: > - in RcptCmdHandler::doFilterChecks for parameter validity checks > - in RcptCmdHandler::callHooks for actual calls of possible handlers > 1. it is wasteful? > 2. it clearly create a parser differencial as RcptCmdHandler::callHooks > includes the email address in the parameter parsing. > Valid email addresses like "anything> ORCPT=vic...@target.com "@carrier.com > would have no rcpt parameters as per doFilterChecks but have one as per > callHooks and thus could "trick" the unsuspecting email server to "inject" > RCPT parameters mid-transaction. > Can this be exploited in a real life attack? Not sure TBH. > h3. How it was detected > I spotted this weird log: > {code:java} > java.lang.IllegalArgumentException: Multiple entries with same key: ,= and ,= > at > com.google.common.collect.ImmutableMap.conflictException(ImmutableMap.java:378) > at > com.google.common.collect.ImmutableMap.checkNoConflict(ImmutableMap.java:372) > at > com.google.common.collect.RegularImmutableMap.checkNoConflictInKeyBucket(RegularImmutableMap.java:246) > at > com.google.common.collect.RegularImmutableMap.fromEntryArrayCheckingBucketOverflow(RegularImmutableMap.java:133) > at > com.google.common.collect.RegularImmutableMap.fromEntryArray(RegularImmutableMap.java:95) > at > com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:572) > at > com.google.common.collect.ImmutableMap$Builder.buildOrThrow(ImmutableMap.java:600) > at > com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:587) > at > org.apache.james.protocols.smtp.core.RcptCmdHandler.parseParameters(RcptCmdHandler.java:230) > at > org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:219) > at > org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:55) > at > org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.processHooks(AbstractHookableCmdHandler.java:117) > at > org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:75) > at > org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:50) > at > org.apache.james.protocols.api.handler.CommandDispatcher.dispatchCommandHandlers(CommandDispatcher.java:165) > at > org.apache.james.protocols.api.handler.CommandDispatcher.onLine(CommandDispatcher.java:142) > {code} > And reproduced it with: > {code:java} > RCPT TO: <"any> ,= ,= "@ccc.fr> > {code} > CF https://github.com/linagora/james-project/issues/5119 > h3. The fix > Like the email address use the smtp session parameters to cary over the > parameters from doFilterChecks to callHooks... -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org For additional commands, e-mail: server-dev-h...@james.apache.org