thunderbird / thunderbird-android

Thunderbird for Android – Open Source Email App for Android (fka K-9 Mail)
https://thunderbird.net/
Apache License 2.0

SMTP injection via email address #2598

Open gsauthof opened 7 years ago

gsauthof commented 7 years ago

K9 permits the injection of control characters into email addresses such that the SMTP session breaks and the outgoing email is lost.

Expected behavior

  1. Display of the complete server error message via a notification
  2. Store the not-yet-sent email message in the outbox or draft directory for inspection and fixing.

Or ideally:

Sanitize the email address that is retrieved via 'Add from Contacts'. Especially remove leading/trailing control characters like newline or carriage-return. Otherwise detect characters that are invalid in email addresses and don't insert them verbatim into an SMTP session.

Actual behavior

  1. K9 just displays a truncated server error message.
  2. K9 drops the problematic email message. That means the content of a potentially long and important email is lost.

K9 inserts an email address with invalid characters verbatim into an SMTP session.

K9 stacktrace from adb logcat:

06-20 22:44:45.639 18226 18272 E k9      : Failed to send message
06-20 22:44:45.639 18226 18272 E k9      : com.fsck.k9.mail.transport.SmtpTransport$NegativeSmtpReplyException: Negative SMTP reply: 501 5.1.3 Bad recipient address syntax
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.mail.transport.SmtpTransport.checkLine(SmtpTransport.java:639)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.mail.transport.SmtpTransport.executeSimpleCommand(SmtpTransport.java:680)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.mail.transport.SmtpTransport.executeSimpleCommand(SmtpTransport.java:644)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.mail.transport.SmtpTransport.sendMessageTo(SmtpTransport.java:523)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.mail.transport.SmtpTransport.sendMessage(SmtpTransport.java:496)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.controller.MessagingController.sendPendingMessagesSynchronous(MessagingController.java:3014)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.controller.MessagingController.access$1700(MessagingController.java:115)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.controller.MessagingController$21.run(MessagingController.java:2895)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.controller.MessagingController.runInBackground(MessagingController.java:204)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.controller.MessagingController.access$000(MessagingController.java:115)
06-20 22:44:45.639 18226 18272 E k9      :      at com.fsck.k9.controller.MessagingController$1.run(MessagingController.java:173)
06-20 22:44:45.639 18226 18272 E k9      :      at java.lang.Thread.run(Thread.java:761)

Truncated K9 notification text (really is truncated, can't be expanded):

Failed to send some messages
Negative SMTP reply: 501 5.1.3 Bad recipient address synt..

Snippet from verbose postfix log:

Jun 20 23:08:32 example.com postfix/smtpd[9010]: < client.example.net: RCPT TO:<juser@example.org
Jun 20 23:08:32 example.com postfix/smtpd[9010]: > client.example.net: 501 5.1.3 Bad recipient address syntax

Note how the closing > character is missing after the email address, because the email address, plus newline characters, is inserted as-is into the SMTP session.

Steps to reproduce

  1. Create a contact with an email address that ends with a newline character (i.e. 0xa), e.g.:
  2. Create a QR code on a computer: echo juser@example.org | qrcode (the QR code contains a trailing newline character)
  3. Scan it on Android with the ZXing Barcode Scanner app (which automatically copies it into the clipboard - including the trailing newline)
  4. Create a new contact in the contact app
  5. Paste the email address into the contact (the trailing newline character is pasted, as well)
  6. Save the contact
  7. Start K9
  8. Compose new email
  9. Select recipient with problematic email address via 'Add from Contacts'
  10. Send the mail (ideally with postfix as outgoing SMTP server)

Environment

K-9 Mail version: 5.206

Android version: LineageOS 14.1 (Android 7.1.2)

Account type (IMAP, POP3, WebDAV/Exchange): IMAP+SMTP

Postfix Version: 2.10.1

philipwhiuk commented 7 years ago

[[:cntrl:]] is probably the right regex. Where do you think we should apply this, @cketti?
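
An added example, not part of the thread and not K-9 Mail code: one way to apply the sanitization requested in the report using the control-character class suggested in the comment above, before an address reaches the RCPT TO line. The class and method names (`SmtpAddressGuard`, `sanitize`, `rcptTo`) are hypothetical, and the sample inputs are constructed.

```java
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not K-9 Mail code.
public class SmtpAddressGuard {
    // \p{Cntrl} is Java's spelling of POSIX [[:cntrl:]]: bytes 0x00-0x1F and 0x7F.
    // \A and \z anchor to the true start and end of input, so a final newline
    // cannot slip past the way it can with '$'.
    private static final Pattern EDGE_CNTRL =
            Pattern.compile("\\A\\p{Cntrl}+|\\p{Cntrl}+\\z");
    private static final Pattern ANY_CNTRL = Pattern.compile("\\p{Cntrl}");

    /** Cleans an address taken from an untrusted source such as the contacts provider. */
    static String sanitize(String raw) {
        // Leading/trailing control characters (a pasted newline or CR) are dropped.
        String address = EDGE_CNTRL.matcher(raw).replaceAll("");
        // A control character inside the address is rejected rather than repaired:
        // the intended recipient can no longer be determined reliably.
        if (address.isEmpty() || ANY_CNTRL.matcher(address).find()) {
            throw new IllegalArgumentException("Control character in email address");
        }
        return address;
    }

    /** Builds the SMTP command line only from a sanitized address. */
    static String rcptTo(String raw) {
        return "RCPT TO:<" + sanitize(raw) + ">";
    }

    public static void main(String[] args) {
        // Constructed input: the address from the report with its trailing newline.
        System.out.println(rcptTo("juser@example.org\n"));

        // Constructed input: a line break in the middle of the address.
        try {
            rcptTo("juser\r\n@example.org");
        } catch (IllegalArgumentException e) {
            // The caller can keep the message in the outbox and show this text in full.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting at this point, before anything is written to the socket, also leaves the message intact so it can be stored for correction instead of being dropped after the server's 501 reply.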