#1526 invalid img html tag causes logout


I opened #831550 and was directed to #829946. However
the fix stated in #829946 did not help (in fact I
always had session.use_trans_sid = 0 set). I have also
tried playing with the other session vars, but no joy.
I re-posted to sm-dev, but no response. Here is the
problem description again, hopefully someone can help:

If I get a HTML message with this line, I will be
logged out immediately after viewing it:


also the same happens with this simplified line:
<IMG src="cid:/snap.jpg">

I verified it by just adding the line into another HTML
message (editing the mail file manually with vim).

It does not seem to happen if you have the auto login
plugin installed and are using it (you have a saved
cookie). If I disable the autologin plugin the problem
happens every time.

SQ version 1.4.2, php-4.3.4 in fast-cgi mode,
apache-1.3.29 with mod_fastcgi, courier-imap-2.2.1

my e-mail: spam99@2thebatcave.com


  • Logged In: YES

    Please attach the mail as attachment and send it to
    marc@squirrelmail.org so I can take a look at it.

  • Logged In: YES

    I tried to reproduce this on SM 1.5.1 CVS and couldn't.

    As you already noticed, logouts takes place if a new session
    is started and that's what probably is happening in your
    case. The missing img src tage will resolve to the doc root
    of your www server and when there is a index.php file which
    redirects to src/login.php then you probably get logged out.
    But that's just a theory which can be tested by removing

    In the future we should remove the img tag completely if we
    cannot find a mime part with a matching cid.

    • priority: 5 --> 1
  • Chris Maden
    Chris Maden

    Logged In: YES

    I have exactly the same bug using SQ 1.4.3, php-4.3.4 on
    RH9. Any fix gratefully received - Thanks

    • assigned_to: nobody --> jangliss
  • Logged In: YES

    As requested by Marc, can somebody attach an example message
    so we are able to test. Unfortunately the only messages
    with cid: addresses in it that I have all seem to work fine.

  • Logged In: YES

    A fix for this has been put into CVS. It should be in the
    cvs snapshots tomorrow. Please check then, and see if this
    resolves your issue.

    • status: open --> closed
    • status: closed --> closed-fixed
  • Logged In: YES

    Cleaning up the tracker. I'm sure you fixed it Jon ;)

  • Logged In: NO