#1526 invalid img html tag causes logout

closed-fixed
1
2005-02-18
2003-12-06
Anonymous
No

I opened #831550 and was directed to #829946. However
the fix stated in #829946 did not help (in fact I
always had session.use_trans_sid = 0 set). I have also
tried playing with the other session vars, but no joy.
I re-posted to sm-dev, but no response. Here is the
problem description again, hopefully someone can help:

If I get a HTML message with this line, I will be
logged out immediately after viewing it:

<IMG
src=3D"cid:{EE05590F-9334-4342-A794-DC56D5060022}/snap.jpg">

also the same happens with this simplified line:
<IMG src="cid:/snap.jpg">

I verified it by just adding the line into another HTML
message (editing the mail file manually with vim).

It does not seem to happen if you have the auto login
plugin installed and are using it (you have a saved
cookie). If I disable the autologin plugin the problem
happens every time.

SQ version 1.4.2, php-4.3.4 in fast-cgi mode,
apache-1.3.29 with mod_fastcgi, courier-imap-2.2.1

my e-mail: spam99@2thebatcave.com

Discussion

  • Logged In: YES
    user_id=476981

    Please attach the mail as attachment and send it to
    marc@squirrelmail.org so I can take a look at it.

     
  • Logged In: YES
    user_id=476981

    I tried to reproduce this on SM 1.5.1 CVS and couldn't.

    As you already noticed, logouts take place if a new session
    is started and that's what probably is happening in your
    case. The missing img src tag will resolve to the doc root
    of your www server and when there is an index.php file which
    redirects to src/login.php then you probably get logged out.
    But that's just a theory which can be tested by removing
    index.php.

    In the future we should remove the img tag completely if we
    cannot find a mime part with a matching cid.

     
    • priority: 5 --> 1
     
  • Chris Maden
    2004-07-23

    Logged In: YES
    user_id=231018

    I have exactly the same bug using SQ 1.4.3, php-4.3.4 on
    RH9. Any fix gratefully received - Thanks

     
    • assigned_to: nobody --> jangliss
     
  • Logged In: YES
    user_id=620333

    As requested by Marc, can somebody attach an example message
    so we are able to test. Unfortunately the only messages
    with cid: addresses in it that I have all seem to work fine.

     
  • Logged In: YES
    user_id=620333

    A fix for this has been put into CVS. It should be in the
    cvs snapshots tomorrow. Please check then, and see if this
    resolves your issue.

     
    • status: open --> closed
     
    • status: closed --> closed-fixed
     
  • Logged In: YES
    user_id=476981

    Cleaning up the tracker. I'm sure you fixed it Jon ;)

     
  • Logged In: NO

    secret
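
The mitigation proposed in the discussion above (drop an img tag when no MIME part carries a matching cid) can be sketched as follows. This is an added example, not SquirrelMail code and not the fix that went into CVS; the sample message, the function names and the `/attachment?part=` URL scheme are all constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the HTML body references one attached image and one
# cid: URL (the simplified line from the report) that has no MIME part.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Hi</p><IMG src="cid:logo@example"><IMG src="cid:/snap.jpg">
--b1
Content-Type: image/png
Content-ID: <logo@example>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Regex matching is a simplification; a real mail client would work on parsed HTML.
IMG_CID = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']cid:([^"\'>]*)["\'][^>]*>', re.I)

def known_cids(msg):
    """Map each Content-ID (angle brackets stripped) to its index in msg.walk()."""
    cids = {}
    for i, part in enumerate(msg.walk()):
        cid = part.get("Content-ID")
        if cid:
            cids[cid.strip().strip("<>")] = i
    return cids

def rewrite_cid_images(html, cids, url_for=lambda i: f"/attachment?part={i}"):
    """Point matched cid: images at their part; remove unmatched img tags."""
    def fix(m):
        idx = cids.get(m.group(1))
        if idx is None:
            return ""  # no matching part: emit nothing, so the browser requests nothing
        return f'<img src="{url_for(idx)}">'  # hypothetical download URL
    return IMG_CID.sub(fix, html)

def sanitize(raw):
    """Return the message's HTML body with every cid: image resolved or dropped."""
    msg = message_from_string(raw)
    html = next(p.get_payload(decode=True).decode("ascii", "replace")
                for p in msg.walk() if p.get_content_type() == "text/html")
    return rewrite_cid_images(html, known_cids(msg))
```

Because unmatched tags are removed before rendering, the browser never issues the stray request that the discussion suspects of starting a new session.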