#2762 404 on reload

pending-out-of-date
nobody
None
5
2011-08-27
2011-08-26
Cedric Knight
No

A user, who usually refreshes her inbox by clicking Refresh in Firefox (3.6.20 on Mac 10.6), reports a 404 error under certain circumstances. Clicking on "INBOX" usually fixes it. I haven't been able to reproduce exactly, but it appears to stem from code to recreate the right pane after an expired session. Apache logs show status codes and referrers:

"GET /src/webmail.php?right_frame=/src/right_main.php?mailbox=INBOX&sort=0&startMessage=1 HTTP/1.1" 200 272 "https://example.org/src/login.php"
"GET /src/left_main.php HTTP/1.1" 200 1456 "https://example.org/src/webmail.php?right_frame=/src/right_main.php?mailbox=INBOX&sort=0&startMessage=1"
"GET /src/%2Fsrc%2Fright_main.php%3Fmailbox%3DINBOX HTTP/1.1" 404 719 "https://example.org/src/webmail.php?right_frame=/src/right_main.php?mailbox=INBOX&sort=0&startMessage=1"

SquirrelMail 1.4.11. Attached patch removes the apparent cause, a surplus urlencode in the default case at the end of webmail.php. Possibly quotation marks should still be escaped.
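The 404 in the log above can be reproduced outside the browser. This is an added example, not SquirrelMail code and not the attached patch; it assumes the right_frame value ends up in a frame `src` attribute, uses `encodeURIComponent` as a stand-in for PHP's `urlencode`, and the helper names `resolveFrameSrc`, `escapeAttr` and `decodeAttr` are hypothetical.

```javascript
// Added example. Assumption: webmail.php writes the right_frame value into a
// <frame src="..."> attribute, which the browser resolves against the page URL.

// Page URL and right_frame value taken from the Apache log in the report.
const PAGE = 'https://example.org/src/webmail.php' +
  '?right_frame=/src/right_main.php?mailbox=INBOX&sort=0&startMessage=1';
const RIGHT_FRAME = '/src/right_main.php?mailbox=INBOX';

// Resolve a frame src the way a browser does (WHATWG URL resolution).
function resolveFrameSrc(src, pageUrl) {
  const u = new URL(src, pageUrl);
  return u.pathname + u.search;
}

// Escape for an HTML attribute: neutralises quotes and angle brackets
// but leaves "/" and "?" alone, so the URL structure survives.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// What the HTML parser hands to the URL resolver after decoding entities.
function decodeAttr(value) {
  return value.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[name]));
}

// URL-encoding the whole value turns "/" into %2F and "?" into %3F, so the
// browser sees one relative path segment with no query string.
const encodedSrc = encodeURIComponent(RIGHT_FRAME);
const brokenRequest = resolveFrameSrc(encodedSrc, PAGE);

// Attribute escaping alone keeps the path and query intact.
const escapedSrc = escapeAttr(RIGHT_FRAME);
const workingRequest = resolveFrameSrc(decodeAttr(escapedSrc), PAGE);

console.log('urlencoded src requests:', brokenRequest);
console.log('attr-escaped src requests:', workingRequest);
```

The first result matches the request path that returned 404 in the log; the second is the intended right-pane request, and `escapeAttr` still covers the quotation-mark concern raised in the report.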

Discussion

  • Cedric Knight
    2011-08-26

    Remove unescape on SM1.4.11

     
    Attachments
  • Cedric Knight
    2011-08-26

    bug 1685072 may be relevant.

     
  • Cedric Knight
    2011-08-26

    User reports the fix works so far. More on the conditions precipitating it:
    "to give you a general idea of my use... my email IS my desktop - it is open ALWAYS, and I alternate between approximately 5 to 20 tabs in firefox always - leaving the mailbox listing in this first tab, and opening tabs to check each mail and respond. So, yes, I leave it abandoned as I respond to the x mails I opened, then go back, and refresh. Could be 10 minutes, could be 2 hours."

    Behaviour started a few weeks ago (the only conceivably relevant server change is openssl 0.9.8g to 0.9.8o) and there is no request from SquirrelMail to log in again.

     
  • Version 1.4.11 is many years old. Please upgrade to a new version and report if you still see this issue. (Note that there are many published security issues with version 1.4.11 - you are doing a disservice to your users by not upgrading and risking the security of your own systems.)

     
    • status: open --> pending-out-of-date
     
  • Cedric Knight
    2011-08-27

    • status: pending-out-of-date --> open
     
  • Cedric Knight
    2011-08-27

    Thanks for the reminder about 1.4.11. (We're in the process of applying site-specific hacks to a Debian squeeze 1.4.21-2 installation.)

    However, I can see the bug still exists in the code in the SM-1_4-STABLE branch. I will try to replicate on 1.4.21, but as I say, I haven't replicated the user's experience as yet anyway.

     
    • status: open --> pending-out-of-date
     
  • No, I believe you see that the code you changed is still the same in our repository, but it does not sound to me like you've tested it. There's plenty of code on the receiving end of the request being built there, and the handling of that URI may have changed. I can't reproduce this issue. If I could, I'd be happy to look in more detail and consider your patch. It'd be most helpful if you could test or help us reproduce against 1.4.22 or 1.4.23svn. Thanks.