#47 Email Parsing strips \'s

closed-works-for-me
Compose (426)
6
2000-08-22
2000-08-20
Anonymous
No

When using \'s within the sig, or in a message compose, SquirrelMail ignores it unless you specify 2 \'s.
However, if you were to forward the email again, you have to make sure you add the extra \'s.

Discussion

  • If \'s get parsed, then you could possibly run arbitrary code on the server as the web server.

    Will report exploit to bugtraq if you fix is posted within a week.

     
  • s/you/no
    "if no fix is posted"

     
  • Lewis Bergman
    2000-08-21

    Your bug has been assigned. How quick this is resolved depends on
    the severity and the probability that it might affect a large
    number of users. If you were logged in at the time of submission
    you will be informed via email of this bug's status. If not, you
    may check back here to see how we are doing on it. Please
    remember your bug id number for quick reference.

    Thanks for your help!

     
  • Lewis Bergman
    2000-08-21

    • priority: 5 --> 6
    • assigned_to: nobody --> gpadgham
     
  • Gerrit Padgham
    2000-08-21

    • status: open --> open-works-for-me
     
  • Gerrit Padgham
    2000-08-21

    Please provide more detail about your IMAP server, operating
    system, Version of SquirrelMail, and the circumstances which
    produced the bug.

    Since we could not reproduce this problem, providing the same
    information will not help. Please be as specific as possible.
    Some problems may require that we make a coding effort and then
    you try the new version to see the results. Thanks for your help.

     
  • Gerrit Padgham
    2000-08-22

    • status: open-works-for-me --> closed-works-for-me
     
  • Gerrit Padgham
    2000-08-22

    After large amounts of testing, I have decided that this is no longer an issue in the latest CVS. Please update to the latest version and let me know if you still have the problem.