Benoit Tellier created JAMES-4018: ------------------------------------- Summary: RCPT TO parser differencial Key: JAMES-4018 URL: https://issues.apache.org/jira/browse/JAMES-4018 Project: James Server Issue Type: Bug Components: SMTPServer Reporter: Benoit Tellier Fix For: 3.9.0
Currently a SMTP transaction parses RCPT parameters twice: - in RcptCmdHandler::doFilterChecks for parameter validity checks - in RcptCmdHandler::callHooks for actual calls of possible handlers 1. it is wasteful? 2. it clearly create a parser differencial as RcptCmdHandler::callHooks includes the email address in the parameter parsing. Valid email addresses like "anything> ORCPT=vic...@target.com "@carrier.com would have no rcpt parameters as per doFilterChecks but have one as per callHooks and thus could "trick" the unsuspecting email server to "inject" RCPT parameters mid-transaction. Can this be exploited in a real life attack? Not sure TBH. h3. How it was detected I spotted this weird log: {code:java} java.lang.IllegalArgumentException: Multiple entries with same key: ,= and ,= at com.google.common.collect.ImmutableMap.conflictException(ImmutableMap.java:378) at com.google.common.collect.ImmutableMap.checkNoConflict(ImmutableMap.java:372) at com.google.common.collect.RegularImmutableMap.checkNoConflictInKeyBucket(RegularImmutableMap.java:246) at com.google.common.collect.RegularImmutableMap.fromEntryArrayCheckingBucketOverflow(RegularImmutableMap.java:133) at com.google.common.collect.RegularImmutableMap.fromEntryArray(RegularImmutableMap.java:95) at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:572) at com.google.common.collect.ImmutableMap$Builder.buildOrThrow(ImmutableMap.java:600) at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:587) at org.apache.james.protocols.smtp.core.RcptCmdHandler.parseParameters(RcptCmdHandler.java:230) at org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:219) at org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:55) at org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.processHooks(AbstractHookableCmdHandler.java:117) at org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:75) at org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:50) at org.apache.james.protocols.api.handler.CommandDispatcher.dispatchCommandHandlers(CommandDispatcher.java:165) at org.apache.james.protocols.api.handler.CommandDispatcher.onLine(CommandDispatcher.java:142) {code} And reproduced it with: {code:java} {code} CF https://github.com/linagora/james-project/issues/5119 h3. The fix Like the email address use the smtp session parameters to cary over the parameters from doFilterChecks to callHooks... -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org For additional commands, e-mail: server-dev-h...@james.apache.org