[jira] [Created] (JAMES-4018) RCPT TO parser differencial

Sun, 10 Mar 2024 14:46:06 -0700 

Benoit Tellier created JAMES-4018:
-------------------------------------

             Summary: RCPT TO parser differencial
                 Key: JAMES-4018
                 URL: https://issues.apache.org/jira/browse/JAMES-4018
             Project: James Server
          Issue Type: Bug
          Components: SMTPServer
            Reporter: Benoit Tellier
             Fix For: 3.9.0


Currently a SMTP transaction parses RCPT parameters twice:

 - in RcptCmdHandler::doFilterChecks for parameter validity checks
 - in RcptCmdHandler::callHooks for actual calls of possible handlers

1. it is wasteful?
2. it clearly create a parser differencial as RcptCmdHandler::callHooks 
includes the email address in the parameter parsing.

Valid email addresses like "anything> ORCPT=vic...@target.com "@carrier.com 
would have no rcpt parameters as per doFilterChecks but have one as per 
callHooks and thus could "trick" the unsuspecting email server to "inject" RCPT 
parameters mid-transaction. 

Can this be exploited in a real life attack? Not sure TBH. 

h3. How it was detected

I spotted this weird log:

{code:java}
java.lang.IllegalArgumentException: Multiple entries with same key: ,= and ,=
        at 
com.google.common.collect.ImmutableMap.conflictException(ImmutableMap.java:378)
        at 
com.google.common.collect.ImmutableMap.checkNoConflict(ImmutableMap.java:372)
        at 
com.google.common.collect.RegularImmutableMap.checkNoConflictInKeyBucket(RegularImmutableMap.java:246)
        at 
com.google.common.collect.RegularImmutableMap.fromEntryArrayCheckingBucketOverflow(RegularImmutableMap.java:133)
        at 
com.google.common.collect.RegularImmutableMap.fromEntryArray(RegularImmutableMap.java:95)
        at 
com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:572)
        at 
com.google.common.collect.ImmutableMap$Builder.buildOrThrow(ImmutableMap.java:600)
        at 
com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:587)
        at 
org.apache.james.protocols.smtp.core.RcptCmdHandler.parseParameters(RcptCmdHandler.java:230)
        at 
org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:219)
        at 
org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:55)
        at 
org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.processHooks(AbstractHookableCmdHandler.java:117)
        at 
org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:75)
        at 
org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:50)
        at 
org.apache.james.protocols.api.handler.CommandDispatcher.dispatchCommandHandlers(CommandDispatcher.java:165)
        at 
org.apache.james.protocols.api.handler.CommandDispatcher.onLine(CommandDispatcher.java:142)
{code}

And reproduced it with:

{code:java}

{code}

CF https://github.com/linagora/james-project/issues/5119

h3. The fix

Like the email address use the smtp session parameters to cary over the 
parameters from doFilterChecks to callHooks...




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to