authorGaming4JC <g4jc@hyperbola.info>2020-06-09 23:37:32 -0400
committerGaming4JC <g4jc@hyperbola.info>2020-06-11 10:33:23 -0400
commit93f74227ba87816e3ddd72f974fd0c067f698562 (patch)
tree46977d3d35d0fc6cb0852888cb3c6f687e25ff3b /mailnews/imap/src
parent0955b34e67d3eceb0c5bed9eae26f2456dfb005f (diff)
downloaduxp-93f74227ba87816e3ddd72f974fd0c067f698562.tar.gz
Bug 1613623 - For IMAP, no longer allow STARTTLS when server sends PREAUTH greeting.
Tag #1312
Diffstat (limited to 'mailnews/imap/src')
-rw-r--r--mailnews/imap/src/nsImapProtocol.cpp54
1 files changed, 35 insertions, 19 deletions
diff --git a/mailnews/imap/src/nsImapProtocol.cpp b/mailnews/imap/src/nsImapProtocol.cpp
index 940d87cbd1..97e61a40ef 100644
--- a/mailnews/imap/src/nsImapProtocol.cpp
+++ b/mailnews/imap/src/nsImapProtocol.cpp
@@ -1526,28 +1526,44 @@ void nsImapProtocol::EstablishServerConnection()
}
else if (!PL_strncasecmp(serverResponse, ESC_PREAUTH, ESC_PREAUTH_LEN))
{
- // we've been pre-authenticated.
- // we can skip the whole password step, right into the
- // kAuthenticated state
- GetServerStateParser().PreauthSetAuthenticatedState();
+ // PREAUTH greeting received. We've been pre-authenticated by the server.
+ // We can skip sending a password and transition right into the
+ // kAuthenticated state; but we won't if the user has configured STARTTLS.
+ // (STARTTLS can only occur with the server in non-authenticated state.)
+ if (!(m_socketType == nsMsgSocketType::alwaysSTARTTLS ||
+ m_socketType == nsMsgSocketType::trySTARTTLS)) {
+ GetServerStateParser().PreauthSetAuthenticatedState();
- if (GetServerStateParser().GetCapabilityFlag() == kCapabilityUndefined)
- Capability();
+ if (GetServerStateParser().GetCapabilityFlag() == kCapabilityUndefined)
+ Capability();
- if ( !(GetServerStateParser().GetCapabilityFlag() &
- (kIMAP4Capability | kIMAP4rev1Capability | kIMAP4other) ) )
- {
- // AlertUserEvent_UsingId(MK_MSG_IMAP_SERVER_NOT_IMAP4);
- SetConnectionStatus(NS_ERROR_FAILURE); // stop netlib
- }
- else
- {
- // let's record the user as authenticated.
- m_imapServerSink->SetUserAuthenticated(true);
+ if (!(GetServerStateParser().GetCapabilityFlag() &
+ (kIMAP4Capability | kIMAP4rev1Capability | kIMAP4other))) {
+ // AlertUserEventUsingId(MK_MSG_IMAP_SERVER_NOT_IMAP4);
+ SetConnectionStatus(NS_ERROR_FAILURE); // stop netlib
+ } else {
+ // let's record the user as authenticated.
+ m_imapServerSink->SetUserAuthenticated(true);
- ProcessAfterAuthenticated();
- // the connection was a success
- SetConnectionStatus(NS_OK);
+ ProcessAfterAuthenticated();
+ // the connection was a success
+ SetConnectionStatus(NS_OK);
+ }
+ } else {
+ // STARTTLS is configured so don't transition to authenticated state. Just
+ // alert the user, log the error and drop the connection. This may
+ // indicate a man-in-the middle attack if the user is not expecting
+ // PREAUTH. The user must change the connection security setting to other
+ // than STARTTLS to allow PREAUTH to be accepted on subsequent IMAP
+ // connections.
+ AlertUserEventUsingName("imapServerDisconnected");
+ const nsCString &hostName = GetImapHostName();
+ MOZ_LOG(
+ IMAP, LogLevel::Error,
+ ("PREAUTH received from IMAP server %s because STARTTLS selected. "
+ "Connection dropped",
+ hostName.get()));
+ SetConnectionStatus(NS_ERROR_FAILURE); // stop netlib
}
}
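Review bot: On the STARTTLS branch the user only sees the generic `AlertUserEventUsingName("imapServerDisconnected")`, while the actual cause and the remedy (changing the connection security setting away from STARTTLS, as the code comment explains) live only in that comment and in an Error-level MOZ_LOG most users will never read, so a possible downgrade attempt looks to them like an ordinary server drop. The log text itself also reads as if STARTTLS caused the PREAUTH ("received ... because STARTTLS selected"); state it as cause and effect, e.g. `("PREAUTH received from IMAP server %s while STARTTLS is configured; connection dropped", hostName.get())`, and consider an alert text that names the cause rather than reusing the generic disconnect message. Separately, the added block uses same-line braces (`) {` / `} else {`) while the surrounding lines of this function (the else-if at the top of the hunk and the closing braces at the bottom) use Allman style, so the two styles now mix inside one function. EstablishServerConnection begins before this hunk and appears to continue past its last line.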