
JAMES-1862 Generalize STARTTLS sanitizing fix #589

Merged
merged 5 commits into from
Aug 29, 2021

Conversation

chibenwa
Contributor

@chibenwa chibenwa commented Aug 11, 2021

All line-based protocols are subject to command injection by "man in the middle"
attacks. We hereby generalize the SMTP fix.

Note that we slightly modified the behaviour to bypass this sanitizing as soon as the user
is authenticated: indeed, authentication happens for sure after STARTTLS upgrades.

TODO:

  • Write a test suite for POP3
  • Write a test suite for IMAP
  • Tests for session fixation
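As an added illustration of the check this PR generalizes (this is not James's code and not part of the PR), the sketch below models a line-based server reading its receive buffer one line at a time. When the TLS upgrade verb (STARTTLS for SMTP and IMAP, STLS for POP3) is not the last plaintext in the buffer, the bytes behind it could have been injected ahead of the client's real traffic by a man in the middle, so the session is closed instead of processing them; an already-authenticated session skips the check, matching the behaviour change described above. The `Session` dataclass, the `is_upgrade_command` tag handling for IMAP, and the sample buffers are all constructed for this example and are assumptions, not James internals.

```python
from dataclasses import dataclass, field

# TLS upgrade verbs: STARTTLS (SMTP, IMAP) and STLS (POP3).
UPGRADE_COMMANDS = {b"STARTTLS", b"STLS"}


@dataclass
class Session:
    """Minimal connection state (constructed for this example)."""
    authenticated: bool = False   # set by the real server after AUTH/LOGIN/PASS
    tls_active: bool = False
    closed: bool = False
    processed: list = field(default_factory=list)  # lines handed to normal dispatch
    reason: str = ""


def is_upgrade_command(line: bytes) -> bool:
    """True for 'STARTTLS' / 'STLS' (SMTP, POP3) or a tagged 'A1 STARTTLS' (IMAP)."""
    parts = line.split()
    if not parts:
        return False
    if parts[0].upper() in UPGRADE_COMMANDS:
        return len(parts) == 1
    return len(parts) == 2 and parts[1].upper() in UPGRADE_COMMANDS


def handle_buffer(session: Session, raw: bytes) -> Session:
    """Consume one receive buffer, one CRLF-terminated line at a time."""
    buf = raw
    while not session.closed and b"\n" in buf:
        line, _, buf = buf.partition(b"\n")
        line = line.rstrip(b"\r")
        if not is_upgrade_command(line):
            session.processed.append(line)   # stand-in for normal command dispatch
            continue
        # The upgrade command must be the last plaintext the server reads.
        # Anything still in the buffer (a full line or a partial one) was not
        # sent under the TLS session about to be negotiated, so it is not
        # trusted. An authenticated session is already past the upgrade,
        # which is why the check is bypassed there.
        if buf and not session.authenticated:
            session.closed = True
            session.reason = "data received after %s before TLS negotiation" % line.decode()
            return session
        session.tls_active = True
        # A real server would wrap the socket in TLS at this point.
    return session


def audit(raw: bytes, authenticated: bool = False) -> Session:
    """Run a constructed buffer through a fresh session and return the outcome."""
    return handle_buffer(Session(authenticated=authenticated), raw)


if __name__ == "__main__":
    # Constructed sample buffers, one per protocol plus the authenticated bypass.
    samples = {
        "smtp clean":        b"EHLO client.example\r\nSTARTTLS\r\n",
        "smtp pipelined":    b"STARTTLS\r\nRSET\r\n",
        "pop3 pipelined":    b"STLS\r\nUSER bob\r\n",
        "imap pipelined":    b"A1 STARTTLS\r\nA2 NOOP\r\n",
        "smtp partial line": b"STARTTLS\r\nNOO",
    }
    for name, raw in samples.items():
        s = audit(raw)
        print("%-18s closed=%-5s tls=%-5s %s" % (name, s.closed, s.tls_active, s.reason))
    s = audit(b"STARTTLS\r\nNOOP\r\n", authenticated=True)
    print("%-18s closed=%-5s tls=%-5s processed=%s" % ("authenticated", s.closed, s.tls_active, s.processed))
```

The decisive detail is that the check looks at what is *left in the buffer* after the upgrade line rather than at the upgrade line alone, which is what makes it protocol-agnostic: the same loop serves SMTP, POP3 and IMAP once the verb and the IMAP tag are recognized.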

@chibenwa chibenwa self-assigned this Aug 11, 2021
@chibenwa chibenwa marked this pull request as ready for review August 12, 2021 13:24
@chibenwa
Contributor Author

Force pushed to solve conflict...

@chibenwa
Contributor Author

Test Result (2 failures / +2)

    org.apache.james.pop3server.POP3ServerTest$StartTlsSanitizing.connectionAreClosedWhenSTLSFollowedByText
    org.apache.james.pop3server.POP3ServerTest$StartTlsSanitizing.connectionAreClosedWhenSTLSFollowedByACommand

Looks related. I will have a look.

https://www.usenix.org/system/files/sec21-poddebniak.pdf Session 6.2

James allows session fixation as part of the SMTP protocol but, as
stated by the researchers, 'they did not come up with exploits'.
@chibenwa chibenwa merged commit f06bff8 into apache:master Aug 29, 2021