8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

dominix
Posts: 31
Joined: Sat Sep 13, 2014 1:07 am
Location: Pacific sud
ZCS/ZD Version: 7.2.7 ... 8.8.12

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby dominix » Wed Jun 26, 2019 8:07 pm



This one works if I use a completely clean browser after the fix (and a "zmmailboxctl restart"). But it doesn't if I use a browser that has been exposed to the previous js version.
There may be some deep cleaning to be done, like emptying the cache and so on.


juliano.morona
Posts: 6
Joined: Fri May 12, 2017 4:58 pm

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby juliano.morona » Wed Jun 26, 2019 9:14 pm

dominix wrote:


This one works if I use a completely clean browser after the fix (and a "zmmailboxctl restart"). But it doesn't if I use a browser that has been exposed to the previous js version.
There may be some deep cleaning to be done, like emptying the cache and so on.


I tested again unsuccessfully, using Chrome and Firefox with a clean cache, in anonymous mode and also with a clean installation. :o

What I realized is that the alternation between "format as html", "format as plain text txt" and "format as html" in the answer solved the problem for that email.
mgarbin
Posts: 5
Joined: Wed Jun 26, 2019 11:00 am

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby mgarbin » Thu Jun 27, 2019 8:17 am

The patch probably works, but only if you put your Zimbra in dev mode (add &dev=1 at the end of the Zimbra link).
The problem is that you need to recompile the whole web interface. This is needed because in non-dev mode you are using the compressed and unified files in /opt/zimbra/jetty/webapps/zimbra/js/*.zgz, and only in dev mode are you using the JavaScript inside /opt/zimbra/jetty/webapps/js/zimbraMail.

Solution: learn to recompile the web interface or wait for a patch or a new Zimbra version ;)
toslan
Posts: 3
Joined: Tue Jun 25, 2019 12:01 pm

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby toslan » Thu Jun 27, 2019 9:49 am


Finally I got it working. Here is the workaround.
/opt/zimbra/jetty_base/webapps/zimbra/js/zimbraMail/mail/model/ZmMailMsg.js - is not the only file containing interesting code. Find all of them in jetty_base directory:

grep -rwl "cid=cid.replace" /opt/zimbra/jetty_base

You will see some more files. In my case:
    /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js
    /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js
Replace
cid=cid.replace(/@zimbra/g, "@zimbra");
with
cid=cid.replace(/@/g, "@");
in all of them
Remove the gzipped versions of the changed files: MailCore_all.js.zgz and NewWindow_2_all.js.zgz (or, better, rename them for safety reasons).
Then rebuild them with gzip:

gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js
gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js

Clear browser cache and voila - the bug is gone!
Remember to keep copies of all changed files - just in case !!!
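
Added example, not part of toslan's post and not Zimbra tooling: a check for the failure mode this thread keeps hitting, where a .js bundle is patched but the .zgz served in non-dev mode still holds the old code. It assumes, as the gzip commands above imply, that each .zgz is a plain gzip of its .js; the function names stale_zgz and rebuild_zgz are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: verify that compressed bundles match their patched .js source.
# Assumption (from the workaround above): FILE.js.zgz is gzip(FILE.js).

# stale_zgz FILE.js [FILE.js ...]
# Prints "MISSING <path>" or "STALE <path>" for every bundle that does not
# match its .js source. Returns 0 when all bundles match, 1 otherwise.
stale_zgz() {
    _rc=0
    for _js in "$@"; do
        if [ ! -f "$_js.zgz" ]; then
            echo "MISSING $_js.zgz"
            _rc=1
        # Decompress from stdin so gzip does not care about the .zgz suffix.
        elif ! gzip -dc < "$_js.zgz" | cmp -s - "$_js"; then
            echo "STALE $_js.zgz"
            _rc=1
        fi
    done
    return $_rc
}

# rebuild_zgz FILE.js
# Renames the old bundle to FILE.js.zgz.bak (the "rename for safety" advice
# above), then recompresses the current .js next to it.
rebuild_zgz() {
    _js=$1
    if [ -f "$_js.zgz" ]; then
        mv "$_js.zgz" "$_js.zgz.bak"
    fi
    gzip -c "$_js" > "$_js.zgz"
}

# Usage on a server, with the paths named in the post above:
#   cd /opt/zimbra/jetty_base/webapps/zimbra/js
#   stale_zgz MailCore_all.js NewWindow_2_all.js
```

Run it after any hand edit or patch to the bundles; a STALE line means browsers in non-dev mode are still being served the unpatched code.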
oetiker
Advanced member
Posts: 160
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 8.8.12.GA.3794.UBUNTU16.64

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby oetiker » Thu Jun 27, 2019 10:09 am

Hi

Thanks for the debug approach ....

I can verify it is working on my server... It is important to remove all caches in the browser...

great job

manuel
Last edited by oetiker on Thu Jun 27, 2019 11:33 am, edited 1 time in total.
phoenix
Ambassador
Posts: 26341
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby phoenix » Thu Jun 27, 2019 10:26 am

toslan wrote:

Finally I got it working. Here is the workaround.
/opt/zimbra/jetty_base/webapps/zimbra/js/zimbraMail/mail/model/ZmMailMsg.js - is not the only file containing interesting code. Find all of them in jetty_base directory:

grep -rwl "cid=cid.replace" /opt/zimbra/jetty_base

You will see some more files. In my case:
    /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js
    /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js
Replace
cid=cid.replace(/@zimbra/g, "@zimbra");
with
cid=cid.replace(/@/g, "@");
in all of them
Remove the gzipped versions of the changed files: MailCore_all.js.zgz and NewWindow_2_all.js.zgz (or, better, rename them for safety reasons).
Then rebuild them with gzip:

gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js
gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js

Clear browser cache and voila - the bug is gone!
Remember to keep copies of all changed files - just in case !!!

Thanks for posting the fix, it appears to be working a treat for me. :D

zmcontrol -v
Release 8.8.12_GA_3794.RHEL7_64_20190329045002 RHEL7_64 FOSS edition, Patch 8.8.12_P3.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
andrey.ivanov
Posts: 48
Joined: Wed Aug 08, 2018 8:44 am

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby andrey.ivanov » Thu Jun 27, 2019 11:58 am

An easier workaround from Zimbra support:

As a workaround please do the following on all mailbox servers
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

It did help me. Unfortunately it means that their new OWASP sanitizing framework is disabled (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P3). But it fixes both the attachment and printing problems, i.e. it fixes both cases:
"Case 00850083 Upgrade from 8.8.12_P2 to 8.8.12_P3 breaks printing inline images"
"Case 00849909 Infinite attachement since 8.8.12P3 in mail window"


It also fixed some broken HTML messages in the web client.

It corresponds to the following commit in git: https://github.com/Zimbra/zm-mailbox/co ... ae79c9272a
L. Mark Stone
Elite member
Posts: 2046
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby L. Mark Stone » Thu Jun 27, 2019 12:52 pm

andrey.ivanov wrote:

An easier workaround from Zimbra support:

As a workaround please do the following on all mailbox servers
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

It did help me. Unfortunately it means that their new OWASP sanitizing framework is disabled (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P3). But it fixes both the attachment and printing problems, i.e. it fixes both cases:
"Case 00850083 Upgrade from 8.8.12_P2 to 8.8.12_P3 breaks printing inline images"
"Case 00849909 Infinite attachement since 8.8.12P3 in mail window"


It also fixed some broken HTML messages in the web client.

It corresponds to the following commit in git: https://github.com/Zimbra/zm-mailbox/co ... ae79c9272a


As I understand it, the OWASP Sanitizer protects against cross site scripting attacks, including third-party javascript malware embedded in an otherwise normal looking email.

Not sure it's a good idea to disable that kind of protection for most users, even for a bug as incredibly annoying as this one.

I would be less concerned if Zimbra Support indicated that changing that localconfig value merely caused Zimbra to use the old sanitizer, as opposed to removing html sanitization entirely.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
oetiker
Advanced member
Posts: 160
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 8.8.12.GA.3794.UBUNTU16.64

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby oetiker » Thu Jun 27, 2019 1:00 pm

As I understand it, the OWASP Sanitizer protects against cross site scripting attacks, including third-party javascript malware embedded in an otherwise normal looking email.

Not sure it's a good idea to disable that kind of protection for most users, even for a bug as incredibly annoying as this one.

I would be less concerned if Zimbra Support indicated that changing that localconfig value merely caused Zimbra to use the old sanitizer, as opposed to removing html sanitization entirely.

All the best,
Mark


That was the answer of the Zimbra supporter:

Hello Manuel,

The command looks like OWASP gets disabled; is there not a security risk?
=> No, it's not a security risk. The OWASP module was introduced in ZCS 8.8.12 p2, which was causing this issue, so we disabled it.

Thanks & Regards,
Nagesh Bhagwat
Zimbra | A SYNACOR PRODUCT
Manager Assistance: zimbra-escalation@synacor.com
Inglebard
Posts: 14
Joined: Fri Jul 20, 2018 9:18 am

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Postby Inglebard » Thu Jun 27, 2019 1:55 pm



It is exactly the same patch I posted on this thread 2 weeks ago.
