8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

dominix
Advanced member
Posts: 51
Joined: Sat Sep 13, 2014 1:07 am
Location: Pacific sud
ZCS/ZD Version: 7.2.7 ... 8.8.15 ... 9.0.0

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by dominix »

This one works if I use a completely clean browser after the fix (and a "zmmailboxdctl restart"). But it doesn't if I use a browser that has been exposed to the previous js version.
There may be some deep cleaning to be done, like emptying the cache and so on.
juliano.morona
Posts: 11
Joined: Fri May 12, 2017 4:58 pm

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by juliano.morona »

dominix wrote:
This one works if I use a completely clean browser after the fix (and a "zmmailboxdctl restart"). But it doesn't if I use a browser that has been exposed to the previous js version.
There may be some deep cleaning to be done, like emptying the cache and so on.

I tested again unsuccessfully, using Chrome and Firefox with a clean cache, in anonymous mode and also with a clean installation. :o

What I realized is that the alternation between "format as html", "format as plain text txt" and "format as html" in the answer solved the problem for that email.
mgarbin
Posts: 35
Joined: Wed Jun 26, 2019 11:00 am

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by mgarbin »

The patch probably works, but only if you put your Zimbra in dev mode (at the end of the Zimbra link add &dev=1).
The problem is that you need to recompile the whole web interface. This is needed because in non-dev mode you are using the compressed and unified files in /opt/zimbra/jetty/webapps/zimbra/js/*.zgz, and only in dev mode are you using the javascript inside /opt/zimbra/jetty/webapps/js/zimbraMail.

Solution: learn to recompile the web interface or wait for a patch or a new Zimbra version ;)
toslan
Posts: 3
Joined: Tue Jun 25, 2019 12:01 pm

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by toslan »

Finally I got it working. Here is the workaround.
/opt/zimbra/jetty_base/webapps/zimbra/js/zimbraMail/mail/model/ZmMailMsg.js - is not the only file containing interesting code. Find all of them in jetty_base directory:

Code:

grep -rwl "cid=cid.replace" /opt/zimbra/jetty_base

You will see some more files. In my case:
  • /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js
  • /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js

Replace
cid=cid.replace(/@zimbra/g, "@zimbra");
with
cid=cid.replace(/@/g, "@");
in all of them.

Remove the gzipped versions of the changed files: MailCore_all.js.zgz and NewWindow_2_all.js.zgz (or better, rename them for safety reasons).
Then rebuild them with gzip:

Code:

gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js
gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js

Clear browser cache and voila - the bug is gone!
Remember to keep the copies of all changing files - just in case !!!
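
A check for the rebuild step in the workaround above, as an added example that is not part of the original post: since non-dev mode serves the .zgz bundles (as mgarbin notes), it reports every *_all.js whose .zgz sibling is missing or no longer decompresses to the same bytes. The function names are hypothetical; the default directory is the one given in the post.

```shell
#!/bin/sh
# Added example: find bundles whose .zgz copy does not match the .js source.
# Source this file, then run: check_zgz [DIR]

# Print "ok", "stale" or "missing" for one .js file and its .js.zgz sibling.
zgz_status() {
    js=$1
    zgz="$js.zgz"
    if [ ! -f "$zgz" ]; then
        echo missing
    elif gzip -dc < "$zgz" 2>/dev/null | cmp -s - "$js"; then
        # Decompressed bundle is byte-identical to the edited source.
        echo ok
    else
        # Different content, or the .zgz is not valid gzip data.
        echo stale
    fi
}

# Walk DIR and list every *_all.js bundle that is not "ok".
# Returns non-zero when at least one bundle is stale or missing.
check_zgz() {
    dir=${1:-/opt/zimbra/jetty_base/webapps/zimbra/js}
    rc=0
    for js in "$dir"/*_all.js; do
        [ -f "$js" ] || continue      # glob matched nothing
        st=$(zgz_status "$js")
        if [ "$st" != ok ]; then
            printf '%s: %s\n' "$st" "$js"
            rc=1
        fi
    done
    return $rc
}
```

Running it again after a later patch or upgrade shows whether the hand-edited bundles were replaced.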
oetiker
Outstanding Member
Posts: 275
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.0.6.GA.4518.UBUNTU20_64

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by oetiker »

Hi

thanks for the debug approach ....

I can verify it is working in my server... important is, to remove all caches on the browser...

great job

manuel
Last edited by oetiker on Thu Jun 27, 2019 11:33 am, edited 1 time in total.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by phoenix »

toslan wrote:
Finally I got it working. Here is the workaround.
/opt/zimbra/jetty_base/webapps/zimbra/js/zimbraMail/mail/model/ZmMailMsg.js - is not the only file containing interesting code. Find all of them in jetty_base directory:

Code:

grep -rwl "cid=cid.replace" /opt/zimbra/jetty_base

You will see some more files. In my case:
  • /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js
  • /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js

Replace
cid=cid.replace(/@zimbra/g, "@zimbra");
with
cid=cid.replace(/@/g, "@");
in all of them.

Remove the gzipped versions of the changed files: MailCore_all.js.zgz and NewWindow_2_all.js.zgz (or better, rename them for safety reasons).
Then rebuild them with gzip:

Code:

gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/MailCore_all.js
gzip -k -S .zgz /opt/zimbra/jetty_base/webapps/zimbra/js/NewWindow_2_all.js

Clear browser cache and voila - the bug is gone!
Remember to keep the copies of all changing files - just in case !!!

Thanks for posting the fix, it appears to be working a treat for me. :D

Code:

zmcontrol -v
Release 8.8.12_GA_3794.RHEL7_64_20190329045002 RHEL7_64 FOSS edition, Patch 8.8.12_P3.

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
andrey.ivanov
Advanced member
Posts: 50
Joined: Wed Aug 08, 2018 8:44 am

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by andrey.ivanov »

An easier workaround from Zimbra support :

Code:

As a workaround please do the following on all mailbox servers
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

It did help me. Unfortunately it means that their new OWASP sanitizing framework is disabled (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P3). But it fixes both attachments and printing problems, i.e. it fixes both cases:
"Case 00850083 Upgrade from 8.8.12_P2 to 8.8.12_P3 breaks printing inline images"
"Case 00849909 Infinite attachement since 8.8.12P3 in mail window"


It also fixed some broken html messages in web client.

It corresponds to the following commit in the git : https://github.com/Zimbra/zm-mailbox/co ... ae79c9272a
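
To keep track of which mailbox servers have had this workaround applied, the following added example (not from the post or from Zimbra) classifies the setting from zmlocalconfig output. The function names and sample lines are constructed, and the "key = value" output format is an assumption.

```shell
#!/bin/sh
# Added example: classify zimbra_use_owasp_html_sanitizer from zmlocalconfig
# output read on stdin. Prints disabled, enabled, unset or unknown:<value>.
sanitizer_state() {
    awk -v key=zimbra_use_owasp_html_sanitizer '
        BEGIN { state = "unset" }
        {
            eq = index($0, "=")
            if (eq == 0) next                      # not a key = value line
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/[ \t]+/, "", k)                  # strip padding around key
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)       # strip padding and CR
            if (k != key) next
            lv = tolower(v)
            if (lv == "false")     state = "disabled"
            else if (lv == "true") state = "enabled"
            else                   state = "unknown:" v
        }
        END { print state }'
}

# Constructed sample lines (assumed output format, not captured from a server).
SAMPLE_WORKAROUND='zimbra_use_owasp_html_sanitizer = FALSE'
SAMPLE_OTHER='zimbra_home = /opt/zimbra'

# Audit the local server; run as the zimbra user with zmlocalconfig on PATH.
# Returns 1 when the sanitizer is disabled, 2 when the tool is not available.
audit_local() {
    command -v zmlocalconfig >/dev/null 2>&1 || {
        echo "zmlocalconfig not found"
        return 2
    }
    state=$(zmlocalconfig zimbra_use_owasp_html_sanitizer 2>/dev/null | sanitizer_state)
    echo "zimbra_use_owasp_html_sanitizer: $state"
    [ "$state" != disabled ]
}
```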
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by L. Mark Stone »

andrey.ivanov wrote:
An easier workaround from Zimbra support :

Code:

As a workaround please do the following on all mailbox servers
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

It did help me. Unfortunately it means that their new OWASP sanitizing framework is disabled (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P3). But it fixes both attachments and printing problems, i.e. it fixes both cases:
"Case 00850083 Upgrade from 8.8.12_P2 to 8.8.12_P3 breaks printing inline images"
"Case 00849909 Infinite attachement since 8.8.12P3 in mail window"

It also fixed some broken html messages in web client.

It corresponds to the following commit in the git : https://github.com/Zimbra/zm-mailbox/co ... ae79c9272a

As I understand it, the OWASP Sanitizer protects against cross site scripting attacks, including third-party javascript malware embedded in an otherwise normal looking email.

Not sure it's a good idea to disable that kind of protection for most users, even for a bug as incredibly annoying as this one.

I would be less concerned if Zimbra Support indicated that changing that localconfig value merely caused Zimbra to use the old sanitizer, as opposed to removing html sanitization entirely.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
oetiker
Outstanding Member
Posts: 275
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 10.0.6.GA.4518.UBUNTU20_64

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by oetiker »

As I understand it, the OWASP Sanitizer protects against cross site scripting attacks, including third-party javascript malware embedded in an otherwise normal looking email.

Not sure it's a good idea to disable that kind of protection for most users, even for a bug as incredibly annoying as this one.

I would be less concerned if Zimbra Support indicated that changing that localconfig value merely caused Zimbra to use the old sanitizer, as opposed to removing html sanitization entirely.

All the best,
Mark

That was the answer of the Zimbra supporter:

Hello Manuel,

The command looks like OWASP gets disabled, is there not a security risk?
=> No, it's not a security risk. The OWASP module was introduced in ZCS 8.8.12 p2, which was causing this issue, so we disabled it.

Thanks & Regards,
Nagesh Bhagwat
Zimbra | A SYNACOR PRODUCT
Manager Assistance: zimbra-escalation@synacor.com
Inglebard
Posts: 28
Joined: Fri Jul 20, 2018 9:18 am

Re: 8.8.12 Patch 3 breaks inline signatures and creates multiple attachments

Post by Inglebard »

It is exactly the same patch I posted on this thread 2 weeks ago.