8.8.12 Patch 3 breaks printing messages with inline images

[andrey.ivanov]

Workaround from Zimbra support :

Code: Select all

As a workaround please do the following on all mailbox servers
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

It did help me. Unfortunately it means that their new owasp sanitizing framework is disabled (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P3). But it fixes both attachments and printing problems, i. e. it fixes both cases :
"Case 00850083 Upgrade from 8.8.12_P2 to 8.8.12_P3 breaks printing inline images"
"Case 00849909 Infinite attachement since 8.8.12P3 in mail window"

It also fixed some broken html messages in web client.

It corresponds to the following commit in the git : https://github.com/Zimbra/zm-mailbox/co ... ae79c9272a

[vpascual]

Hello,
Same problem in Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.

[phoenix]

Hello,
Same problem in Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.

Did you not read the two solutions in the posts just prior to yours or are you saying you tried those and they didn't work?

[vpascual]

Hello,
Same problem in Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.

Did you not read the two solutions in the posts just prior to yours or are you saying you tried those and they didn't work?

Sorry, I dont read the two solutions in the post few minuts before my post, should have coincided when I was writing.

I have tried the indicated solution and it works perfectly, thank you very much

[phoenix]

I have tried the indicated solution and it works perfectly, thank you very much

That's good, I'm glad you've resolved it.

[rickaotc]

Unfortunately it means that their new owasp sanitizing framework is disabled

I'm told by support this doesn't even work, disabling it is actually a good thing.

[khalilquza]

when I apply the fix, the emojis goes again

[gulaschcowboy]

Hi guys,

isn't the OWASP sanitizer a security related feature? Is it a good idea to disable it?

I tried this setting and I can confirm, that it fixes 3 problems:

- broken HTML rendering
- duplicated attachments
- broken printing preview rendering

BTW:
Unfortunately the Zimbra support was not helpful at all in this case.
They made me execute 9 or 10 tests, as they thought we have been hacked seeing those 3 issues.
Only one test (grep ua=python-requests /opt/zimbra/log/access_log*) was positive (not really - only 404 responses), but the support told me: You have been hacked, reinstall your server.
Searching for this user-agent string on a internet facing webserver is the weakest indication possible...

So I'm under-satisfied* with the support quality

*hard to stay polite

[gulaschcowboy]

To answer my own question, this is the official answer from Zimbra support:

Yes, that is correct. That is official workaround for now until the issue is properly fixed.
That is a new feature, and the developers decided to set this to FALSE. If they suggested that, that means no affect will have on the production. For more information you can see:
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P3
https://www.owasp.org/index.php/OWASP_J ... er_Project

I am suspecting the new fix will be included in the P4, which will be released on July 29th