Blank mail body after updating from 8.8.15 p29 to p30

bano
Posts: 1
Joined: Thu Mar 17, 2022 5:55 pm

Blank mail body after updating from 8.8.15 p29 to p30

Post by bano »

Hi everyone,
yesterday we upgraded a medium-sized Zimbra 8.8.15 installation from patch 29 to the latest available (8.8.15.1643980846.p30-1).
This morning we got several complaints about mails that were correctly rendered before the update, but are now displayed with a blank body.
I already saw some topics (dating from several months ago) about similar issues, and pointing to owasp; the issue is that the content was correctly displayed with patch 29.

From the evidence I got, the issue seems to be that owasp throws an exception when there's an html comment opening inside the body of the mail. Every time someone tries to display one of such mails, an entry similar to the following is logged in mailbox.log:

2022-03-17 15:44:44,010 WARN [qtp1684792003-70964:https://my.domain.com/service/soap/GetMsgRequest] [name=username@domain.com;mid=285;oip=::ffff:11.22.33.44;ua=ZimbraWebClient - FF98 (Linux)/8.8.15_GA_4232;soapId=18d00465;] soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : <!--

And yes, the body of the mail indeed contains at least one html comment opening ("<!--").

Has anyone seen such an issue, especially after a recent update? Or maybe found any workaround (besides disabling the html sanitization)?

Thanks in advance.
Kind regards,
Gabriele
M_vdM
Posts: 4
Joined: Fri Mar 18, 2022 2:02 pm

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by M_vdM »

Hi,

We have the same issue after that update.

What I found was that it looks like it is caused by the following code from the source of the emails:

Code:

@media only screen and (max-width: 550px), screen and (max-device-width: =
550px) {
  body[yahoo] .hide {display: none!important;}
  body[yahoo] .buttonwrapper {background-color: transparent!important;}
  body[yahoo] .button {padding: 0px!important;}
  body[yahoo] .button a {background-color: #e05443; padding: 15px 15px 13px=
!important;}
  body[yahoo] .unsubscribe {display: block; margin-top: 20px; padding: 10px=
 50px; background: #2f3942; border-radius: 5px; text-decoration: none!impor=
tant; font-weight: bold;}
  }

  /*@media only screen and (min-device-width: 601px) {
    .content {width: 600px !important;}
    .col425 {width: 425px!important;}
    .col380 {width: 380px!important;}
    }*/
 
When I remove that part from the e-mail and open it again the e-mail shows up as normal, but no real solution yet for it because these e-mails are sent by a 3rd party.

Kind regards,

M_vdM
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by ghen »

Can you share an e-mail message with this problem?
M_vdM
Posts: 4
Joined: Fri Mar 18, 2022 2:02 pm

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by M_vdM »

I can only share the part in my previous post. The rest of the e-mail contains company information, and after censoring it there will probably not be much left of the original e-mail anymore.

Kind regards,

M_vdM
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by L. Mark Stone »

We are experiencing this as well and have opened a Support Case with Zimbra to get this addressed. We are on Patch 30 FWIW.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Inglebard
Posts: 28
Joined: Fri Jul 20, 2018 9:18 am

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by Inglebard »

Hi,

Similar issue.

I am on 8.8.15 p31.

Here is the error:
soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : -->

I don't know when it began.

Do you have a workaround?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by L. Mark Stone »

Inglebard wrote:
Hi,

Similar issue.

I am on 8.8.15 p31.

Here is the error:
soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : -->

I don't know when it began.

Do you have a workaround?

There is no workaround yet.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Inglebard
Posts: 28
Joined: Fri Jul 20, 2018 9:18 am

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by Inglebard »

Has anyone tried to disable owasp?

Code:

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by L. Mark Stone »

In response to the case I opened, Zimbra Support have opened a bug to address this issue: ZBUG-2744.

If you are a Network Edition customer for whom addressing this bug is a priority (e.g. impacts a large number of users and/or renders important emails like payroll deposit notifications unreadable), you can open your own Support Case to ask that this bug be addressed as a priority.

When you open the case, I'd suggest including log file snippets showing the error, and also include the ASCII versions of the bodies of the impacted emails, to empower the developers to update the OWASP sanitizer to include as many of these situations as practicable.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
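
An added example, not part of the thread and not Zimbra's own tooling: a small parser for the mailbox.log entry format quoted in the first post, which groups sanitizer failures by account and message id and counts the offending text so the log evidence for a support case can be collected without turning the sanitizer off. The sample lines are constructed from the entry quoted above; the second account, the extra message id and the INFO line are assumptions.

```python
import re
from collections import Counter, defaultdict

# Shape of the WARN entry quoted in the first post of this thread.
ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+) WARN\s+\[[^\]]*\] \[(?P<ctx>[^\]]*)\] soap - "
    r"Exception during HTML sanitization: (?P<exc>[\w.$]+): (?P<detail>.*)$"
)

def parse_entry(line):
    """Return the fields of a sanitizer-failure entry, or None for other lines."""
    m = ENTRY.match(line.rstrip("\n"))
    if not m:
        return None
    # The context block is a ';'-separated list of key=value pairs.
    ctx = dict(p.split("=", 1) for p in m["ctx"].split(";") if "=" in p)
    # The offending text follows the last " : " in the exception message.
    token = m["detail"].rpartition(" : ")[2].strip()
    return {"ts": m["ts"], "account": ctx.get("name"), "mid": ctx.get("mid"),
            "ua": ctx.get("ua"), "exception": m["exc"], "token": token}

def summarize(lines):
    """Map account -> sorted unique message ids, and count offending tokens."""
    per_account, tokens = defaultdict(set), Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry:
            per_account[entry["account"]].add(entry["mid"])
            tokens[entry["token"]] += 1
    return {a: sorted(mids) for a, mids in per_account.items()}, dict(tokens)

# Constructed sample input (first line is the entry quoted in the thread).
SAMPLE = [
    "2022-03-17 15:44:44,010 WARN [qtp1684792003-70964:https://my.domain.com/service/soap/GetMsgRequest] [name=username@domain.com;mid=285;oip=::ffff:11.22.33.44;ua=ZimbraWebClient - FF98 (Linux)/8.8.15_GA_4232;soapId=18d00465;] soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : <!--",
    "2022-03-17 15:45:10,231 WARN [qtp1684792003-70964:https://my.domain.com/service/soap/GetMsgRequest] [name=username@domain.com;mid=285;oip=::ffff:11.22.33.44;ua=ZimbraWebClient - FF98 (Linux)/8.8.15_GA_4232;soapId=18d00466;] soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : <!--",
    "2022-03-17 15:46:02,118 WARN  [qtp1684792003-70971:https://my.domain.com/service/soap/GetMsgRequest] [name=other@domain.com;mid=312;oip=::ffff:11.22.33.44;ua=ZimbraWebClient - FF98 (Linux)/8.8.15_GA_4232;soapId=18d0047a;] soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : -->",
    "2022-03-17 15:46:05,400 INFO  [qtp1684792003-70980:https://my.domain.com/service/soap/NoOpRequest] [name=other@domain.com;] soap - request completed",
]

if __name__ == "__main__":
    accounts, tokens = summarize(SAMPLE)
    for account, mids in sorted(accounts.items()):
        print(account, "message ids:", ", ".join(mids))
    print("offending text counts:", tokens)
```

To run it against a real log, pass the open file object to `summarize` in place of `SAMPLE`.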
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Blank mail body after updating from 8.8.15 p29 to p30

Post by L. Mark Stone »

Inglebard wrote:
Has anyone tried to disable owasp?

Code:

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

Turning this off means losing this otherwise excellent defense against cross site scripting attacks.

At least in the cases our users reported, the emails render OK on their mobile devices, so there is already a kind of workaround.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate