Opened 7 years ago

Closed 7 years ago

#1239 closed defect (fixed)

IMAP interface causes password "corruption" when no Bote password configured

Reported by: str4d Owned by: str4d
Priority: major Milestone: 0.9.12
Component: apps/plugins Version: 0.9.11
Keywords: i2pbote Cc:
Parent Tickets: Sensitive: no


The IMAP interface uses the Bote password for authentication. If Bote has no password configured, then any password string can be used in the mail client (e.g. Thunderbird), and it will authenticate.

However, after authenticating (by checking that the password file does not exist), Bote starts using whatever password string Thunderbird passes in as the real password. This includes encrypting files on-disk with it.

user (who reported this) found that after using Thunderbird with the IMAP and SMTP interfaces to send email, only the emails that were sent were displayed. Existing emails were never showed. Additionally, in the Bote web interface, existing emails disappeared, but the "cached password" icon appeared. The debug test for readable files found that the only files that could be decrypted were ones encrypted with the random string used in Thunderbird for IMAP auth; all other files (encrypted with the default password because the Bote password was empty) were unreadable. The Thunderbird-encrypted files were email files, and the identities file - the only parts that the IMAP interface interacts with.

Clearing the cached password in Bote web interface then caused folder.jsp to error (for :

Problems calling function 'ib:getNameAndShortDestination javax.el.ELException: Problems calling function 'ib:getOneLocalRecipient' Caused by: Can't decrypt using cached key.
  at i2p.bote.fileencryption.EncryptedInputStream.readInputStream(
  at i2p.bote.fileencryption.EncryptedInputStream.<init>(
  at i2p.bote.web.JSPHelper.getOneLocalRecipient(
  at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(
  at java.lang.reflect.Method.invoke(
  at org.apache.el.parser.AstFunction.getValue(
  ... 37 more

This looks like a bug in how the IMAP interface sets the password, or how Bote handles being passed a non-empty password when none is set (in the web interface, this case could never occur).


Change History (3)

comment:1 Changed 7 years ago by str4d

<user> TB opened, and inbox loads from webui again

This clearly implies a Bote password-setting problem.

comment:2 Changed 7 years ago by str4d

Milestone: 0.9.12
Owner: set to str4d
Status: newaccepted

comment:3 Changed 7 years ago by str4d

Resolution: fixed
Status: acceptedclosed

Fixed in fe1c9965409f6b30acfb2160f3c3962659f683f7

Note: See TracTickets for help on using tickets.