20 Jul 2013, 08:15 AM   #8
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
Gah! Somebody performed a key-exhaustion attack on the MsgUnqId that's used to link messages and attachments. The immediate middle-of-the-night fixup of increasing the keyspace for SendMessages fixed sending, but didn't fix adding attachments.

Altering the other database tables related to attachments fixed that issue - the underlying problem that attachments were silently not attached is a more significant bug. If something goes wrong the correct approach is to raise an error, not silently do half the job.

I've raised that as a P1 bug internally and CC'd basically everybody!

We have put in place additional limits to make sure nobody can jump an ID right to the top of the keyspace in future.

Bron.