From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-3.9 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00 shortcircuit=no autolearn=ham autolearn_force=no version=3.4.1 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id 3C42A1F516; Tue, 26 Jun 2018 07:46:58 +0000 (UTC) Date: Tue, 26 Jun 2018 07:46:58 +0000 From: Eric Wong To: Leah Neukirchen Cc: meta@public-inbox.org Subject: [PATCH] additional tests for bad Message-IDs in URLs Message-ID: <20180626074658.kg7on7fjwvxn5h3s@dcvr> References: <871sdfzy80.fsf@gmail.com> <20180612100915.shfo3ltn6aj55mrf@dcvr> <8736xsb5s5.fsf@vuxu.org> <20180613214055.2nudcx5e7w2y4q73@dcvr> <20180613224356.jz7abxkyg4i3tlf5@dcvr> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20180613224356.jz7abxkyg4i3tlf5@dcvr> List-Id: Followup-to: 73cfed86d8a8287a ("www: use undecoded paths for Message-ID extraction") Reported-by: Leah Neukirchen https://public-inbox.org/meta/8736xsb5s5.fsf@vuxu.org/ --- Oops, forgot this earlier :x MANIFEST | 1 + t/psgi_bad_mids.t | 85 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 t/psgi_bad_mids.t
diff --git a/MANIFEST b/MANIFEST
index 08a8ef4..68c79c9 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -182,6 +182,7 @@ t/perf-threading.t
 t/plack.t
 t/precheck.t
 t/psgi_attach.t
+t/psgi_bad_mids.t
 t/psgi_mount.t
 t/psgi_search.t
 t/psgi_text.t
diff --git a/t/psgi_bad_mids.t b/t/psgi_bad_mids.t
new file mode 100644
index 0000000..5008f5b
--- /dev/null
+++ b/t/psgi_bad_mids.t
@@ -0,0 +1,85 @@
+# Copyright (C) 2018 all contributors
+# License: AGPL-3.0+
+use strict;
+use warnings;
+use Test::More;
+use File::Temp qw/tempdir/;
+use PublicInbox::MIME;
+use PublicInbox::Config;
+use PublicInbox::WWW;
+my @mods = qw(DBD::SQLite Search::Xapian HTTP::Request::Common Plack::Test
+ URI::Escape Plack::Builder);
+foreach my $mod (@mods) {
+ eval "require $mod";
+ plan skip_all => "$mod missing for psgi_bad_mids.t" if $@;
+}
+use_ok($_) for @mods;
+use_ok 'PublicInbox::V2Writable';
+my $mainrepo = tempdir('pi-bad-mids-XXXXXX', TMPDIR => 1, CLEANUP => 1);
+my $cfgpfx = "publicinbox.bad-mids";
+my $ibx = {
+ mainrepo => $mainrepo,
+ name => 'bad-mids',
+ version => 2,
+ -primary_address => 'test@example.com',
+};
+$ibx = PublicInbox::Inbox->new($ibx);
+my $im = PublicInbox::V2Writable->new($ibx, 1);
+$im->{parallel} = 0;
+
+my $msgs = <<'';
+F1V5OR6NMF.3M649JTLO9IXD@tux.localdomain/hehe1"'/foo
+F1V5MIHGCU.2ABINKW6WBE8N@tux.localdomain/raw
+F1V5LF9D9C.2QT5PGXZQ050E@tux.localdomain/t.atom
+F1V58X3CMU.2DCCVAKQZGADV@tux.localdomain/../../../../foo
+F1TVKINT3G.2S6I36MXMHYG6@tux.localdomain" onclick="alert(1)"
+
+my @mids = split(/\n/, $msgs);
+my $i = 0;
+foreach my $mid (@mids) {
+ my $data = << "";
+Subject: test
+Message-ID: <$mid>
+From: a\@example.com
+To: b\@example.com
+Date: Fri, 02 Oct 1993 00:00:0$i +0000
+
+
+ my $mime = PublicInbox::MIME->new(\$data);
+ ok($im->add($mime), "added $mid");
+ $i++
+}
+$im->done;
+
+my $cfg = {
+ "$cfgpfx.address" => $ibx->{-primary_address},
+ "$cfgpfx.mainrepo" => $mainrepo,
+};
+my $config = PublicInbox::Config->new($cfg);
+my $www = PublicInbox::WWW->new($config);
+test_psgi(sub { $www->call(@_) }, sub {
+ my ($cb) = @_;
+ my $res = $cb->(GET('/bad-mids/'));
+ is($res->code, 200, 'got 200 OK listing');
+ my $raw = $res->content;
+ foreach my $mid (@mids) {
+ ok(index($raw, $mid) < 0, "escaped $mid");
+ }
+
+ my (@xmids) = ($raw =~ m!\bhref="([^"]+)/t\.mbox\.gz"!sg);
+ is(scalar(@xmids), scalar(@mids),
+ 'got escaped links to all messages');
+
+ @xmids = reverse @xmids;
+ foreach my $i (0..$#xmids) {
+ $res = $cb->(GET("/bad-mids/$xmids[$i]/raw"));
+ is($res->code, 200, 'got 200 OK raw message');
+ like($res->content, qr/Message-ID: <\Q$mids[$i]\E>/s,
+ 'retrieved correct message');
+ }
+});
+
+done_testing();
+
+1;
-- EW
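Review bot: The escaping check in the listing loop, `ok(index($raw, $mid) < 0, "escaped $mid")`, only proves that the byte-exact Message-ID is absent from the page, so it would still pass if the listing emitted a differently mangled form that left whitespace or angle brackets unescaped inside an attribute. A positive assertion on the extracted links would pin the property directly, for example `unlike($_, qr/[<>\s]/, "href is attribute-safe: $_") for @xmids;` right after the count comparison. The later `@xmids = reverse @xmids;` pairs links with `@mids` by position, which appears to depend on the listing being newest-first and on the `00:00:0$i` dates; a comment such as `# listing is newest-first; reverse so $xmids[$i] matches $mids[$i]` would record that assumption. Only `/raw` is requested per message, so the HTML and Atom views that print the Message-ID are not exercised here.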