* stable 1.6.1 release? [was: [PATCH] eml: fix undefined vars on <Perl 5.28]
From: Eric Wong @ 2020-12-26 20:35 UTC (permalink / raw)
To: Ali Alnubani, Konstantin Ryabitsev; +Cc: meta
Ali Alnubani <alialnu@nvidia.com> wrote:
> I no longer see the uninitialized value warnings or the test
> failure on Debian 9 with both patches applied on master. Do
> you plan on creating a new release tag soon with these fixes?
Thanks, pushed to master and I've started a stable-1.6 branch
to https://80x24.org/public-inbox.git with 29 commits
cherry-picked from master which I hope are suitable.
There are two more I'm tempted to cherry-pick, though they
introduce behavior changes:
fe01d7b117c8b1e1 import: drop X-Status in addition to Status
1bf653ad139bf7bb nntp+www: drop List-* and Archived-At headers
Konstantin: thoughts on 1bf653ad139bf7bb being suitable for 1.6.1?
Anyways, here's what I have so far:
fdbd73069af6eed9 eml: fix undefined vars on <Perl 5.28
e16e09b239b4d8bf t/config: test --get-urlmatch for git <2.26
933fce93167eba86 inboxidle: avoid needless syscalls on refresh
a0b470cbaf01c699 inboxidle: clue users into resolving ENOSPC from inotify
b782533a0413578d inbox: name variable for values loop iterator
4f1a683dc895a7bd public-inbox-v[12]-format.pod: make lexgrog happy
7a92c24157953dc6 manifest.js.gz: fix per-inbox /$INBOX/manifest.js.gz
78e81ae914ad24df Fix manpage section of perl module documentation
a4a1a74a2f60ec58 t/psgi_v2: ignore warnings on missing P::M::ReverseProxy
1cbb6243533fc2d4 daemon: support --daemonize without Net::Server::Daemonize
734daa9b165e248c doc: v2-format: drop repeated word
b63c27f36a44d8de over: ensure old, merged {tid} is really gone
c39ed01a3a4c6c46 wwwattach: prevent deep-linking via Referer match
0366c73f20b436d4 t/eml.t: workaround newer Email::MIME* behavior
bf14a3670da72358 nntp: attempt RFC 5536 3.1.5-conformant Path: headers
2fcf2b14a9ce3336 nntp: delimit Newsgroup: header with commas
31f9b61a318f4daf tls: epollbit: account for miscellaneous OpenSSL errors
5efbbd5e3e45ff3a scripts/dupe-finder: restore $dbh variable
59cc88bb5bc5ce3e searchidx: index lower-case List-Id value
4ccff6f9122da89c ds: add missing label for systems w/o EPOLLEXCLUSIVE
f9c3b3746445219b imap: avoid raising exception if client disconnects
e578a012532cd91f idxstack: fix comment about file_char
d94b6dd634381748 mda: match List-Id insensitively
c6ca576baf1700a8 mid: drop repeated ';' in mid_escape() regular expression
8e9d4f877730dbdf doc: post-1.6 updates, start 1.7
d6d442866106248e config: warn on multiple values for some fields
64f7ab3a571b9db0 doc: txt2pre: more manpage URLs
915e01b9cd771a84 doc: flow: include -imapd
dec02da946b6bb29 t/indexlevels-mirror: fix improperly skipped test
Thoughts?
Fwiw, I consider these two the most important and was
considering a 1.6.1 release even before the recent fixes:
7a92c24157953dc6 manifest.js.gz: fix per-inbox /$INBOX/manifest.js.gz
b63c27f36a44d8de over: ensure old, merged {tid} is really gone
* [PATCH v2] wwwattach: prevent deep-linking via Referer match
From: Eric Wong @ 2020-11-23 14:15 UTC (permalink / raw)
To: meta; +Cc: Leah Neukirchen
This prevents `<img src=' tags from being used to deep-link
image attachments from HTML outside of the current host and
reduces potential for abuse.
Some browsers (e.g. Firefox) favor content detection and will
display images irrespective of the Content-Type header being
"application/octet-stream", and "Content-Disposition: attachment"
doesn't stop them, either.
Tested with dillo and Firefox.
Reported-by: Leah Neukirchen <leah@vuxu.org>
---
Deployed on public-inbox.org (http://ou63pmih66umazou.onion/)
but not others.
lib/PublicInbox/WwwAttach.pm | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/lib/PublicInbox/WwwAttach.pm b/lib/PublicInbox/WwwAttach.pm
index 0b2cda90..09c66d02 100644
--- a/lib/PublicInbox/WwwAttach.pm
+++ b/lib/PublicInbox/WwwAttach.pm
@@ -9,6 +9,22 @@ use bytes (); # only for bytes::length
use PublicInbox::EmlContentFoo qw(parse_content_type);
use PublicInbox::Eml;
+sub referer_match ($) {
+ my ($ctx) = @_;
+ my $env = $ctx->{env};
+ my $referer = $env->{HTTP_REFERER} // '';
+ return 1 if $referer eq ''; # no referer is always OK for wget/curl
+
+ # prevent deep-linking from other domains on some browsers (Firefox)
+ # n.b.: $ctx->{-inbox}->base_url($env) with INBOX_URL won't work
+ # with dillo, we can only match "$url_scheme://$HTTP_HOST/" without
+ # path components
+ my $base_url = $env->{'psgi.url_scheme'} . '://' .
+ ($env->{HTTP_HOST} //
+ "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/';
+ index($referer, $base_url) == 0;
+}
+
sub get_attach_i { # ->each_part callback
my ($part, $depth, $idx) = @{$_[0]};
my $ctx = $_[1];
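Review bot: the base URL built in referer_match from `psgi.url_scheme` will not match browser-sent Referers when the daemon sits behind a TLS-terminating reverse proxy: the PSGI scheme is then "http" while the Referer starts with "https://$HTTP_HOST/", so every same-host image load gets refused by the 403 path in the next hunk. Consider honouring a forwarded scheme (or a configured base URL) when building `$base_url`, and add a comment that the empty-Referer early return means any page served with a no-referrer policy bypasses the check entirely, so this is a best-effort deterrent rather than a hard control, matching the "reduces potential for abuse" wording in the commit message. The trailing "/" on `$base_url` is what stops "$scheme://$HTTP_HOST.evil.example/" from prefix-matching, so it should stay; a comment saying so would save a future reader from dropping it.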
@@ -28,8 +44,14 @@ sub get_attach_i { # ->each_part callback
$ctx->{env});
$part = $ctx->zflush($part->body);
} else { # TODO: allow user to configure safe types
- $res->[1]->[1] = 'application/octet-stream';
- $part = $part->body;
+ if (referer_match($ctx)) {
+ $res->[1]->[1] = 'application/octet-stream';
+ $part = $part->body;
+ } else {
+ $res->[0] = 403;
+ $res->[1]->[1] = 'text/plain';
+ $part = "Deep-linking prevented\n";
+ }
}
push @{$res->[1]}, 'Content-Length', bytes::length($part);
$res->[2]->[0] = $part;
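Review bot: no test accompanies the new 403 branch; the change is easy to verify end-to-end with a PSGI test that requests a non-image attachment once without a Referer, once with a same-host Referer (expect 200 and application/octet-stream) and once with a foreign Referer (expect 403, text/plain, body "Deep-linking prevented\n"). Two smaller points: the 403 body is served as bare text/plain without a charset, and since the check only guards the non-safe-type `else` branch, the TODO above it about user-configurable safe types now also affects which types are subject to the Referer check, which is worth a sentence in the comment.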
2020-11-07 19:10 MIME types for image attachments Leah Neukirchen
2020-11-07 20:39 ` Eric Wong
2020-11-08 0:05 ` Leah Neukirchen
2020-11-08 7:49 ` [PATCH] wwwattach: set "Content-Disposition: attachment" Eric Wong
2020-11-23 14:15 7% ` [PATCH v2] wwwattach: prevent deep-linking via Referer match Eric Wong
2020-12-26 11:27 [Debian 9][Perl 5.24] uninitialized value errors in Encode/MIME/Header.pm Ali Alnubani
2020-12-26 12:25 ` [PATCH] eml: fix undefined vars on <Perl 5.28 Eric Wong
2020-12-26 14:10 ` Ali Alnubani
2020-12-26 20:35 5% ` stable 1.6.1 release? [was: [PATCH] eml: fix undefined vars on <Perl 5.28] Eric Wong