authorEric Wong <e@80x24.org>2014-04-22 09:24:45 +0000
committerEric Wong <e@80x24.org>2014-04-22 09:32:47 +0000
commit48dc8ff5e67714985897047c189bdf019b796a60 (patch)
treeb0f196789c42969d28de8ed606c9478e9090bf0d
parent7a5c9dd00ed82ffb71cd5bec41aa1c615de12ada (diff)
downloadpublic-inbox-48dc8ff5e67714985897047c189bdf019b796a60.tar.gz
While we're at it, make sure strange characters are escaped properly
in Message-IDs.  We'll need tests for all this behavior.
-rw-r--r--Documentation/design_www.txt3
-rw-r--r--TODO1
-rw-r--r--lib/PublicInbox/Feed.pm15
-rwxr-xr-xpublic-inbox.cgi3
4 files changed, 14 insertions, 8 deletions
diff --git a/Documentation/design_www.txt b/Documentation/design_www.txt
index 226a22c9..50c97317 100644
--- a/Documentation/design_www.txt
+++ b/Documentation/design_www.txt
@@ -13,6 +13,9 @@ URL naming
 /$LISTNAME/f/$MESSAGE_ID                        -> 301 to .html version
 /$LISTNAME/f/$MESSAGE_ID.txt                    -> 301 to m/$MESSAGE_ID.txt
 
+FIXME: we must refactor/cleanup/add tests for most of our CGI before
+adding more endpoints and features.
+
 Maybe TODO (these might be expensive)
 -------------------------------------
 /$LISTNAME/t/$MESSAGE_ID.html                   -> HTML content of thread
diff --git a/TODO b/TODO
new file mode 100644
index 00000000..76020a7f
--- /dev/null
+++ b/TODO
@@ -0,0 +1 @@
+* header -> HTML/XML sanitization
diff --git a/lib/PublicInbox/Feed.pm b/lib/PublicInbox/Feed.pm
index 3fc3775b..93ee80bb 100644
--- a/lib/PublicInbox/Feed.pm
+++ b/lib/PublicInbox/Feed.pm
@@ -262,11 +262,13 @@ sub add_to_feed {
         my $midurl = $feed_opts->{midurl} || 'http://example.com/m/';
         my $fullurl = $feed_opts->{fullurl} || 'http://example.com/f/';
 
-        my $content = PublicInbox::View->as_feed_entry($mime, $fullurl);
-        defined($content) or return 0;
-
         my $mid = utf8_header($mime, "Message-ID") or return 0;
-        $mid =~ s/\A<//; $mid =~ s/>\z//;
+        # FIXME: refactor
+        my (undef, $href) = PublicInbox::View::trim_message_id($mid);
+
+        my $content = PublicInbox::View->as_feed_entry($mime,
+                                                        "$fullurl$href.html");
+        defined($content) or return 0;
 
         my $subject = utf8_header($mime, "Subject") || "";
         length($subject) or return 0;
@@ -279,7 +281,6 @@ sub add_to_feed {
         my $email = $from[0]->address;
         defined $email or $email = "";
 
-        my $url = $midurl . uri_escape($mid);
         my $date = utf8_header($mime, "Date");
         $date or return 0;
         $date = feed_date($date) or return 0;
@@ -288,7 +289,7 @@ sub add_to_feed {
                 title => $subject,
                 updated => $date,
                 content => { type => "html", content => $content },
-                link => $url,
+                link => $midurl . $href,
                 id => $add,
         );
         1;
@@ -303,7 +304,7 @@ sub dump_html_line {
                 my $mid = utf8_header($simple, "Message-ID");
                 $mid =~ s/\A<//;
                 $mid =~ s/>\z//;
-                my $url = $args->[1] . uri_escape($mid);
+                my $url = $args->[1] . xs_html(uri_escape($mid));
                 my $from = utf8_header($simple, "From");
                 my @from = Email::Address->parse($from);
                 $from = $from[0]->name;
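Review bot: dump_html_line still strips the angle brackets by hand on its two `$mid =~ s/...//;` lines and escapes inline with `xs_html(uri_escape($mid))`, while add_to_feed now delegates the same work to `PublicInbox::View::trim_message_id`; the bare `# FIXME: refactor` in add_to_feed would carry more weight if it named that, e.g. `# FIXME: dump_html_line should also use trim_message_id instead of hand-trimming and escaping`. The first value returned by trim_message_id is discarded with `undef`, so a reader cannot tell from this file what `$href` is; a one-line comment saying it is the URI-escaped Message-ID, and whether it is additionally HTML-escaped, would help. That last point matters for `link => $midurl . $href` in the Atom entry: if `$href` is already HTML-escaped the way the `xs_html(uri_escape(...))` call site is, the feed serializer's own XML escaping would encode it a second time, which is worth confirming against trim_message_id. Both add_to_feed and dump_html_line start and end outside these hunks.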
diff --git a/public-inbox.cgi b/public-inbox.cgi
index 33313bf5..b9b484be 100755
--- a/public-inbox.cgi
+++ b/public-inbox.cgi
@@ -167,8 +167,9 @@ sub get_mid_html {
         my $x = mid2blob($ctx);
         return r404() unless $x;
 
-        my $pfx = "../f/" . uri_escape($ctx->{mid}) . ".html";
         require PublicInbox::View;
+        my $mid_href = PublicInbox::View::ascii_html(uri_escape($ctx->{mid}));
+        my $pfx = "../f/$mid_href.html";
         require Email::MIME;
         [ "200 OK", {'Content-Type' => 'text/html'},
                 PublicInbox::View->as_html(Email::MIME->new($$x), $pfx)];
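Review bot: The Message-ID is escaped here with `PublicInbox::View::ascii_html(uri_escape($ctx->{mid}))`, while the equivalent line in lib/PublicInbox/Feed.pm in this same commit uses `xs_html(uri_escape($mid))`; unless the two helpers are intentionally different, one shared helper for "URI-escape then HTML-escape a Message-ID" would keep the escaping rule in a single place. Because `$pfx` is now escaped by the caller rather than inside `as_html`, that contract should be stated at the assignment, e.g. `# $pfx is inserted into HTML by as_html as-is, so it must already be HTML-escaped (NOTE: confirm against View.pm)`. Whether `$ctx->{mid}` has been validated before `mid2blob($ctx)` is not visible in this hunk; this change covers output escaping only. get_mid_html's body continues past the hunk.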