author | Eric Wong <e@yhbt.net> | 2020-02-15 09:46:39 +0000 |
---|---|---|
committer | Eric Wong <e@yhbt.net> | 2020-02-16 00:06:48 +0000 |
commit | 1fee6f86d7ee78161cc48a00232654f13a14bb88 (patch) | |
tree | 4bc0018a153537cd3005bf87fb5fec7b6dde17d3 /t | |
parent | 4c4de0022f40e09c4db7665cc573a3cb94f753a3 (diff) | |
download | public-inbox-1fee6f86d7ee78161cc48a00232654f13a14bb88.tar.gz |
We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that. '<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs. Start getting rid of the bloated, over-engineered OO Hval API while we're at it; I only noticed this bug because I started killing off Hval->new* callers.
Diffstat (limited to 't')
-rw-r--r-- | t/psgi_bad_mids.t | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/t/psgi_bad_mids.t b/t/psgi_bad_mids.t
index d86c90bc..43025a4d 100644
--- a/t/psgi_bad_mids.t
+++ b/t/psgi_bad_mids.t
@@ -28,6 +28,7 @@ $im->{parallel} = 0;
 my $msgs = <<'';
 F1V5OR6NMF.3M649JTLO9IXD@tux.localdomain/hehe1"'<foo
 F1V5NB0PTU.3U0DCVGAJ750Z@tux.localdomain"'<>/foo
+F1V5NB0PTU.3U0DCVGAJ750Z@tux&.ampersand
 F1V5MIHGCU.2ABINKW6WBE8N@tux.localdomain/raw
 F1V5LF9D9C.2QT5PGXZQ050E@tux.localdomain/t.atom
 F1V58X3CMU.2DCCVAKQZGADV@tux.localdomain/../../../../foo
@@ -70,9 +71,13 @@ test_psgi(sub { $www->call(@_) }, sub {
 'got escaped links to all messages');
 @xmids = reverse @xmids;
+my %uxs = ( gt => '>', lt => '<' );
 foreach my $i (0..$#xmids) {
-$res = $cb->(GET("/bad-mids/$xmids[$i]/raw"));
-is($res->code, 200, 'got 200 OK raw message');
+my $uri = $xmids[$i];
+$uri =~ s/&#([0-9]+);/sprintf("%c", $1)/sge;
+$uri =~ s/&(lt|gt);/$uxs{$1}/sge;
+$res = $cb->(GET("/bad-mids/$uri/raw"));
+is($res->code, 200, 'got 200 OK raw message '.$uri);
 like($res->content, qr/Message-ID: <\Q$mids[$i]\E>/s,
 'retrieved correct message');
 }
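Review bot: The two sequential substitutions on `$uri` can double-unescape: the numeric pass runs first, so an href whose escaped text contains `&#38;lt;` (a Message-ID holding the literal characters `&lt;`) is turned into `&lt;` and then into `<` by the second pass, and the requested path no longer matches what the link actually pointed at. A single-pass decode avoids the ordering problem: `$uri =~ s/&(?:#([0-9]+)|(lt|gt));/defined $1 ? chr($1) : $uxs{$2}/ge;` (the `/s` flag is a no-op on these patterns, and `chr` reads more directly than `sprintf "%c"`). `%uxs` only knows `lt` and `gt`; if the href side ever emits named `&amp;` or `&quot;` instead of numeric entities they pass through undecoded and the GET would hit a different path, so a comment such as `# links are expected to use numeric entities for everything but < and >` would document the assumption the test now relies on. The enclosing `test_psgi` callback starts before this hunk.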