about summary refs log tree commit homepage
path: root/t
diff options
context:
space:
mode:
authorEric Wong <e@yhbt.net>2020-02-15 09:46:39 +0000
committerEric Wong <e@yhbt.net>2020-02-16 00:06:48 +0000
commit1fee6f86d7ee78161cc48a00232654f13a14bb88 (patch)
tree4bc0018a153537cd3005bf87fb5fec7b6dde17d3 /t
parent4c4de0022f40e09c4db7665cc573a3cb94f753a3 (diff)
downloadpublic-inbox-1fee6f86d7ee78161cc48a00232654f13a14bb88.tar.gz
We need to escape ampersands (and some other characters for href
attributes), so introduce a `mid_href' sub to do just that.

'<', '>' and '"'  were always escaped, so there's no risk of tag
or attribute injection, but creative Message-IDs could cause
confusion for some parsers and generate invalid URLs.

Start getting rid of the bloated, over-engineered OO Hval API
while we're at it, I only noticed this bug because I started
killing off Hval->new* callers.
Diffstat (limited to 't')
-rw-r--r--t/psgi_bad_mids.t9
1 files changed, 7 insertions, 2 deletions
diff --git a/t/psgi_bad_mids.t b/t/psgi_bad_mids.t
index d86c90bc..43025a4d 100644
--- a/t/psgi_bad_mids.t
+++ b/t/psgi_bad_mids.t
@@ -28,6 +28,7 @@ $im->{parallel} = 0;
 my $msgs = <<'';
 F1V5OR6NMF.3M649JTLO9IXD@tux.localdomain/hehe1"'<foo
 F1V5NB0PTU.3U0DCVGAJ750Z@tux.localdomain"'<>/foo
+F1V5NB0PTU.3U0DCVGAJ750Z@tux&.ampersand
 F1V5MIHGCU.2ABINKW6WBE8N@tux.localdomain/raw
 F1V5LF9D9C.2QT5PGXZQ050E@tux.localdomain/t.atom
 F1V58X3CMU.2DCCVAKQZGADV@tux.localdomain/../../../../foo
@@ -70,9 +71,13 @@ test_psgi(sub { $www->call(@_) }, sub {
                 'got escaped links to all messages');
 
         @xmids = reverse @xmids;
+        my %uxs = ( gt => '>', lt => '<' );
         foreach my $i (0..$#xmids) {
-                $res = $cb->(GET("/bad-mids/$xmids[$i]/raw"));
-                is($res->code, 200, 'got 200 OK raw message');
+                my $uri = $xmids[$i];
+                $uri =~ s/&#([0-9]+);/sprintf("%c", $1)/sge;
+                $uri =~ s/&(lt|gt);/$uxs{$1}/sge;
+                $res = $cb->(GET("/bad-mids/$uri/raw"));
+                is($res->code, 200, 'got 200 OK raw message '.$uri);
                 like($res->content, qr/Message-ID: <\Q$mids[$i]\E>/s,
                         'retrieved correct message');
         }