From fcf9cd6dc8b35a0f386d39a0823b693855cd8715 Mon Sep 17 00:00:00 2001
From: Eric Wong <e@80x24.org>
Date: Tue, 15 Mar 2022 20:45:02 +0000
Subject: www: loosen deep-linking prevention

Apparently some browsers can set a Referer: header which fails
to match.  I'm not certain why, but making "$schema://$HOST_PORT"
matches case-insensitive seems more correct regardless.

In case that doesn't work, we'll also allow bypassing deep-link
prevention via a POST form button.

Reported-by: Vlastimil Babka <vbabka@suse.cz>
Link: https://public-inbox.org/meta/93ebfbd1-9924-481c-4edc-9b232d1e995c@suse.cz/
---
 lib/PublicInbox/WWW.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'lib/PublicInbox/WWW.pm')

diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index a282784a..755d7558 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -1,4 +1,4 @@
-# Copyright (C) 2014-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
 #
 # Main web interface for mailing list archives
@@ -64,6 +64,10 @@ sub call {
 				serve_git($ctx, $epoch, $path);
 		} elsif ($path_info =~ m!$INBOX_RE/(\w+)\.sql\.gz\z!o) {
 			return get_altid_dump($ctx, $1, $2);
+		} elsif ($path_info =~ m!$INBOX_RE/$MID_RE/$ATTACH_RE\z!o) {
+			my ($idx, $fn) = ($3, $4);
+			return invalid_inbox_mid($ctx, $1, $2) ||
+				get_attach($ctx, $idx, $fn);
 		} elsif ($path_info =~ m!$INBOX_RE/!o) {
 			return invalid_inbox($ctx, $1) || mbox_results($ctx);
 		}
-- 
cgit v1.2.3-24-ge0c7