From 1fee6f86d7ee78161cc48a00232654f13a14bb88 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Sat, 15 Feb 2020 09:46:39 +0000
Subject: view: escape ampersand in Message-IDs

We need to escape ampersands (and some other characters for href attributes), so introduce a `mid_href' sub to do just that. '<', '>' and '"' were always escaped, so there's no risk of tag or attribute injection, but creative Message-IDs could cause confusion for some parsers and generate invalid URLs. Start getting rid of the bloated, over-engineered OO Hval API while we're at it, I only noticed this bug because I started killing off Hval->new* callers.
---
 t/psgi_bad_mids.t | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 't')

diff --git a/t/psgi_bad_mids.t b/t/psgi_bad_mids.t
index d86c90bc..43025a4d 100644
--- a/t/psgi_bad_mids.t
+++ b/t/psgi_bad_mids.t
@@ -28,6 +28,7 @@ $im->{parallel} = 0;
 my $msgs = <<'';
 F1V5OR6NMF.3M649JTLO9IXD@tux.localdomain/hehe1"'/foo
+F1V5NB0PTU.3U0DCVGAJ750Z@tux&.ampersand
 F1V5MIHGCU.2ABINKW6WBE8N@tux.localdomain/raw
 F1V5LF9D9C.2QT5PGXZQ050E@tux.localdomain/t.atom
 F1V58X3CMU.2DCCVAKQZGADV@tux.localdomain/../../../../foo
@@ -70,9 +71,13 @@ test_psgi(sub { $www->call(@_) }, sub {
 'got escaped links to all messages');
 @xmids = reverse @xmids;
+ my %uxs = ( gt => '>', lt => '<' );
 foreach my $i (0..$#xmids) {
- $res = $cb->(GET("/bad-mids/$xmids[$i]/raw"));
- is($res->code, 200, 'got 200 OK raw message');
+ my $uri = $xmids[$i];
+ $uri =~ s/&#([0-9]+);/sprintf("%c", $1)/sge;
+ $uri =~ s/&(lt|gt);/$uxs{$1}/sge;
+ $res = $cb->(GET("/bad-mids/$uri/raw"));
+ is($res->code, 200, 'got 200 OK raw message '.$uri);
 like($res->content, qr/Message-ID: <\Q$mids[$i]\E>/s,
 'retrieved correct message');
 }
-- 
cgit v1.2.3-24-ge0c7
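Review bot: The two-step entity decoding added inside the foreach can double-decode, because the numeric pass runs before the named one: an escaped href fragment of `&#38;lt;` (a literal `&lt;` in the raw Message-ID) becomes `&lt;` after the first substitution and then `<` after the second, so `$uri` no longer round-trips to the original ID and the `/raw` GET would be made for the wrong path. Decoding both forms in a single pass removes the ordering hazard: `$uri =~ s/&(?:#([0-9]+)|(lt|gt));/defined $1 ? chr($1) : $uxs{$2}/ge;` (the `/s` modifier on both substitutions is a no-op since neither pattern contains `.`, and `chr` is the conventional spelling of `sprintf("%c", ...)`). The decoder also relies on the escaper, which is outside this hunk, emitting a numeric `&#38;` rather than `&amp;` for the ampersand this commit adds test data for; if that is indeed the contract, a comment such as `# '&', '"' and "'" come back as numeric entities; only lt/gt are named` next to `%uxs` would record why `&amp;` is not handled. The enclosing test_psgi callback starts outside the hunk.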