Posted to commits@spamassassin.apache.org by si...@apache.org on 2023/01/08 21:19:13 UTC

svn commit: r1906472 - in /spamassassin/trunk: lib/Mail/SpamAssassin/Plugin/DecodeShortURLs.pm t/data/spam/decodeshorturl/doubleslash.eml t/decodeshorturl.t

Author: sidney
Date: Sun Jan  8 21:19:13 2023
New Revision: 1906472

URL: http://svn.apache.org/viewvc?rev=1906472&view=rev
Log:
Bug 8101 - Fix handling of malformed URLs that are resolved by server using redirect to relative URI

Added:
    spamassassin/trunk/t/data/spam/decodeshorturl/doubleslash.eml
Modified:
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/DecodeShortURLs.pm
    spamassassin/trunk/t/decodeshorturl.t

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/DecodeShortURLs.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/DecodeShortURLs.pm?rev=1906472&r1=1906471&r2=1906472&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/DecodeShortURLs.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/DecodeShortURLs.pm Sun Jan  8 21:19:13 2023
@@ -850,21 +850,19 @@ sub recursive_lookup {
   # redirect back to the same host as chaining incorrectly.
   $pms->{short_url_chained} = 1 if $count;
 
-  # Check if we are being redirected to a local page
-  # Don't recurse in this case...
+  # Check if it is a redirection to a relative URI
+  # Make it an absolute URI and chain to it in that case
   if ($location !~ m{^[a-z]+://}i) {
     my $orig_location = $location;
     my $orig_short_url = $short_url;
     # Strip to..
     if (index($location, '/') == 0) {
-      $short_url =~ s{^([a-z]+://.*?)[/?#].*}{$1}; # ..absolute path
+      $short_url =~ s{^([a-z]+://.*?)[/?#].*}{$1}; # ..absolute path base is http://example.com
     } else {
-      $short_url =~ s{^([a-z]+://.*)/}{$1}; # ..relative path
+      $short_url =~ s{^([a-z]+://.*/)}{$1}; # ..relative path base is http://example.com/a/b/
     }
-    $location = "$short_url/$location";
-    dbg("looks like a local redirection: $orig_short_url => $location ($orig_location)");
-    $pms->add_uri_detail_list($location) if !$pms->{uri_detail_list}->{$location};
-    return;
+    $location = "$short_url$location";
+    dbg("looks like a redirection to a relative URI: $orig_short_url => $location ($orig_location)");
   }
 
   if (exists $been_here{$location}) {
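Review bot: In the `else` (relative-path) branch the new substitution `s{^([a-z]+://.*/)}{$1}` replaces the match with itself, so `$short_url` keeps its last path segment and `$location` comes out as, for example, `http://example.com/a/b/cnext` instead of being built on the `http://example.com/a/b/` base the comment promises. Consuming the tail fixes that: `$short_url =~ s{^([a-z]+://[^?#]*/).*}{$1}s;`. Separately, a `Location` that begins with `//` (a network-path reference) takes the leading-slash branch and is appended to the shortener's host rather than resolved to its own host, so the decoded chain would miss the real destination. Rewriting it before this block, e.g. `$location = "$1$location" if $location =~ m{^//} && $short_url =~ m{^([a-z]+:)}i;`, would cover that case. `recursive_lookup` begins and ends outside this hunk, so whatever limit bounds the redirects that are now followed instead of returned is not visible here.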

Added: spamassassin/trunk/t/data/spam/decodeshorturl/doubleslash.eml
URL: http://svn.apache.org/viewvc/spamassassin/trunk/t/data/spam/decodeshorturl/doubleslash.eml?rev=1906472&view=auto
==============================================================================
--- spamassassin/trunk/t/data/spam/decodeshorturl/doubleslash.eml (added)
+++ spamassassin/trunk/t/data/spam/decodeshorturl/doubleslash.eml Sun Jan  8 21:19:13 2023
@@ -0,0 +1,51 @@
+To: Entity <en...@example.com>
+From: Example <ex...@example.com>
+Subject: This is a test email for a shortened URL
+Message-ID: <ea...@example.com>
+Date: Tue, 10 Nov 2020 13:33:08 -0500
+
+Greetings,
+
+http://bit.ly//3qDCt8z
+
+which should link to:
+
+https://tinyurl.com/jf8wv76t
+
+which should conclude at:
+
+https://spamassassin.apache.org/
+To: Entity <en...@example.com>
+From: Example <ex...@example.com>
+Subject: This is a test email for a shortened URL
+Message-ID: <ea...@example.com>
+Date: Tue, 10 Nov 2020 13:33:08 -0500
+
+Greetings,
+
+http://bit.ly//3qDCt8z
+
+which should link to:
+
+https://tinyurl.com/jf8wv76t
+
+which should conclude at:
+
+https://spamassassin.apache.org/
+To: Entity <en...@example.com>
+From: Example <ex...@example.com>
+Subject: This is a test email for a shortened URL
+Message-ID: <ea...@example.com>
+Date: Tue, 10 Nov 2020 13:33:08 -0500
+
+Greetings,
+
+http://bit.ly//3qDCt8z
+
+which should link to:
+
+https://tinyurl.com/jf8wv76t
+
+which should conclude at:
+
+https://spamassassin.apache.org/
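Review bot: The added fixture contains the same message three times: the block from `To:` through `https://spamassassin.apache.org/` appears once and is then repeated twice, which accounts for the 51 lines. Only the first copy's header lines sit in the header section; the repeated `To:`/`From:`/`Subject:` lines land in the body, and `http://bit.ly//3qDCt8z` appears three times. If the repetition is not intended, trimming the file to the single 17-line message would make the fixture say what the test is meant to exercise.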

Modified: spamassassin/trunk/t/decodeshorturl.t
URL: http://svn.apache.org/viewvc/spamassassin/trunk/t/decodeshorturl.t?rev=1906472&r1=1906471&r2=1906472&view=diff
==============================================================================
--- spamassassin/trunk/t/decodeshorturl.t (original)
+++ spamassassin/trunk/t/decodeshorturl.t Sun Jan  8 21:19:13 2023
@@ -11,7 +11,7 @@ use constant HAS_DBD_SQLITE => eval { re
 use constant SQLITE => (HAS_DBI && HAS_DBD_SQLITE);
 
 plan skip_all => "Net tests disabled"                unless conf_bool('run_net_tests');
-my $tests = 8;
+my $tests = 9;
 $tests += 4 if (SQLITE);
 plan tests => $tests;
 
@@ -58,6 +58,9 @@ ok_all_patterns();
 sarun ("-t < data/spam/decodeshorturl/chain.eml", \&patterns_run_cb);
 ok_all_patterns();
 
+sarun ("-t < data/spam/decodeshorturl/doubleslash.eml", \&patterns_run_cb);
+ok_all_patterns();
+
 
 ###
 ### short_url() should hit even without network enabled