Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2020/09/21 07:16:48 UTC
[Bug 7857] New:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857
Bug ID: 7857
Summary: <a data-saferedirecturl="">
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Hardware: PC
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Libraries
Assignee: dev@spamassassin.apache.org
Reporter: axb.lists@gmail.com
Target Milestone: Undefined
Please consider making SA aware of the data-saferedirecturl html tag for URI
lookups.
This is "hiding" phish, generic spam are a Google redirect-
Sample of such case will follow
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7857]
--- Comment #7 from John Hardin <jh...@impsec.org> ---
Modified: branches/3.4
Modified: branches/3.4/lib/Mail/SpamAssassin/HTML.pm
Added: branches/3.4/t/uri_saferedirect.t
Committed revision 1881912.
[Bug 7857]
--- Comment #8 from Kevin A. McGrail <km...@apache.org> ---
Thanks for the backport. How safe do you feel the change is?
[Bug 7857]
--- Comment #6 from AXB <ax...@gmail.com> ---
(In reply to John Hardin from comment #5)
> Do we want to backport this to 3.4?
If you can, that would be great.
[Bug 7857]
--- Comment #9 from Kevin A. McGrail <km...@apache.org> ---
Never mind, I see it now. A test and a 3-line patch, +1 for 3.4.
[Bug 7857]
--- Comment #5 from John Hardin <jh...@impsec.org> ---
Do we want to backport this to 3.4?
[Bug 7857]
--- Comment #10 from John Hardin <jh...@impsec.org> ---
I just noticed an apparent error in the antipatterns in the test script that I
cloned:
185 invalid_ltd.foo !invalid_tld
186 invalid_ltd.bar !invalid_tld
187 invalid_ltd.xyzzy !invalid_tld
188 invalid_ltd.co.zz !invalid_tld
189
190 www.invalid_ltd.foo !invalid_tld
191 www.invalid_ltd.bar !invalid_tld
192 www.invalid_ltd.xyzzy !invalid_tld
193 www.invalid_ltd.co.zz !invalid_tld
Shouldn't the "_ltd" / "_tld" bit match to ensure the invalid TLD is not
captured as a URI?
Or are these essentially NOP'd out by mangling because SA is not doing
valid-TLD filtering? If so, should these be explicitly commented out instead of
being mangled so they pass? Like this antipattern:
222 #keyword:sportscar !sportscar
The SVN history shows it's been that way since the initial commit.
[Bug 7857]
AXB <ax...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Hardware|PC |All
[Bug 7857]
John Hardin <jh...@impsec.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #4 from John Hardin <jh...@impsec.org> ---
Modified: trunk/lib/Mail/SpamAssassin/HTML.pm
Added: trunk/t/uri_saferedirect.t
Committed revision 1881911.
[Bug 7857]
John Hardin <jh...@impsec.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin@impsec.org
--- Comment #3 from John Hardin <jh...@impsec.org> ---
underway
[Bug 7857]
AXB <ax...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|major |blocker
[Bug 7857]
--- Comment #1 from AXB <ax...@gmail.com> ---
sample URI:
<a href="https://example.com/very/legit/url" target="_blank" rel="noreferrer"
data-saferedirecturl="https://www.google.com/url?q=https://example.org/very/evil/url&source=gmail&ust=123456789/*&usg=laksjdflasi">Update
user@example.com now</a>
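The anchor in comment #1 shows the visible href pointing at a harmless host while the real destination sits only in data-saferedirecturl, wrapped in a Google redirector. The following is an added Python example (not SpamAssassin's own HTML.pm code, which is Perl) of a URI extractor that treats that attribute like href, unwraps the redirector's q= parameter so the hidden host reaches a URIBL lookup, and flags anchors whose shown host and real target host disagree. The sample anchor is constructed from the one quoted above; the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the anchor quoted in comment #1 (not a real message).
SAMPLE_HTML = (
    '<a href="https://example.com/very/legit/url" target="_blank" rel="noreferrer" '
    'data-saferedirecturl="https://www.google.com/url?q=https://example.org/very/evil/url'
    '&source=gmail&ust=123456789/*&usg=laksjdflasi">Update user@example.com now</a>'
)
URI_ATTRS = {"href", "src", "data-saferedirecturl"}  # the last is what this bug adds

class URICollector(HTMLParser):
    """Collect every URI-bearing attribute value, plus (href, saferedirect) per <a>."""
    def __init__(self):
        super().__init__()
        self.uris, self.anchors = [], []

    def handle_starttag(self, tag, attrs):
        d = {name.lower(): value for name, value in attrs if value}
        self.uris.extend(v for k, v in d.items() if k in URI_ATTRS)
        if tag == "a":
            self.anchors.append((d.get("href"), d.get("data-saferedirecturl")))

def unwrap_redirect(uri):
    """Return the q= target of a google.com/url redirector, else uri unchanged."""
    p = urlparse(uri)
    host = (p.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and p.path == "/url":
        target = parse_qs(p.query).get("q")
        if target:
            return target[0]
    return uri

def extract_uris(html):
    """Every URI a URIBL lookup should see: raw values and unwrapped redirect targets."""
    c = URICollector()
    c.feed(html)
    return list(dict.fromkeys(v for u in c.uris for v in (u, unwrap_redirect(u))))

def mismatched_hosts(html):
    """(href host, real target host) pairs where the redirector hides a different host."""
    c = URICollector()
    c.feed(html)
    pairs = []
    for href, redir in c.anchors:
        if href and redir:
            shown, real = urlparse(href).hostname, urlparse(unwrap_redirect(redir)).hostname
            if shown and real and shown != real:
                pairs.append((shown, real))
    return pairs
```

On the sample, extract_uris returns the legit href, the raw redirector URL and the unwrapped example.org target, so all three hosts can be queried; mismatched_hosts returns the single (example.com, example.org) pair.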
[Bug 7857]
Kevin A. McGrail <km...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@apache.org
Target Milestone|Undefined |4.0.0
--- Comment #2 from Kevin A. McGrail <km...@apache.org> ---
Good catch, AXB.