You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2023/01/13 15:01:53 UTC

[Bug 8105] New: DecodeShortURLs fails to follow redirect chains with differing query parameters

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8105

            Bug ID: 8105
           Summary: DecodeShortURLs fails to follow redirect chains with
                    differing query parameters
           Product: Spamassassin
           Version: 4.0.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Plugins
          Assignee: dev@spamassassin.apache.org
          Reporter: dilldall@bjork.org
  Target Milestone: Undefined

When DecodeShortURLs encounters a returned location header where only[1] the
query parameters differ, it appears it will not follow it, even if the
source/target domain is defined as a url_shortener. I'm guessing it's doing
some comparing to prevent an infinite loop, but stripping away things like
query string first. Sometimes a good idea, other times not.

Consider this example, pulled from a spam message:

https://rb.gy/qcigz2

As of writing, this returns a location header of:

http://rb.gy/qcigz2?rb.routing.mode=proxy&rb.routing.signature=974538

Same URL, different protocol[1], different (added) query parameters.

If it were to follow this redirect, it would get this location header back:

https://rebrandly.info/stop

Which, in turn, could be used in URL_SHORTENER_DISABLED[2].


[1] I say only even though in this example the protocol also differs. If *only*
the protocol differs, however, it does seem to follow the chain.
Consider this:

http://www.shorturl.at/BLOY9

Which redirects to https before redirecting to target. Assuming www.shorturl.at
is defined as a url_shortener[3], it *will* follow the redirect chain to the
same URL with https[4], and then further.

[2] I guess this is another suggestion for improvement, which could be added,
but I don't wanna file individual reports for all these tiny things.

[3] Which it should be, because even though the shorturl.at service provides
shortened URLs as shorturl.at - which is in the list - it first redirects every
URL to www.shorturl.at (and https) - which isn't. But that's (also?) a
different bug, and I'm already working on a larger list update, pulled from
numerous sources.

[4] Incidentally, this will also trigger short_url_chained (and in turn an
assigned score), which perhaps it shouldn't when redirecting to the same (base)
domain. Might be worthy of another report, I suppose.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 8105] DecodeShortURLs fails to follow redirect chains with differing query parameters

Posted by bu...@spamassassin.apache.org.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8105

Christer Mjellem Strand <di...@bjork.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dilldall@bjork.org

--- Comment #1 from Christer Mjellem Strand <di...@bjork.org> ---
I'm not sure I can reproduce the original issue in this report anymore - it may
have been related to caching, or something else. I've seen occurrences of it
working in logs since reporting.

I'll leave the report however open, however, as it includes various other minor
tidbits which may be worth addressing.

-- 
You are receiving this mail because:
You are the assignee for the bug.