From: Eric Wong <e@80x24.org>
To: Leah Neukirchen <leah@vuxu.org>
Cc: meta@public-inbox.org
Subject: [PATCH] additional tests for bad Message-IDs in URLs
Date: Tue, 26 Jun 2018 07:46:58 +0000	[thread overview]
Message-ID: <20180626074658.kg7on7fjwvxn5h3s@dcvr> (raw)
In-Reply-To: <20180613224356.jz7abxkyg4i3tlf5@dcvr>

Followup-to: 73cfed86d8a8287a
   ("www: use undecoded paths for Message-ID extraction")

Reported-by: Leah Neukirchen <leah@vuxu.org>
  https://public-inbox.org/meta/8736xsb5s5.fsf@vuxu.org/
---
 Oops, forgot this earlier :x

 MANIFEST          |  1 +
 t/psgi_bad_mids.t | 85 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 t/psgi_bad_mids.t

diff --git a/MANIFEST b/MANIFEST
index 08a8ef4..68c79c9 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -182,6 +182,7 @@ t/perf-threading.t
 t/plack.t
 t/precheck.t
 t/psgi_attach.t
+t/psgi_bad_mids.t
 t/psgi_mount.t
 t/psgi_search.t
 t/psgi_text.t
diff --git a/t/psgi_bad_mids.t b/t/psgi_bad_mids.t
new file mode 100644
index 0000000..5008f5b
--- /dev/null
+++ b/t/psgi_bad_mids.t
@@ -0,0 +1,85 @@
+# Copyright (C) 2018 all contributors <meta@public-inbox.org>
+# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
+use strict;
+use warnings;
+use Test::More;
+use File::Temp qw/tempdir/;
+use PublicInbox::MIME;
+use PublicInbox::Config;
+use PublicInbox::WWW;
+my @mods = qw(DBD::SQLite Search::Xapian HTTP::Request::Common Plack::Test
+		URI::Escape Plack::Builder);
+foreach my $mod (@mods) {
+	eval "require $mod";
+	plan skip_all => "$mod missing for psgi_bad_mids.t" if $@;
+}
+use_ok($_) for @mods;
+use_ok 'PublicInbox::V2Writable';
+my $mainrepo = tempdir('pi-bad-mids-XXXXXX', TMPDIR => 1, CLEANUP => 1);
+my $cfgpfx = "publicinbox.bad-mids";
+my $ibx = {
+	mainrepo => $mainrepo,
+	name => 'bad-mids',
+	version => 2,
+	-primary_address => 'test@example.com',
+};
+$ibx = PublicInbox::Inbox->new($ibx);
+my $im = PublicInbox::V2Writable->new($ibx, 1);
+$im->{parallel} = 0;
+
+my $msgs = <<'';
+F1V5OR6NMF.3M649JTLO9IXD@tux.localdomain/hehe1"'<foo
+F1V5NB0PTU.3U0DCVGAJ750Z@tux.localdomain"'<>/foo
+F1V5MIHGCU.2ABINKW6WBE8N@tux.localdomain/raw
+F1V5LF9D9C.2QT5PGXZQ050E@tux.localdomain/t.atom
+F1V58X3CMU.2DCCVAKQZGADV@tux.localdomain/../../../../foo
+F1TVKINT3G.2S6I36MXMHYG6@tux.localdomain" onclick="alert(1)"
+
+my @mids = split(/\n/, $msgs);
+my $i = 0;
+foreach my $mid (@mids) {
+	my $data = << "";
+Subject: test
+Message-ID: <$mid>
+From: a\@example.com
+To: b\@example.com
+Date: Fri, 02 Oct 1993 00:00:0$i +0000
+
+
+	my $mime = PublicInbox::MIME->new(\$data);
+	ok($im->add($mime), "added $mid");
+	$i++
+}
+$im->done;
+
+my $cfg = {
+	"$cfgpfx.address" => $ibx->{-primary_address},
+	"$cfgpfx.mainrepo" => $mainrepo,
+};
+my $config = PublicInbox::Config->new($cfg);
+my $www = PublicInbox::WWW->new($config);
+test_psgi(sub { $www->call(@_) }, sub {
+	my ($cb) = @_;
+	my $res = $cb->(GET('/bad-mids/'));
+	is($res->code, 200, 'got 200 OK listing');
+	my $raw = $res->content;
+	foreach my $mid (@mids) {
+		ok(index($raw, $mid) < 0, "escaped $mid");
+	}
+
+	my (@xmids) = ($raw =~ m!\bhref="([^"]+)/t\.mbox\.gz"!sg);
+	is(scalar(@xmids), scalar(@mids),
+		'got escaped links to all messages');
+
+	@xmids = reverse @xmids;
+	foreach my $i (0..$#xmids) {
+		$res = $cb->(GET("/bad-mids/$xmids[$i]/raw"));
+		is($res->code, 200, 'got 200 OK raw message');
+		like($res->content, qr/Message-ID: <\Q$mids[$i]\E>/s,
+			'retrieved correct message');
+	}
+});
+
+done_testing();
+
+1;
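Review bot: The final loop in t/psgi_bad_mids.t only requests `/raw`, so escaping of these hostile Message-IDs is checked on the listing page alone. The per-message HTML view, and presumably the thread and Atom views, also write the ID into markup and are never fetched. Consider adding `$res = $cb->(GET("/bad-mids/$xmids[$i]/"));` in that loop with `is($res->code, 200, 'got 200 OK HTML view');`, plus an assertion that markup-significant fragments of `$mids[$i]` (such as `<foo`) do not appear unescaped in `$res->content`. Separately, `@xmids = reverse @xmids;` ties the test to the listing being newest-first. Mapping each captured href back to its expected ID, presumably by unescaping it with URI::Escape (already in `@mods`), would remove that ordering assumption.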
-- 
EW
