Date: Tue, 15 Mar 2022 20:45:02 +0000
From: Eric Wong
To: Vlastimil Babka
Cc: meta@public-inbox.org, Konstantin Ryabitsev
Subject: [PATCH] www: loosen deep-linking prevention
Message-ID: <20220315204502.GA2275@dcvr>
References: <93ebfbd1-9924-481c-4edc-9b232d1e995c@suse.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <93ebfbd1-9924-481c-4edc-9b232d1e995c@suse.cz>
List-Id:

Vlastimil Babka wrote:
> Hi,
>
> When opening:
> https://lore.kernel.org/all/20220309021531.GA22223@xsang-OptiPlex-9020/
>
> And clicking at [-- Attachment #4: dmesg.xz --]
> Which links to
> https://lore.kernel.org/all/20220309021531.GA22223@xsang-OptiPlex-9020/4-dmesg.xz
>
> I get with a high probability a "Deep-linking prevented" response instead of
> the attachment. In Firefox and Chrome. Sometimes it does succeed and
> provides the attachment. When opening the attachment URL directly so that
> there's no Referer, it succeeds reliably. Other people confirmed this too.
> Reporting here per Konstantin's advice.

Not sure exactly why this is on the browser side, but I think the
patch below fixes it.  I've deployed to , and tested going through
via lynx and dillo (w3m doesn't send Referer in this case)

------------8<---------
Subject: [PATCH] www: loosen deep-linking prevention

Apparently some browsers can set a Referer: header which fails to
match.  I'm not certain why, but making "$schema://$HOST_PORT"
match case-insensitive seems more correct regardless.

In case that doesn't work, we'll also allow bypassing deep-link
prevention via a POST form button.

Reported-by: Vlastimil Babka
Link: https://public-inbox.org/meta/93ebfbd1-9924-481c-4edc-9b232d1e995c@suse.cz/
---
 lib/PublicInbox/WWW.pm       |  6 +++++-
 lib/PublicInbox/WwwAttach.pm | 18 ++++++++++++------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index a282784a..755d7558 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -1,4 +1,4 @@ -# Copyright (C) 2014-2021 all contributors +# Copyright (C) all contributors # License: AGPL-3.0+ # # Main web interface for mailing list archives @@ -64,6 +64,10 @@ sub call { serve_git($ctx, $epoch, $path); } elsif ($path_info =~ m!$INBOX_RE/(\w+)\.sql\.gz\z!o) { return get_altid_dump($ctx, $1, $2); + } elsif ($path_info =~ m!$INBOX_RE/$MID_RE/$ATTACH_RE\z!o) { + my ($idx, $fn) = ($3, $4); + return invalid_inbox_mid($ctx, $1, $2) || + get_attach($ctx, $idx, $fn); } elsif ($path_info =~ m!$INBOX_RE/!o) { return invalid_inbox($ctx, $1) || mbox_results($ctx); } diff --git a/lib/PublicInbox/WwwAttach.pm b/lib/PublicInbox/WwwAttach.pm index c17394af..87844bf3 100644 --- a/lib/PublicInbox/WwwAttach.pm +++ b/lib/PublicInbox/WwwAttach.pm @@ -1,4 +1,4 @@ -# Copyright (C) 2016-2021 all contributors +# Copyright (C) all contributors # License: AGPL-3.0+ # For retrieving attachments from messages in the WWW interface @@ -11,16 +11,17 @@ use PublicInbox::Eml; sub referer_match ($) { my ($ctx) = @_; my $env = $ctx->{env}; - my $referer = $env->{HTTP_REFERER} // ''; + return 1 if $env->{REQUEST_METHOD} eq 'POST'; + my $referer = lc($env->{HTTP_REFERER} // ''); return 1 if $referer eq ''; # no referer is always OK for wget/curl # prevent deep-linking from other domains on some browsers (Firefox) # n.b.: $ctx->{ibx}->base_url($env) with INBOX_URL won't work # with dillo, we can only match "$url_scheme://$HTTP_HOST/" without # path components - my $base_url = $env->{'psgi.url_scheme'} . '://' . + my $base_url = lc($env->{'psgi.url_scheme'} . '://' . ($env->{HTTP_HOST} // - "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/'; + "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/'); index($referer, $base_url) == 0; } @@ -46,8 +47,13 @@ sub get_attach_i { # ->each_part callback $part = $part->body; } else { $res->[0] = 403; - $res->[1]->[1] = 'text/plain'; - $part = "Deep-linking prevented\n"; + $res->[1]->[1] = 'text/html'; + $part = <<""; +download +attachment
Deep-linking prevented
+ } } push @{$res->[1]}, 'Content-Length', length($part);
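Review bot: the new `$INBOX_RE/$MID_RE/$ATTACH_RE` branch in `sub call` (WWW.pm, `@@ -64,6 +64,10 @@` hunk) is not mentioned in the commit message, and the only reason visible in this patch for routing attachments here is the POST form button added in WwwAttach.pm; say so in the message or in a one-line comment above the branch (e.g. `# attachment fetch via POST form button, see WwwAttach::referer_match`). Two smaller things to confirm: `$ATTACH_RE` is used here without being added in this patch, so it must already be defined in WWW.pm; and saving `($idx, $fn) = ($3, $4)` before calling `invalid_inbox_mid($ctx, $1, $2)` is the right order, since that call can clobber the capture variables before `get_attach` runs.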
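Review bot: in the `referer_match` hunk (WwwAttach.pm, `@@ -11,16 +11,17 @@`), `return 1 if $env->{REQUEST_METHOD} eq 'POST';` accepts every POST regardless of Referer, which is wider than the "POST form button" the commit message describes: the function no longer distinguishes the archive's own button from a form on any other origin that targets the attachment URL. If the referer check is only meant as a hotlinking deterrent, that is fine, but say so next to the existing `# prevent deep-linking from other domains on some browsers (Firefox)` comment so the next reader does not mistake it for an access control; otherwise the POST path should still consult the Referer (or a same-origin token) before returning 1. The `lc()` change itself looks correct: both `$referer` and `$base_url` are lowercased, and the `index($referer, $base_url) == 0` prefix test still includes the trailing `/`, so `https://host/` does not match `https://host.other/`.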
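Review bot: in the `get_attach_i` hunk (WwwAttach.pm, `@@ -46,8 +47,13 @@`), the 403 body switches to `$res->[1]->[1] = 'text/html'` but the value carries no charset; `'text/html; charset=UTF-8'` avoids the browser guessing once the page is rendered as a form. The `<<""` heredoc also ends at the first empty line, so a later edit that adds or strips a blank line inside the template silently truncates or extends the body; a named terminator such as `<<'EOM'` is more robust. Note that the extracted hunk shows only the words `download`, `attachment` and `Deep-linking prevented` with the surrounding form markup stripped, so the form's `method` and action could not be checked from this copy.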