Issues with mailto: Links

Issues with mailto: Links

[Moritz Poldrack]

Hello,

I am a contributor to a mailclient named aerc. Today a user notified us
that they were unable to use the mailto: Link from one of your public
inboxes[0]. The reason for that is that the To: address is URL-encoded,
which is not in accordance with RFC6068 and therefore considered to be
invalid.

Currently the link is:
mailto:user%40gmail.com?…

but it should be:
mailto:user@gmail.com?…

Since I've not seen anywhere else to report bugs, I've sent it here, if
that was not correct please advise where to send this message.

[0]: https://list.orgmode.org/875yt0myv0.fsf@localhost/#R
--
Moritz Poldrack
https://moritz.sh

Re: Issues with mailto: Links

[Eric Wong]

Moritz Poldrack <moritz@poldrack.dev> wrote:
> Hello,
> 
> I am a contributor to a mailclient named aerc. Today a user notified us
> that they were unable to use the mailto: Link from one of your public
> inboxes[0]. The reason for that is that the To: address is URL-encoded,
> which is not in accordance with RFC6068 and therefore considered to be
> invalid.
> 
> Currently the link is:
> mailto:user%40gmail.com?…
> 
> but it should be:
> mailto:user@gmail.com?…

Thanks for the report, the patch below should fix it.
Feedback greatly appreciated, I'm still struggling with various
real-life stuff so extra eyes always appreciated since I'm more
scatter-brained than usual :<

> Since I've not seen anywhere else to report bugs, I've sent it here, if
> that was not correct please advise where to send this message.

Yes, this is the only place :)

> [0]: https://list.orgmode.org/875yt0myv0.fsf@localhost/#R

-----8<-----
Subject: [PATCH] view: do not escape `@' in mailto: URLs

It's probably not a perfect match for RFC 6068 atm, but perfect
is the enemy of good.

Reported-by: Moritz Poldrack <moritz@poldrack.dev>
Link: https://public-inbox.org/meta/CKJSWGSZFKMX.3VUSIYE955Z9X@Archetype/
---
 lib/PublicInbox/Reply.pm | 21 +++++++++++++++------
 t/plack.t                |  1 +
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/lib/PublicInbox/Reply.pm b/lib/PublicInbox/Reply.pm
index d96fadfc..2dda4d82 100644
--- a/lib/PublicInbox/Reply.pm
+++ b/lib/PublicInbox/Reply.pm
@@ -1,11 +1,11 @@
-# Copyright (C) 2014-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
 
 # For reply instructions and address generation in WWW UI
 package PublicInbox::Reply;
 use strict;
-use warnings;
-use URI::Escape qw/uri_escape_utf8/;
+use v5.10.1;
+use URI::Escape ();
 use PublicInbox::Hval qw(ascii_html obfuscate_addrs mid_href);
 use PublicInbox::Address;
 use PublicInbox::MID qw(mid_clean);
@@ -13,6 +13,15 @@ use PublicInbox::Config;
 
 *squote_maybe = \&PublicInbox::Config::squote_maybe;
 
+# TODO: read RFC 6068 more closely and fix as-needed (though checking for
+# things like `[]' symmetry may not be worth it)
+sub rfc6068_escape {
+	my ($s) = @_;
+	utf8::encode($s);
+	$s =~ s!([^A-Za-z0-9\-\._~\@])!$URI::Escape::escapes{$1}!ge;
+	$s;
+}
+
 sub add_addrs {
 	my ($to, $cc, @addrs) = @_;
 	foreach my $address (@addrs) {
@@ -81,8 +90,8 @@ sub mailto_arg_link {
 		# no $subj for $href below
 	} else {
 		push @arg, "--to=$to";
-		$to = uri_escape_utf8($to);
-		$subj = uri_escape_utf8($subj);
+		$to = rfc6068_escape($to);
+		$subj = rfc6068_escape($subj);
 	}
 	my @cc = sort values %$cc;
 	$cc = '';
@@ -94,7 +103,7 @@ sub mailto_arg_link {
 				"--cc=$addr";
 			} @cc);
 		} else {
-			$cc = '&Cc=' . uri_escape_utf8(join(',', @cc));
+			$cc = '&Cc=' . rfc6068_escape(join(',', @cc));
 			push(@arg, map { "--cc=$_" } @cc);
 		}
 	}
diff --git a/t/plack.t b/t/plack.t
index e4dedce6..a5fd54c9 100644
--- a/t/plack.t
+++ b/t/plack.t
@@ -85,6 +85,7 @@ test_psgi($app, sub {
 	my ($cb) = @_;
 	my $res = $cb->(GET('http://example.com/test/crlf@example.com/'));
 	is($res->code, 200, 'retrieved CRLF as HTML');
+	like($res->content, qr/mailto:me\@example/, 'no %40, per RFC 6068');
 	unlike($res->content, qr/\r/, 'no CR in HTML');
 	$res = $cb->(GET('http://example.com/test/crlf@example.com/raw'));
 	is($res->code, 200, 'retrieved CRLF raw');

Re: Issues with mailto: Links

[Moritz Poldrack]

On Wed Jun 8, 2022 at 12:47 PM CEST, Eric Wong wrote:
> Moritz Poldrack <moritz@poldrack.dev> wrote:
> > Hello,
> >
> > I am a contributor to a mailclient named aerc. Today a user notified us
> > that they were unable to use the mailto: Link from one of your public
> > inboxes[0]. The reason for that is that the To: address is URL-encoded,
> > which is not in accordance with RFC6068 and therefore considered to be
> > invalid.
> >
> > Currently the link is:
> > mailto:user%40gmail.com?…
> >
> > but it should be:
> > mailto:user@gmail.com?…
>
> Thanks for the report, the patch below should fix it.
> Feedback greatly appreciated, I'm still struggling with various
> real-life stuff so extra eyes always appreciated since I'm more
> scatter-brained than usual :<
>
> > Since I've not seen anywhere else to report bugs, I've sent it here, if
> > that was not correct please advise where to send this message.
>
> Yes, this is the only place :)
>
> > [0]: https://list.orgmode.org/875yt0myv0.fsf@localhost/#R
>
> -----8<-----
> Subject: [PATCH] view: do not escape `@' in mailto: URLs

Important: only the @ after the ? (in query parameters) have to be
escaped.

mailto:user@gmail.com?cc=list%40mailinglist.org

>
> It's probably not a perfect match for RFC 6068 atm, but perfect
> is the enemy of good.
>
> Reported-by: Moritz Poldrack <moritz@poldrack.dev>
> Link: https://public-inbox.org/meta/CKJSWGSZFKMX.3VUSIYE955Z9X@Archetype/
> ---
>  lib/PublicInbox/Reply.pm | 21 +++++++++++++++------
>  t/plack.t                |  1 +
>  2 files changed, 16 insertions(+), 6 deletions(-)
>
> diff --git a/lib/PublicInbox/Reply.pm b/lib/PublicInbox/Reply.pm
> index d96fadfc..2dda4d82 100644
> --- a/lib/PublicInbox/Reply.pm
> +++ b/lib/PublicInbox/Reply.pm
> @@ -1,11 +1,11 @@
> -# Copyright (C) 2014-2021 all contributors <meta@public-inbox.org>
> +# Copyright (C) all contributors <meta@public-inbox.org>
>  # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
>
>  # For reply instructions and address generation in WWW UI
>  package PublicInbox::Reply;
>  use strict;
> -use warnings;
> -use URI::Escape qw/uri_escape_utf8/;
> +use v5.10.1;
> +use URI::Escape ();
>  use PublicInbox::Hval qw(ascii_html obfuscate_addrs mid_href);
>  use PublicInbox::Address;
>  use PublicInbox::MID qw(mid_clean);
> @@ -13,6 +13,15 @@ use PublicInbox::Config;
>
>  *squote_maybe = \&PublicInbox::Config::squote_maybe;
>
> +# TODO: read RFC 6068 more closely and fix as-needed (though checking for
> +# things like `[]' symmetry may not be worth it)
> +sub rfc6068_escape {
> +	my ($s) = @_;
> +	utf8::encode($s);
> +	$s =~ s!([^A-Za-z0-9\-\._~\@])!$URI::Escape::escapes{$1}!ge;
> +	$s;
> +}
> +
>  sub add_addrs {
>  	my ($to, $cc, @addrs) = @_;
>  	foreach my $address (@addrs) {
> @@ -81,8 +90,8 @@ sub mailto_arg_link {
>  		# no $subj for $href below
>  	} else {
>  		push @arg, "--to=$to";
> -		$to = uri_escape_utf8($to);
> -		$subj = uri_escape_utf8($subj);
> +		$to = rfc6068_escape($to);
> +		$subj = rfc6068_escape($subj);
>  	}
>  	my @cc = sort values %$cc;
>  	$cc = '';
> @@ -94,7 +103,7 @@ sub mailto_arg_link {
>  				"--cc=$addr";
>  			} @cc);
>  		} else {
> -			$cc = '&Cc=' . uri_escape_utf8(join(',', @cc));
> +			$cc = '&Cc=' . rfc6068_escape(join(',', @cc));
>  			push(@arg, map { "--cc=$_" } @cc);
>  		}
>  	}
> diff --git a/t/plack.t b/t/plack.t
> index e4dedce6..a5fd54c9 100644
> --- a/t/plack.t
> +++ b/t/plack.t
> @@ -85,6 +85,7 @@ test_psgi($app, sub {
>  	my ($cb) = @_;
>  	my $res = $cb->(GET('http://example.com/test/crlf@example.com/'));
>  	is($res->code, 200, 'retrieved CRLF as HTML');
> +	like($res->content, qr/mailto:me\@example/, 'no %40, per RFC 6068');
>  	unlike($res->content, qr/\r/, 'no CR in HTML');
>  	$res = $cb->(GET('http://example.com/test/crlf@example.com/raw'));
>  	is($res->code, 200, 'retrieved CRLF raw');

--
Moritz Poldrack
https://moritz.sh

[PATCH v2] view: do not escape first `@' in mailto: URLs

[Eric Wong]

Moritz Poldrack <moritz@poldrack.dev> wrote:
> Important: only the @ after the ? (in query parameters) have to be
> escaped.
> 
> mailto:user@gmail.com?cc=list%40mailinglist.org

Ah, thanks.  Here's an updated version:

---------8<---------
Subject: [PATCH] view: do not escape first `@' in mailto: URLs

It's probably not a perfect match for RFC 6068 atm, but perfect
is the enemy of good.

Reported-by: Moritz Poldrack <moritz@poldrack.dev>
Link: https://public-inbox.org/meta/CKJSWGSZFKMX.3VUSIYE955Z9X@Archetype/
---
 lib/PublicInbox/Reply.pm | 9 ++++++---
 t/plack.t                | 1 +
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/PublicInbox/Reply.pm b/lib/PublicInbox/Reply.pm
index d96fadfc..592dfb62 100644
--- a/lib/PublicInbox/Reply.pm
+++ b/lib/PublicInbox/Reply.pm
@@ -1,10 +1,10 @@
-# Copyright (C) 2014-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
 
 # For reply instructions and address generation in WWW UI
 package PublicInbox::Reply;
 use strict;
-use warnings;
+use v5.10.1;
 use URI::Escape qw/uri_escape_utf8/;
 use PublicInbox::Hval qw(ascii_html obfuscate_addrs mid_href);
 use PublicInbox::Address;
@@ -81,7 +81,6 @@ sub mailto_arg_link {
 		# no $subj for $href below
 	} else {
 		push @arg, "--to=$to";
-		$to = uri_escape_utf8($to);
 		$subj = uri_escape_utf8($subj);
 	}
 	my @cc = sort values %$cc;
@@ -106,6 +105,10 @@ sub mailto_arg_link {
 	# anyways.
 	return (\@arg, '', $reply_to_all) if $obfs;
 
+	# keep `@' instead of using `%40' for RFC 6068
+	utf8::encode($to);
+	$to =~ s!([^A-Za-z0-9\-\._~\@])!$URI::Escape::escapes{$1}!ge;
+
 	# order matters, Subject is the least important header,
 	# so it is last in case it's lost/truncated in a copy+paste
 	my $href = "mailto:$to?In-Reply-To=$irt${cc}&Subject=$subj";
diff --git a/t/plack.t b/t/plack.t
index e4dedce6..a5fd54c9 100644
--- a/t/plack.t
+++ b/t/plack.t
@@ -85,6 +85,7 @@ test_psgi($app, sub {
 	my ($cb) = @_;
 	my $res = $cb->(GET('http://example.com/test/crlf@example.com/'));
 	is($res->code, 200, 'retrieved CRLF as HTML');
+	like($res->content, qr/mailto:me\@example/, 'no %40, per RFC 6068');
 	unlike($res->content, qr/\r/, 'no CR in HTML');
 	$res = $cb->(GET('http://example.com/test/crlf@example.com/raw'));
 	is($res->code, 200, 'retrieved CRLF raw');

Re: [PATCH v2] view: do not escape first `@' in mailto: URLs

[Moritz Poldrack]

Can't be of much help regarding CR since my level of Perl ends at
regular expressions. But the basics look fine to me.