Mailing List Archive

[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

AXB <axb.lists@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Hardware|PC |All

--
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

AXB <axb.lists@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Severity|major |blocker


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

--- Comment #1 from AXB <axb.lists@gmail.com> ---

sample URI:

<a href="https://example.com/very/legit/url" target="_blank" rel="noreferrer"
data-saferedirecturl="https://www.google.com/url?q=https://example.org/very/evil/url&amp;source=gmail&amp;ust=123456789/*&amp;usg=laksjdflasi">Update
user@example.com now</a>


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

Kevin A. McGrail <kmcgrail@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@apache.org
Target Milestone|Undefined |4.0.0

--- Comment #2 from Kevin A. McGrail <kmcgrail@apache.org> ---
Good catch, AXB.


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

John Hardin <jhardin@impsec.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin@impsec.org

--- Comment #3 from John Hardin <jhardin@impsec.org> ---
underway


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

John Hardin <jhardin@impsec.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED

--- Comment #4 from John Hardin <jhardin@impsec.org> ---
Modified: trunk/lib/Mail/SpamAssassin/HTML.pm
Added: trunk/t/uri_saferedirect.t
Committed revision 1881911.


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

--- Comment #5 from John Hardin <jhardin@impsec.org> ---
Do we want to backport this to 3.4?


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

--- Comment #6 from AXB <axb.lists@gmail.com> ---
(In reply to John Hardin from comment #5)
> Do we want to backport this to 3.4?

If you can, that would be great.


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

--- Comment #7 from John Hardin <jhardin@impsec.org> ---
Modified: branches/3.4
Modified: branches/3.4/lib/Mail/SpamAssassin/HTML.pm
Added: branches/3.4/t/uri_saferedirect.t
Committed revision 1881912.


Re: [Bug 7857] <a data-saferedirecturl="">
On Mon, 21 Sep 2020, bugzilla-daemon@spamassassin.apache.org wrote:

> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857
>
> --- Comment #6 from AXB <axb.lists@gmail.com> ---
> (In reply to John Hardin from comment #5)
>> Do we want to backport this to 3.4?
>
> if you can, that would be great,

I just checked that in, and then the "R-T-C" light went on above my head.
:(

Should I revert that from the 3.4 branch pending review and approval by
others?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #7: In ten years nobody will remember
the details of caliber, stance, or tactics. They will only remember
who lived.
-----------------------------------------------------------------------
43 days until the Presidential Election

[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

--- Comment #8 from Kevin A. McGrail <kmcgrail@apache.org> ---
Thanks for the backport. How safe do you feel the change is?


[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

--- Comment #9 from Kevin A. McGrail <kmcgrail@apache.org> ---
Never mind, I see it now. A test and a 3-line patch: +1 for 3.4.


Re: [Bug 7857] <a data-saferedirecturl="">
I voted +1 retroactively but yeah, I want to get 3.4.5 done and get
4.0.0 as our only focus. Still not sure when but we are trying to get
4.0 into production tests too!

On 9/21/2020 2:47 PM, John Hardin wrote:
> I just checked that in, and then the "R-T-C" light went on above my
> head. :(
>
> Should I revert that from the 3.4 branch pending review and approval
> by others?

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

[Bug 7857] <a data-saferedirecturl="">
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7857

--- Comment #10 from John Hardin <jhardin@impsec.org> ---
I just noticed an apparent error in the antipatterns in the test script that I
cloned:

185 invalid_ltd.foo !invalid_tld
186 invalid_ltd.bar !invalid_tld
187 invalid_ltd.xyzzy !invalid_tld
188 invalid_ltd.co.zz !invalid_tld
189
190 www.invalid_ltd.foo !invalid_tld
191 www.invalid_ltd.bar !invalid_tld
192 www.invalid_ltd.xyzzy !invalid_tld
193 www.invalid_ltd.co.zz !invalid_tld

Shouldn't the "_ltd" / "_tld" bit match to ensure the invalid TLD is not
captured as a URI?

Or are these essentially NOP'd out by mangling because SA is not doing
valid-TLD filtering? If so, should these be explicitly commented out instead of
being mangled so they pass? Like this antipattern:

222 #keyword:sportscar !sportscar

The SVN history shows it's been that way since the initial commit.
