https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7651

            Bug ID: 7651
           Summary: Invalid domains in uri parser
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Libraries
          Assignee: dev@spamassassin.apache.org
          Reporter: h...@hege.li
  Target Milestone: Undefined

As discussed on the mailing list. Opening this to investigate what kinds of crap
end up in uri lists, especially with the schemeless uri parser.

[a-z\d][a-z\d._-]{0,251}\.${tldsRE}

Seems a bit simple since it can match anything like a
"1-------------------------------------------------------------------------------------------------------------.com".

Perhaps check hostname validity more carefully, characters, individual part
length (<64) etc.


On Mon, Nov 05, 2018 at 02:44:29PM +0000, RW wrote:
> On Sun, 04 Nov 2018 19:28:02 -0500
> Bill Cole wrote:
>
> > On 4 Nov 2018, at 16:27, Henrik K wrote:
> >
> > > Can someone actually register and use a domain with underscore in
> > > it?
> >
> > No.
> >
> ...
> > I support the concept of not treating domain-name-like strings that
> > are not valid hostnames as if they are URI domain-parts. That would
> > mean anything with an underscore. It MIGHT be more prudent to exempt
> > leading-underscore labels, as those can be legal domain names that
> > could have CNAME or DNAME records mapping them to working hostnames.
>
> I created an A-record at Namecheap for a_b.mydomain.tld and
> neither firefox nor chromium had a problem with it.
>
> I think the ideal would be to allow underscores when parsing-out domain
> names and then discard anything with an underscore in the registered
> part.

I've applied this to trunk.  Since it's mainly a problem with unnecessary
URIBL queries, that's what I've patched for now.  Need to ponder if it's ok
to filter completely out of get_uri_detail_list internals.


Sending        lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm
Transmitting file data .done
Committing transaction...
Committed revision 1845807.

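
The checks raised in this thread (per-label length under 64, valid characters, and tolerating underscores except in the registered part), as an added Perl example; it is not the change committed in revision 1845807 and not SpamAssassin's own code. The function name `hostname_reject_reason` and the rule that the last two labels form the registered part are assumptions for illustration.

```perl
use strict;
use warnings;

# Returns a reason string if $host should not be treated as a URI domain,
# or undef if it looks like a usable hostname.
# Assumption: the registered part is the last $reg_labels labels (default 2);
# real code would consult a registry-boundary / public-suffix list instead.
sub hostname_reject_reason {
    my ($host, $reg_labels) = @_;
    $reg_labels //= 2;
    $host = lc $host;
    $host =~ s/\.$//;                       # tolerate one trailing root dot
    return 'empty or longer than 253 chars'
        if $host eq '' || length($host) > 253;

    my @labels = split /\./, $host, -1;     # -1 keeps empty labels ("a..b")
    return 'needs at least two labels' if @labels < 2;

    for my $i (0 .. $#labels) {
        my $l = $labels[$i];
        my $registered = $i > $#labels - $reg_labels;
        return 'empty label' if $l eq '';
        return 'label longer than 63 chars' if length($l) > 63;
        return "invalid character in '$l'" if $l !~ /^[a-z0-9_-]+$/;
        return "label '$l' starts or ends with hyphen" if $l =~ /^-|-$/;
        return "underscore in registered part '$l'"
            if $registered && $l =~ /_/;
    }
    return;
}

# Constructed sample inputs, not taken from real mail.
my @samples = (
    'www.example.com',
    'a_b.example.com',               # underscore left of the registered part
    '_dmarc.example.com',            # leading-underscore label
    'exam_ple.com',                  # underscore in the registered part
    '1' . ('-' x 109) . '.com',      # the kind of string the loose regex matches
    'foo..example.com',
);
for my $h (@samples) {
    my $why   = hostname_reject_reason($h);
    my $shown = length($h) > 30 ? substr($h, 0, 27) . '...' : $h;
    printf "%-32s %s\n", $shown, defined $why ? "reject: $why" : 'ok';
}
```

Only the first three samples pass; the rest are rejected before any URIBL lookup would be issued for them.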