When trying to validate links for VOTE and NOTICE, the demo code attempts to
retrieve the message from lists.apache.org.
    require 'net/http'
    require 'uri'
    require 'openssl'

    # attempt to fetch the page
    if @votelink =~ /^https?:/i
      uri = URI.parse(@votelink)
      # untaint: legacy $SAFE taint handling, only relevant on older Rubies
      http = Net::HTTP.new(uri.host.untaint, uri.port)
      if uri.scheme == 'https'
        http.use_ssl = true
        # VERIFY_NONE disables certificate verification; VERIFY_PEER is the safe setting
        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
      end
      request = Net::HTTP::Get.new(uri.request_uri.untaint)
      response = http.request(request)
      # only the status code is checked: any 2xx/3xx answer passes
      unless response.code.to_i < 400
        _error "HTTP status #{response.code} for #{@votelink}"
        _focus :votelink
      end
    else
      _error 'Only http(s) links are accepted for vote links'
      _focus :votelink
    end
But lists.apache.org does not complain about invalid links. It happily returns
*nothing* with no errors.
Try this:
curl https://lists.apache.org/thread.html/11@%3Csecurity.apache.org%3E
It returns a good page with no content. Probably a good DoS attack defense.
I think we need to check more than response.code < 400. Like maybe some content?
Craig
Craig L Russell
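A stricter check along the lines Craig suggests, added here as an example rather than code from the demo or from Craig: it keeps the status check, rejects a blank body, optionally requires a caller-supplied marker string, and takes an injectable fetcher so it can be exercised offline. FakeResponse, fetch_link, vote_link_problem and the marker text are assumed names, not part of the original; the hardened fetcher also keeps certificate verification on.

```ruby
require 'net/http'
require 'uri'
require 'openssl'

# Minimal stand-in for Net::HTTPResponse so the checker can run offline (constructed).
FakeResponse = Struct.new(:code, :body)

# Fetch a URL over http(s). Unlike the demo code this keeps certificate
# verification on (VERIFY_PEER); a bad certificate surfaces as an SSLError.
def fetch_link(link)
  uri = URI.parse(link)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  http.request(Net::HTTP::Get.new(uri.request_uri))
end

# Validate a VOTE/NOTICE link. Returns nil when the link looks usable, otherwise
# a human-readable error. The status code alone is not enough: lists.apache.org
# answers an unknown thread id with a 2xx "page" carrying no thread content, so
# the body is checked as well. `marker` is text the caller expects in a real
# thread page (hypothetical; the exact text depends on the site's markup).
def vote_link_problem(link, fetcher: method(:fetch_link), marker: nil)
  return 'Only http(s) links are accepted for vote links' unless link =~ /\Ahttps?:/i
  response = begin
    fetcher.call(link)
  rescue SocketError, OpenSSL::SSL::SSLError, Timeout::Error => e
    return "Could not fetch #{link}: #{e.class}"
  end
  code = response.code.to_i
  return "HTTP status #{code} for #{link}" if code >= 400
  body = response.body.to_s
  return "Empty response for #{link}" if body.strip.empty?
  return "No vote content found at #{link}" if marker && !body.include?(marker)
  nil
end
```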