On 11/13/2017 11:08 AM, sebb wrote:
> On 13 November 2017 at 02:36, Craig Russell <[email protected]> wrote:
>> When trying to validate links for VOTE and NOTICE, the demo code attempts to
>> retrieve the message from lists.apache.org.
>>
>>   # attempt to fetch the page
>>   if @votelink =~ /^https?:/i
>>     uri = URI.parse(@votelink)
>>     http = Net::HTTP.new(uri.host.untaint, uri.port)
>>     if uri.scheme == 'https'
>>       http.use_ssl = true
>>       http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>>     end
>>     request = Net::HTTP::Get.new(uri.request_uri.untaint)
>>     response = http.request(request)
>>     unless response.code.to_i < 400
>>       _error "HTTP status #{response.code} for #{@votelink}"
>>       _focus :votelink
>>     end
>>   else
>>     _error 'Only http(s) links are accepted for vote links'
>>     _focus :votelink
>>   end
>>
>> But lists.apache.org does not complain about invalid links. It happily
>> returns *nothing* with no errors.
>>
>> Try this:
>>
>> curl https://lists.apache.org/thread.html/11@%3Csecurity.apache.org%3E
>>
>> It returns a good page with no content. Probably a good DoS attack defense.
>>
>> I think we need to check more than response.code < 400. Like maybe some
>> content?
>
> That link is intended for browsers, and will pop up an error message
> using JavaScript.
>
> There are other URLs that are more suitable for automated processing,
> for example:
>
> https://github.com/apache/incubator-ponymail/blob/master/docs/API.md
>
> It's not documented, but thread.html actually invokes thread.lua:
>
> curl 'https://lists.apache.org/api/thread.lua?id=11@%3Csecurity.apache.org%3E'
>
> which responds with JSON.
>
> *However*
>
> note that private mails require the user to be logged in.
> I've no idea how to do that from code.
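As an added example that is not part of this thread and not Whimsy's or Pony Mail's own code: a vote-link check along the lines sebb suggests, which rewrites the browser link to the thread.lua endpoint and requires actual content instead of stopping at response.code < 400. The helper names and the assumption that a live thread's JSON carries a non-empty 'emails' array are mine, not confirmed by the discussion.

```ruby
# Added example, not Whimsy's or Pony Mail's code: a vote-link check that does
# not stop at response.code < 400, since lists.apache.org answers an unknown
# thread id with HTTP 200 and an empty page. It asks the thread.lua endpoint
# instead and requires content. Assumption: a live thread's JSON carries a
# non-empty 'emails' array (field name not confirmed by this discussion).
require 'json'
require 'net/http'
require 'uri'
# Map https://lists.apache.org/thread.html/<id> to the JSON API form;
# nil for links that are not thread.html links.
def api_url_for(votelink)
  uri = URI.parse(votelink)
  unless %w[http https].include?(uri.scheme)
    raise ArgumentError, 'Only http(s) links are accepted for vote links'
  end
  m = uri.path.match(%r{\A/thread\.html/(.+)\z})
  m && URI("#{uri.scheme}://#{uri.host}/api/thread.lua?id=#{m[1]}")
end

# A 200 with an empty body, non-JSON body or empty 'emails' array is a dead
# link; the status-code-only check accepts all three.
def classify_thread_response(code, body)
  return :http_error if code.to_i >= 400
  return :empty if body.nil? || body.strip.empty?
  data = JSON.parse(body)
  return :not_json unless data.is_a?(Hash)
  emails = data['emails']
  emails.is_a?(Array) && !emails.empty? ? :ok : :no_messages
rescue JSON::ParserError
  :not_json
end

# Real fetch; TLS verification stays at the default (VERIFY_PEER). Private
# lists still need an authenticated session, which this does not provide.
def fetch_thread(api_uri)
  http = Net::HTTP.new(api_uri.host, api_uri.port)
  http.use_ssl = (api_uri.scheme == 'https')
  response = http.request(Net::HTTP::Get.new(api_uri.request_uri))
  [response.code, response.body]
end
# fetcher is injectable so the decision logic can be exercised offline.
def vote_link_status(votelink, fetcher = method(:fetch_thread))
  api = api_url_for(votelink)
  return :not_a_thread_link unless api
  classify_thread_response(*fetcher.call(api))
end
# Constructed sample reply (not captured from lists.apache.org).
SAMPLE_OK = { 'emails' => [{ 'mid' => 'constructed-id', 'subject' => '[VOTE] x' }] }.to_json
```

Calling vote_link_status with the default fetcher performs a real request; the injected lambda form is what the offline checks use.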
Create a fake LDAP user with member access (infra can help), log in, get the
cookie, and thanks to pony mail storing cookies foreeeever (for now), you can
use that cookie to see private email. Alternately, we could whitelist the whimsy
VM somehow on lists.a.o for access to everything.

>
>> Craig
>>
>> Craig L Russell
>> [email protected]
>>
