On 13 November 2017 at 10:14, Daniel Gruno <[email protected]> wrote:
> On 11/13/2017 11:08 AM, sebb wrote:
>> On 13 November 2017 at 02:36, Craig Russell <[email protected]> wrote:
>>> When trying to validate links for VOTE and NOTICE, the demo code attempts
>>> to retrieve the message from lists.apache.org.
>>>
>>> # attempt to fetch the page
>>> if @votelink =~ /^https?:/i
>>>   uri = URI.parse(@votelink)
>>>   http = Net::HTTP.new(uri.host.untaint, uri.port)
>>>   if uri.scheme == 'https'
>>>     http.use_ssl = true
>>>     http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>>>   end
>>>   request = Net::HTTP::Get.new(uri.request_uri.untaint)
>>>   response = http.request(request)
>>>   unless response.code.to_i < 400
>>>     _error "HTTP status #{response.code} for #{@votelink}"
>>>     _focus :votelink
>>>   end
>>> else
>>>   _error 'Only http(s) links are accepted for vote links'
>>>   _focus :votelink
>>> end
>>>
>>> But lists.apache.org does not complain about invalid links. It happily
>>> returns *nothing* with no errors.
>>>
>>> try this:
>>>
>>> curl https://lists.apache.org/thread.html/11@%3Csecurity.apache.org%3E
>>>
>>> It returns a good page with no content. Probably a good DOS attack defense.
>>>
>>> I think we need to check more than response.code < 400. Like maybe some
>>> content?
>>
>> That link is intended for browsers, and will pop up an error message
>> using JavaScript.
>>
>> There are other URLs that are more suitable for automated processing,
>> for example:
>>
>> https://github.com/apache/incubator-ponymail/blob/master/docs/API.md
>>
>> It's not documented, but thread.html actually invokes thread.lua:
>>
>> curl 'https://lists.apache.org/api/thread.lua?id=11@%3Csecurity.apache.org%3E'
>>
>> which responds with JSON.
>>
>> *However*
>>
>> note that private mails require the user to be logged in.
>> I've no idea how to do that from code.
>
> Create a fake LDAP user with member access (infra can help), log in, get
> the cookie, and thanks to pony mail storing cookies foreeeever (for
> now), you can use that cookie to see private email.
>
> Alternately, we could whitelist the whimsy VM somehow on lists.a.o for
> access to everything.
Or allow public access to check if a particular mail exists or not,
without returning any content. This could expose if a particular list
name is served, but that is probably not a big deal.

Also, it depends when/how the check is to be made.

If the check is being made by the Secretary whilst logged in to Whimsy,
then they just need to ensure that they are also logged in to lists.a.o.
The code could generate the link to check the email. The link would then
be processed by the local browser which will have the cookie.

>>
>>> Craig
>>>
>>> Craig L Russell
>>> [email protected]
>>>
>
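As an added example (not code from the thread, Whimsy or Pony Mail): a Ruby sketch of the check discussed above. It rewrites the thread.html permalink to the thread.lua API URL, requires a non-empty JSON body instead of just a status below 400, and keeps TLS certificate verification on. The JSON field names and the sample responses are constructed assumptions; private lists still need a logged-in session, which this does not handle.

```ruby
require 'json'
require 'net/http'
require 'openssl'
require 'uri'

# Map a lists.apache.org thread.html permalink to the thread.lua API URL
# named in the thread, which answers with JSON rather than a page that
# reports errors via JavaScript. Returns nil for anything else.
def api_url_for(votelink)
  uri = URI.parse(votelink)
  return nil unless %w[http https].include?(uri.scheme.to_s.downcase)
  return nil unless uri.host == 'lists.apache.org'
  m = uri.path.match(%r{\A/thread\.html/([^/]+)\z})
  m && "https://lists.apache.org/api/thread.lua?id=#{m[1]}"
rescue URI::InvalidURIError
  nil
end

# Judge a fetched response. A status below 400 is not proof the mail
# exists: the HTML permalink answers 200 with an empty page for unknown
# ids, so the body must also be non-empty JSON with some content.
# Returns [ok, reason].
def vote_link_status(code, body)
  return [false, "HTTP status #{code}"] unless code.to_i.between?(200, 299)
  return [false, 'empty response body'] if body.nil? || body.strip.empty?
  data = JSON.parse(body)
  return [false, 'no thread content'] if data.respond_to?(:empty?) && data.empty?
  [true, 'ok']
rescue JSON::ParserError
  [false, 'response is not JSON']
end

# Fetch with certificate verification on; the quoted code used
# VERIFY_NONE, which accepts any certificate presented for the host.
# This makes a network call, so the constructed samples below do not use it.
def fetch_vote_link(url)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.open_timeout = http.read_timeout = 10
  resp = http.request(Net::HTTP::Get.new(uri.request_uri))
  vote_link_status(resp.code, resp.body)
end

# Constructed samples: the empty "good page" from the thread, and a
# hypothetical JSON body (the real API's field names are not assumed).
p vote_link_status('200', '')                       # => [false, "empty response body"]
p vote_link_status('200', '{"thread":{"mid":"x"}}') # => [true, "ok"]
```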
