
This queue is for tickets about the MIME-Lite-HTML CPAN distribution.

Report information
The Basics
Id: 19656
Status: resolved
Priority: 0/
Queue: MIME-Lite-HTML

People
Owner: Nobody in particular
Requestors: rjbs [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: 1.22



Subject: unknown URI schemes cause rewrite to fail
When rewriting content in the &parse routine, the creation of new URI::WithBase objects should be eval-wrapped. Otherwise, MIME::Lite::HTML will fail when the HTML contains an href to a scheme that URI doesn't know about -- like javascript.

In other words, this line:

    my $urlAbs = URI::WithBase->new($$url[2],$racinePage)->abs;

should read:

    my $urlAbs = eval { URI::WithBase->new($$url[2],$racinePage)->abs; };

-- rjbs
This bug is nearly two months old. Is this distribution abandoned? -- rjbs
I sent the author another email about this. -- rjbs
> In other words, this line:
>
>     my $urlAbs = URI::WithBase->new($$url[2],$racinePage)->abs;
>
> should read:
>
>     my $urlAbs = eval { URI::WithBase->new($$url[2],$racinePage)->abs; };
Have you an example? I try with:

    <img src="jjavascript:alert('http://alianwebserver.alianet');">
or
    <img src="javascript:alert('http://alianwebserver.alianet');">
or
    <a href="jjavascript:alert('http://alianwebserver.alianet');">
or
    <a href="javascript:alert('http://alianwebserver.alianet');">

without problem
Wow! Reproducing this was a /lot/ harder than I thought! Fortunately, I still had the stack trace of this problem in our internal bug system.

The issue is that:

1. unknown URI schemes lead to URI::_foreign objects
2. URI::URL extends URI::_foreign
3. these extensions cause it to die on unknown scheme /IF/ strict is set
4. strict is a global variable
5. something else somewhere is setting it

Since I probably can't always control what will touch that global variable, the solution is either to:

a. save old value of strict before rewriting, then restore
b. eval the creation of the WithBase

Since WithBase will never (I think!) end up being useful for _foreign URIs, I think that eval is simpler and more straightforward.

-- rjbs
The attached script demonstrates this bug. -- rjbs

#!perl
use strict;
use warnings;
use MIME::Lite::HTML;

# This could be done by nearly anything anywhere in some other module:
{
  require URI::URL;
  URI::URL->strict(1);
}

my $ml = MIME::Lite::HTML->new(
  IncludeType => 'extern',
  From        => 'rjbs@rjbs.rjbs',
  To          => 'rjbs@rjbs.rjbs',
  Subject     => 'rjbs@rjbs.rjbs',
);

my $html = <<'END_HTML';
<html>
<body>
Yourface.
<a href="xxx://yourface">foo</a>
<img src="xxx://yourface" />
</body>
</html>
END_HTML

my $mlmail = $ml->parse( $html, "" );

After a LOT of grepping, I believe the culprit in my program was URI::Find. See its changelog: http://search.cpan.org/src/ROSCH/URI-Find-0.16/Changes They fixed this bug, but anyone else can re-introduce it, because it is global. Defensive programming suggests we assume that strict is on. -- rjbs
On Wed Sep 06 09:39:30 2006, RJBS wrote:
> The attached script demonstrates this bug.
Ok with that, I understand and make the correct fix & add tests for that.