From 82537081c14148f18f5037490993f193dddd4ec1 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Mon, 16 Sep 2024 21:03:01 +0000
Subject: [PATCH] www: test address URL-fication Probably more tests coming, but setup stuff is still on the slow side. While email addresses can be all sorts of uncommon characters, I'm also fairly certain we can disallow the [&;<>] set from being URL-fied.
---
 MANIFEST | 1 +
 lib/PublicInbox/View.pm | 2 +-
 t/psgi_urlfication.t | 71 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 t/psgi_urlfication.t
diff --git a/MANIFEST b/MANIFEST
index 34d3ef14a..3c4cefb43 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -589,6 +589,7 @@ t/psgi_multipart_not.t
 t/psgi_scan_all.t
 t/psgi_search.t
 t/psgi_text.t
+t/psgi_urlfication.t
 t/psgi_v2-new.eml
 t/psgi_v2-old.eml
 t/psgi_v2.t
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 5d4742925..275258e3f 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -74,7 +74,7 @@ sub addr2urlmap ($) {
 while (my ($addr, $ibx) = each %$by_addr) {
 # FIXME: use negative look(behind|ahead) in s// for
 # `&' and `;' to make them not match \b
- next if $addr =~ /\A(?:gt|lt|#[0-9]+)\z/;
+ next if $addr =~ /\A(?:[&;<>]|gt|lt|#[0-9]+)\z/;
 $url = $ibx->base_url // $ibx->base_url($ctx->{env});
 $addr2url{ascii_html($addr)} = ascii_html($url)
 if defined $url
diff --git a/t/psgi_urlfication.t b/t/psgi_urlfication.t
new file mode 100644
index 000000000..673ded9fc
--- /dev/null
+++ b/t/psgi_urlfication.t
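Review bot: The skip list on the changed `next if` line in lib/PublicInbox/View.pm covers `gt`, `lt` and decimal `#NNN`, but no other entity names that the escaped page text may contain. If `ascii_html` also emits `&amp;` or `&quot;` (its output is not visible in this hunk), an inbox address configured as `amp` or `quot` would still be mapped and could be substituted inside an entity, breaking the escaped markup. Consider `next if $addr =~ /\A(?:[&;<>]|gt|lt|amp|quot|#[0-9]+)\z/;`. Separately, `[&;<>]` sits inside `\A…\z`, so only one-character addresses are skipped and an address that merely contains one of those characters is still URL-fied, which is narrower than the commit message reads; a comment such as `# only whole-address matches are skipped; addresses containing these chars rely on ascii_html` would make that explicit. addr2urlmap starts before and continues after this hunk.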
@@ -0,0 +1,71 @@ +#!perl -w +# Copyright (C) all contributors +# License: AGPL-3.0+ +# corner cases to abuse URL-fication +use v5.12; use PublicInbox::TestCommon; +use autodie; +use PublicInbox::IO qw(write_file); +require_mods(qw(DBD::SQLite Xapian psgi -httpd)); +require PublicInbox::Eml; +require PublicInbox::WWW; + +my $ibx_a = create_inbox 'a', indexlevel => 'basic', sub { + my ($im, $ibx) = @_; + $im->add(PublicInbox::Eml->new(< +To: <$ibx->{-primary_address}> +Cc: <;>, <"foo>">, , , "<", ">", , + somethingelse\@example.com +EOM +}; + +my $ibx_b = create_inbox 'b', indexlevel => 'basic', sub { + my ($im, $ibx) = @_; + $im->add(PublicInbox::Eml->new(< +From: b\@example.com +To: <$ibx->{-primary_address}> +Cc: <$ibx_a->{-primary_address}> +EOM +}; + +my $tmpdir = tmpdir; +my $cfgpath = "$tmpdir/public-inbox.config"; + +write_file '>', $cfgpath, <{inboxdir} + address = $ibx_a->{-primary_address} + address = somethingelse\@example.com +[publicinbox "b"] + inboxdir = $ibx_b->{inboxdir} + address = $ibx_b->{-primary_address} + address = ";" + address = & + address = gt + address = > + address = < +EOM +my $cfg = PublicInbox::Config->new($cfgpath); +my $www = PublicInbox::WWW->new($cfg); +my $env = { TMPDIR => "$tmpdir", PI_CONFIG => $cfgpath }; +my $client = sub { + my ($cb) = @_; + my $res = $cb->(GET('/a/xpost-addr-urlfic@tion/')); + my $content = $res->content; + for my $c ('&', ';', '<', '>') { + unlike $content, qr/>$csomethingelse\@example\.comcall(@_) }, $client); +test_httpd $env, $client; + +done_testing; -- 2.47.3
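Review bot: The assertion loop `for my $c ('&', ';', '<', '>')` in t/psgi_urlfication.t leaves three branches of the View.pm pattern unchecked, as far as the legible part of the loop shows. The config registers `address = gt` for inbox b, but `gt` is not in the loop list, and `lt` and a `#NNN` address are neither configured nor checked. Extending the list, e.g. `for my $c ('&', ';', '<', '>', 'gt', 'lt', '#39') {` with matching `address =` lines, would pin the pre-existing entity-name skips as well as the new character class. Part of the loop body is not readable on this page, so confirm that the `unlike` pattern also fits multi-character values.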