view: fix x-post links for relative urls

We need to make correct relative URL paths for users configuring
publicinbox.$NAME.url as relative URL paths (e.g. matching the
inbox `$NAME').

Users of protocol-relative (e.g. `//$HOST/$NAME') and absolute URIs
(e.g `https://example.com/$NAME') were unaffected by this bug.
Users relying on publicinbox.nameIsUrl and omitting
publicinbox.*.url entries were also immune to this bug.

Automated tests are in progress and will come in a separate commit.

Reported-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Link: https://public-inbox.org/meta/20240909-muskox-of-illegal-engineering-dadeda@lemur/

diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 154e75379c3d6f7401b510bc0bf592c99ccb8c8e..37c910f85244e99f8e1f435b5f8c4d399edad9ac 100644 (file)
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -213,6 +213,7 @@ sub addr2urlmap ($) {
        @$ent;
 }
 
+# called by /$INBOX/$MSGID/[tT]/
 sub to_cc_html ($$$$) {
        my ($ctx, $eml, $field, $t) = @_;
        my @vals = $eml->header($field) or return ('', 0);
@@ -239,7 +240,14 @@ sub to_cc_html ($$$$) {
                }
                $line_len += length($n);
                $url = $addr2url->{lc($pair->[1] // '')};
-               $html .= $url ? qq(<a\nhref="$url$t">$n</a>) : $n;
+               # cross-inbox links are relative to /$CUR_INBOX/$MSGID/[tT]/
+               if ($url) {
+                       $url =~ m!\A(?:https?:)?//!i or
+                               substr $url, 0, 0, '../../../';
+                       $html .= qq(<a\nhref="$url$t">$n</a>);
+               } else {
+                       $html .= $n;
+               }
        }
        ($html, $len + $line_len);
 }
@@ -716,7 +724,12 @@ href="d/">diff</a>)</pre><pre>];
        $hbuf = ascii_html($hbuf);
        my $t = $ts ? '?t='.ts2str($ts) : '';
        my ($re, $addr2url) = addr2urlmap($ctx);
-       $hbuf =~ s!$re!qq(<a\nhref=").$addr2url->{lc $1}.qq($t">$1</a>)!sge;
+       # $url is relative to /$INBOX/$MSGID/
+       $hbuf =~ s#$re#
+               my ($addr, $url) = ($1, $addr2url->{lc $1});
+               substr $url, 0, 0, '../../' if $url !~ m!\A(?:https?:)?//!i;
+               qq(<a\nhref="$url$t">$addr</a>)
+               #sge;
        $ctx->{-title_html} = ascii_html(join(' - ', @title));
        if (my $obfs_ibx = $ctx->{-obfs_ibx}) {
                obfuscate_addrs($obfs_ibx, $hbuf);