File paths of archived messages may be exposed in the result of arcsearch #1364

Closed
ikedas opened this issue Mar 24, 2022 · 0 comments · Fixed by #1365

ikedas commented Mar 24, 2022

Version

All.

Installation method

Any.

Expected behavior

Absolute file paths of archived messages should not be exposed through operations with the web interface.

Actual behavior

If the list name contains a metacharacter, e.g. `+`, the absolute file paths of the messages may be exposed in the result of the arcsearch action of the web interface.

Steps to reproduce

  1. Create a list with the name `list+test`.
  2. Post any messages to the list and fill its archive.
  3. Visit the archive page of the list and then perform an archive search.

The links to the messages in the search result are incorrect: they contain absolute file paths to the archived messages instead of their proper URLs.

Additional information

This flaw is found in all releases of Sympa since the arcsearch feature was introduced.

ikedas added a commit to ikedas/sympa that referenced this issue Mar 24, 2022
ikedas added a commit that referenced this issue Apr 1, 2022
WWSympa: File paths of archived messages may be exposed in the result of arcsearch (#1364)
@ikedas ikedas added this to the 6.2.70 milestone Jun 9, 2022
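
The class of bug the report points to, as an added example that is not taken from Sympa's code: it assumes result links are derived by stripping the per-list archive directory from each file path with a pattern built from the list name. The archive root, file name and helper names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values; only the list name "list+test" comes from the report.
my $arc_root = '/var/lib/sympa/arc';
my $list     = 'list+test';
my $dir      = "$arc_root/$list";
my $file     = "$dir/2022-03/msg00001.html";

# Hypothetical helper: make a relative link by stripping the archive directory
# with an UNQUOTED pattern. The "+" in the list name is read as a quantifier,
# so the pattern no longer matches the real path and nothing is stripped.
sub link_unquoted {
    my ($path, $base) = @_;
    (my $link = $path) =~ s{^$base/}{};
    return $link;
}

# Same helper with the directory wrapped in \Q...\E, so every character of the
# list name is matched literally.
sub link_quoted {
    my ($path, $base) = @_;
    (my $link = $path) =~ s{^\Q$base\E/}{};
    return $link;
}

# Defence in depth: never emit a link that still looks like a filesystem path,
# whatever the reason the prefix was not removed.
sub safe_link {
    my ($path, $base) = @_;
    my $link = link_quoted($path, $base);
    die "refusing to emit filesystem path in search result\n"
        if $link =~ m{^/};
    return $link;
}

printf "unquoted pattern: %s\n", link_unquoted($file, $dir);
printf "quoted pattern:   %s\n", link_quoted($file, $dir);
printf "checked link:     %s\n", safe_link($file, $dir);
```

Other regex metacharacters that are valid in a list name, such as `.`, are handled by the same quoting.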