[ET Trac] [Einstein Toolkit] #719: Mailing lists could have a link to the archived version of the message
Einstein Toolkit
trac-noreply at einsteintoolkit.org
Tue Sep 9 13:57:39 CDT 2014
#719: Mailing lists could have a link to the archived version of the message
--------------------------+-------------------------------------------------
Reporter: hinder | Owner: knarf
Type: enhancement | Status: assigned
Priority: minor | Milestone:
Component: Other | Version:
Resolution: | Keywords:
--------------------------+-------------------------------------------------
Comment (by knarf):

Decorate.py:
It gets message-id, and sets it to 'n/a' if not available, but then cuts
everything after a "@" by using [1:msgid.find("@")]. This is wrong in case
there is no "@" in the string, which in particular would be the case for
the earlier caught 'n/a'. Is this first patch supposed to be superseded
by the second?

HyperArch.py:
Is the first patch supposed to be superseded by the second?

The second patch: It seems to still use only the limited set of
([a-zA-Z0-9-]+ for parsing, and it still falls back to the real message ID
in case it does not fall into that - which still opens a security hole.
The set should be wider (see comment:5) and the archived_url has to be
sanitized, with the message ID being not trusted.

Where is {{{d['archive_url']}}} finally used? It is set by
Decorate.py.2.patch
--
Ticket URL: <https://trac.einsteintoolkit.org/ticket/719#comment:11>
Einstein Toolkit <http://einsteintoolkit.org>
The Einstein Toolkit
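
Added example (not part of the ticket comment and not the code of either patch): a Python 3 sketch of the slicing problem described for Decorate.py, next to one way of building the archive link without trusting the Message-ID. ARCHIVE_BASE, the function names and the choice of percent-encoding the local part are assumptions; the character set from comment:5 is not shown on this page.

```python
from email import message_from_string
from urllib.parse import quote

ARCHIVE_BASE = "https://lists.example.org/archive/msgid/"  # hypothetical URL

def local_part_as_described(msgid):
    """The slicing the comment describes: find() returns -1 without an '@'."""
    return msgid[1:msgid.find("@")]

def url_for_header(raw):
    """Build the archive link from an untrusted Message-ID value, or None."""
    if raw is None:
        return None                      # no 'n/a' placeholder to mis-slice
    msgid = raw.strip()
    if msgid.startswith("<") and msgid.endswith(">"):
        msgid = msgid[1:-1]
    local, sep, _domain = msgid.partition("@")
    if not sep or not local.strip("."):
        return None                      # no '@', empty, or dot-only local part
    # Percent-encode everything outside A-Za-z0-9_.-~ so the ID cannot add
    # path segments, query strings or markup to the link.
    return ARCHIVE_BASE + quote(local, safe="", errors="replace")

def archive_url(msg):
    """Same check, taking a parsed email.message.Message."""
    return url_for_header(msg.get("Message-ID"))

if __name__ == "__main__":
    # Constructed sample messages, not taken from the list archive.
    samples = [
        "Message-ID: <abc.123@mail.example.org>\n\nbody",
        "Message-ID: <a/../x\"y?z=1@mail.example.org>\n\nbody",
        "Message-ID: <no-at-sign>\n\nbody",
        "Subject: no message id\n\nbody",
    ]
    for text in samples:
        print(archive_url(message_from_string(text)))
    print(repr(local_part_as_described("n/a")))  # placeholder loses both ends
```

Whatever template finally emits d['archive_url'] still has to escape it for its output context; the encoding here only constrains the URL path.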