https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8101
Bug ID: 8101
Summary: DecodeShortURLs fails to resolve chained relative location paths
Product: Spamassassin
Version: 4.0.0
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: dev@spamassassin.apache.org
Reporter: dilld...@bjork.org
Target Milestone: Undefined

When an embedded URL in a message resolves to a relative location path, DecodeShortURLs fails to fully resolve it. This appears to be actively exploited in spam already, which is how I came across it.

Example (random, not from a spam message); note the double slash preceding the path:

https://bit.ly//1Zmfo8z

This will return "location: /1Zmfo8z", which is a fully valid relative response. The plugin will however try to fetch the returned location header verbatim, rather than relative to the first request.

Ideally the plugin should maintain a minimal state sufficient to fully handle all examples in section 5.4.1 of RFC 3986: https://www.rfc-editor.org/rfc/rfc3986#section-5.4
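As an added illustration (not code from the bug report or from the SpamAssassin DecodeShortURLs plugin), the following Python resolver keeps the current request URL as state and applies RFC 3986 section 5 reference resolution to every Location value it sees, so the report's "/1Zmfo8z" reply is fetched relative to the first request instead of verbatim. The redirect table, the example.net hops and the hop limit are constructed stand-ins for the short-URL services' HTTP responses, not real data.

```python
"""Redirect-chain resolver that resolves each Location header against the
URL that produced it (RFC 3986 section 5), rather than fetching it as-is."""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumed limit; stops runaway or looping redirect chains

# Constructed stand-in for live HTTP responses: request URL -> Location value.
# Made-up sample values; the second and third hops are not real bit.ly targets.
FAKE_RESPONSES = {
    "https://bit.ly//1Zmfo8z": "/1Zmfo8z",                  # relative reply from the report
    "https://bit.ly/1Zmfo8z": "//example.net/landing?x=1",  # scheme-relative (RFC 5.4.1 "//g")
    "https://example.net/landing?x=1": "../final/page",     # dot-segment reference
}


def resolve_location(base_url, location):
    """Resolve one Location header value against the request URL that returned it.

    urljoin implements the RFC 3986 section 5.2 algorithm (merge paths, remove
    dot segments, inherit scheme/authority/query as required).  A result with no
    http(s) scheme or no host cannot be fetched and is rejected.
    """
    target = urljoin(base_url, location)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unresolvable redirect target {location!r} from {base_url!r}")
    return target


def follow_redirects(start_url, responses=FAKE_RESPONSES, max_hops=MAX_HOPS):
    """Walk a redirect chain and return every URL visited, final URL last.

    The current URL is the state the plugin needs: each Location is resolved
    against it before the next lookup.  Loops and over-long chains raise.
    """
    chain = [start_url]
    current = start_url
    for _ in range(max_hops):
        location = responses.get(current)
        if location is None:          # no redirect: this is the final URL
            return chain
        current = resolve_location(current, location)
        if current in chain:
            raise ValueError(f"redirect loop at {current!r}")
        chain.append(current)
    raise ValueError(f"more than {max_hops} redirects from {start_url!r}")


if __name__ == "__main__":
    for hop in follow_redirects("https://bit.ly//1Zmfo8z"):
        print(hop)
```

Swapping `FAKE_RESPONSES` for a function that performs the HTTP request and reads the real Location header turns this into a working resolver with the same state handling.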