https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8110
Bug ID: 8110
Summary: DecodeShortURLs should offer per-shortener setting to override UA
Product: Spamassassin
Version: 4.0.0
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
The default UA in DecodeShortURLs tries to emulate a browser, which for many
redirectors is necessary. However, for certain redirectors this causes an
undesired change in behavior.
Compare (using URL found in spam, originally leading to a phishing page):
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64 ;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36)" -I https://t.co/QXabAdmraO
This uses the default UA, and results in a 200, with a meta refresh in the
body. No trouble for a browser, but trouble for us.
But when using a non-browser (or at least specifically a "curl/n.nn.n") UA:
curl -I https://t.co/QXabAdmraO
You get a 301 with a location header, which works fine.
To get around this, there could be a config setting to override UA on a
per-shortener basis, the same way url_shortener_get lets you override method.
For maximum flexibility, this could even be a string input, so you could set an
entirely custom UA for an individual shortener.
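The two response shapes described in the report, and a per-host UA lookup of the kind it proposes, as an added offline example (not part of the report and not DecodeShortURLs code; written in Python rather than the plugin's Perl). The table `UA_OVERRIDES`, the functions `ua_for` and `next_hop`, the `curl/8.0.0` value and both sample responses are constructed for illustration. It goes one step beyond the report by also reading the meta refresh target from a body when one is available.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical per-shortener override table (illustrative names and values).
DEFAULT_UA = "Mozilla/5.0 (browser-like default)"
UA_OVERRIDES = {"t.co": "curl/8.0.0"}

def ua_for(url):
    """Pick the User-Agent for a short URL: per-host override, else the default."""
    host = (urlsplit(url).hostname or "").lower()
    return UA_OVERRIDES.get(host, DEFAULT_UA)

class _MetaRefresh(HTMLParser):
    """Collects the first <meta http-equiv="refresh"> target in a document."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "meta" or self.target is not None:
            return
        if (a.get("http-equiv") or "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\">]+)", a.get("content") or "", re.I)
        if m:
            self.target = m.group(1).strip()

def next_hop(url, status, headers, body=""):
    """Return the redirect target of one response, or None if there is none."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in hdrs:
        return urljoin(url, hdrs["location"])
    if status == 200 and body:
        parser = _MetaRefresh()
        parser.feed(body)
        if parser.target:
            return urljoin(url, parser.target)
    return None

# Constructed sample responses for the two cases in the report.
SHORT_URL = "https://t.co/EXAMPLE"
CURL_RESP = (301, {"Location": "https://landing.example/page"}, "")
BROWSER_RESP = (200, {"Content-Type": "text/html"},
                '<head><meta http-equiv="refresh" '
                'content="0;URL=https://landing.example/page"></head>')

if __name__ == "__main__":
    print(ua_for(SHORT_URL), next_hop(SHORT_URL, *CURL_RESP))
```

A header-only request (as with `curl -I`) has no body, so the browser-style 200 response yields no target unless the UA override turns it into the 301 case.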