https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8373
Bug ID: 8373
Summary: Plugin::Redirectors sometimes downgrades https to http before sending requests
Product: Spamassassin
Version: 4.0.2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
This bug also affects trunk. Starting at line 866 in trunk:
    # Check parameters regexp and https:// in the querystring
    if (($params =~ /(?:\?|\&)$rreg/gis) or ($params =~ /(?:\/|\_|\=)(?:https?:)?\/\/(.*)/)) {
      dbg("Found redirection with path $params");
      my $newuri = $1;
      if($newuri !~ /^http/) {
        $newuri = 'http://' . $newuri;
      }
      return $newuri;
If only that second regex hits, it will capture starting with the path,
ignoring the scheme, and then 'http://' will be prepended. Most of the time,
this means stripping https, and downgrading it to http. I'd suggest it should
capture the scheme too:
    $params =~ /(?:\/|\_|\=)((?:https?:)?\/\/.*)/
Note that the first regex does capture the scheme, if present.
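The downgrade described in the report, reproduced as an added example (not SpamAssassin's code and not the reporter's): the two regexes are copied from the report, while `extract`, `extract_scheme_aware` and the sample query strings are hypothetical names and constructed inputs. It goes one step beyond the report by also running a scheme-relative target (`//host/...`) through both regexes.

```perl
use strict;
use warnings;

# Regexes copied from the report: the current one starts its capture
# after the optional scheme, the suggested one includes the scheme.
my $current   = qr/(?:\/|\_|\=)(?:https?:)?\/\/(.*)/;
my $suggested = qr/(?:\/|\_|\=)((?:https?:)?\/\/.*)/;

# Mirrors the excerpt's handling of $1 for the second regex only.
sub extract {
    my ($re, $params) = @_;
    return undef unless $params =~ $re;
    my $newuri = $1;
    if ($newuri !~ /^http/) {
        $newuri = 'http://' . $newuri;
    }
    return $newuri;
}

# Hypothetical variant (assumption, not project code): suggested regex,
# but a scheme-relative capture ("//host/...") gets only "http:" prepended.
sub extract_scheme_aware {
    my ($params) = @_;
    return undef unless $params =~ $suggested;
    my $newuri = $1;
    $newuri = 'http:' . $newuri if $newuri =~ m{^//};
    return $newuri;
}

# Constructed sample query strings (example.test is a placeholder host).
my @samples = (
    '?url=https://example.test/login',
    '?url=http://example.test/login',
    '?url=//example.test/login',
);

for my $p (@samples) {
    printf "%-34s current=%s\n",      $p, extract($current, $p);
    printf "%-34s suggested=%s\n",    '', extract($suggested, $p);
    printf "%-34s scheme-aware=%s\n", '', extract_scheme_aware($p);
}
```

With the current regex the `https://` sample comes back as `http://example.test/login`. With the suggested regex the scheme is preserved, but the scheme-relative sample is captured as `//example.test/login` and the unchanged `'http://'` prefix turns it into `http:////example.test/login`, which is the case the third function handles.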