On 13 November 2017 at 02:36, Craig Russell <apache....@gmail.com> wrote:
> When trying to validate links for VOTE and NOTICE, the demo code attempts to
> retrieve the message from lists.apache.org.
>
>     # attempt to fetch the page
>     if @votelink =~ /^https?:/i
>       uri = URI.parse(@votelink)
>       http = Net::HTTP.new(uri.host.untaint, uri.port)
>       if uri.scheme == 'https'
>         http.use_ssl = true
>         http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>       end
>       request = Net::HTTP::Get.new(uri.request_uri.untaint)
>       response = http.request(request)
>       unless response.code.to_i < 400
>         _error "HTTP status #{response.code} for #{@votelink}"
>         _focus :votelink
>       end
>     else
>       _error 'Only http(s) links are accepted for vote links'
>       _focus :votelink
>     end
>
> But lists.apache.org does not complain about invalid links. It happily
> returns *nothing* with no errors.
>
> try this:
>
> curl https://lists.apache.org/thread.html/11@%3Csecurity.apache.org%3E
>
> It returns a good page with no content. Probably a good DOS attack defense.
>
> I think we need to check more than response.code < 400. Like maybe some
> content?

That link is intended for browsers, and will pop-up an error message
using Javascript.

There are other URLs that are more suitable for automated processing,
for example:

https://github.com/apache/incubator-ponymail/blob/master/docs/API.md

It's not documented, but thread.html actually invokes thread.lua:

curl 'https://lists.apache.org/api/thread.lua?id=11@%3Csecurity.apache.org%3E'

which responds with JSON.

*However* note that private mails require the user to be logged in.
I've no idea how to do that from code.

> Craig
>
> Craig L Russell
> c...@apache.org
>
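
A sketch of the content check discussed in this thread, added as an example and not taken from the demo code or from Pony Mail: it rewrites a thread.html link to the api/thread.lua endpoint mentioned above and accepts the link only when the response body is non-empty JSON. The function names are hypothetical, and the response shape for a missing message is an assumption (empty body, non-JSON, or an empty object/array); private lists that need a login are not handled.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Map a browser-facing thread.html link to the JSON endpoint
# (api/thread.lua?id=...). Returns nil for any other kind of link.
def api_uri_for(votelink)
  uri = URI.parse(votelink)
  return nil unless uri.is_a?(URI::HTTP) && uri.host  # http or https only
  m = %r{\A/thread\.html/([^/?#]+)\z}.match(uri.path)
  return nil unless m
  api = uri.dup
  api.path = '/api/thread.lua'
  api.query = "id=#{m[1]}"   # id is kept exactly as percent-encoded in the link
  api.fragment = nil
  api
rescue URI::InvalidURIError
  nil
end

# Status alone is not enough: require a body that parses as JSON and is
# not empty. Assumption: a resolvable link yields a non-empty object or array.
def thread_content?(status, body)
  return false unless status.to_i < 400
  return false if body.nil? || body.strip.empty?
  data = JSON.parse(body)
  (data.is_a?(Hash) || data.is_a?(Array)) && !data.empty?
rescue JSON::ParserError
  false                      # HTML or other non-JSON page
end

# Network step (not exercised offline). Net::HTTP.get_response keeps the
# default certificate verification for https URIs.
def votelink_resolves?(votelink)
  api = api_uri_for(votelink)
  return false unless api
  res = Net::HTTP.get_response(api)
  thread_content?(res.code, res.body)
end
```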