From 59438d115d1cf52d12258b5d94bae5219daaae41 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Sat, 12 Apr 2014 01:06:58 +0000
Subject: [PATCH] cgi: ensure we unescape MIDs correctly in URLs

MIDs may have strange characters in them, so we need to handle escaping/unescaping properly to avoid broken links or worse.
---
 public-inbox.cgi | 3 ++-
 t/cgi.t | 39 ++++++++++++++++++++++++++++++++++++---
 2 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/public-inbox.cgi b/public-inbox.cgi
index 313a4f22..1765cf45 100755
--- a/public-inbox.cgi
+++ b/public-inbox.cgi
@@ -15,6 +15,7 @@ use warnings;
 use CGI qw(:cgi :escapeHTML -nosticky); # PSGI/FastCGI/mod_perl compat
 use Encode qw(decode_utf8);
 use PublicInbox::Config;
+use URI::Escape qw(uri_unescape);
 use Digest::SHA qw(sha1_hex);
 our $LISTNAME_RE = qr!\A(?:/.*?)?/([\w\.\-]+)!;
 our $pi_config;
@@ -102,7 +103,7 @@ sub invalid_list {
 sub invalid_list_mid {
 my ($ctx, $listname, $mid) = @_;
 my $ret = invalid_list($ctx, $listname, $mid) and return $ret;
- $ctx->{mid} = $mid;
+ $ctx->{mid} = uri_unescape($mid);
 undef;
 }
diff --git a/t/cgi.t b/t/cgi.t
index 39242bce..3ae87981 100644
--- a/t/cgi.t
+++ b/t/cgi.t
@@ -39,9 +39,9 @@ my $cfgpfx = "publicinbox.test";
 }
 }
+my $failbox = "$home/fail.mbox";
+local $ENV{PI_FAILBOX} = $failbox;
 {
- my $failbox = "$home/fail.mbox";
- local $ENV{PI_FAILBOX} = $failbox;
 local $ENV{HOME} = $home;
 local $ENV{RECIPIENT} = $addr;
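Review bot: In `invalid_list_mid` the call `invalid_list($ctx, $listname, $mid)` still receives the percent-encoded `$mid`, while the decoded value goes into `$ctx->{mid}` without any check of its own. After `uri_unescape` the Message-ID can contain `/`, `%`, quotes, angle brackets or control bytes, so every later consumer of `$ctx->{mid}` (lookup key, HTML output, generated links; all outside this hunk) has to treat it as raw untrusted data and escape it again for its own context. I would decode once at the top with `$mid = uri_unescape($mid);` so that any validation sees the same string that is stored, and add `# decoded exactly once here; $ctx->{mid} is untrusted and must be re-escaped for URL/HTML/path use`. It is also worth confirming that the path handed to this sub has not already been percent-decoded by the web server or CGI layer, because a second decode would turn a literal `%2F` inside a Message-ID into `/`.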
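Review bot: `local $ENV{PI_FAILBOX} = $failbox;` now sits at file scope in t/cgi.t, where `local` lasts until the script exits and so behaves like a plain assignment for every later child process. If the move is there so that the MDA run in the later message-id block also has a failbox, say so with a comment such as `# file scope: PI_FAILBOX must also be set for the MDA run in the message-id tests below`. Nothing in the visible hunks checks that `$failbox` is still absent after that second delivery, so a delivery that silently lands in the failbox would only show up as a confusing `like()` failure.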
@@ -126,9 +126,35 @@ EOF
 # more checks in t/feed.t
 }
+# message-id pages
 {
 local $ENV{HOME} = $home;
- my $res = cgi_run("/test/m/blahblah\@example.com.txt");
+ my $slashy_mid = 'slashy/asdf@example.com';
+ my $reply = Email::Simple->new(<
+To: Me
+Cc: $addr
+In-Reply-To:
+Message-Id: <$slashy_mid>
+Subject: Re: hihi
+Date: Thu, 01 Jan 1970 00:00:01 +0000
+
+slashy
+EOF
+ my $in = $reply->as_string;
+
+ {
+ local $ENV{HOME} = $home;
+ local $ENV{RECIPIENT} = $addr;
+ run_with_env({PATH => $main_path}, [$mda], \$in);
+ }
+ local $ENV{GIT_DIR} = $maindir;
+
+ my $res = cgi_run("/test/m/slashy%2fasdf%40example.com.txt");
+ like($res->{body}, qr/Message-Id: <\Q$slashy_mid\E>/,
+ "slashy mid.txt hit");
+
+ $res = cgi_run("/test/m/blahblah\@example.com.txt");
 like($res->{body}, qr/Message-Id: /, "mid.txt hit");
@@ -151,6 +177,13 @@ EOF
 like($res->{head}, qr/Status: 404 Not Found/, "mid.html miss");
 }
+{
+ local $ENV{HOME} = $home;
+ my $res = cgi_run("/test/");
+ like($res->{body}, qr/slashy%2Fasdf%40example\.com/,
+ "slashy URL generated correctly");
+}
+
 done_testing();
 sub run_with_env {
-- 
2.44.0
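Review bot: The new message-id test pins only the happy path, where `%2f` and `%40` decode to a stored Message-ID; nothing pins that the decode happens exactly once. A request such as `cgi_run("/test/m/slashy%252fasdf%40example.com.txt")` should be a miss, and a negative assertion in the style of the existing `"mid.html miss"` check would catch a double decode introduced later by a server or framework layer. The inner `local $ENV{HOME} = $home;` in the nested block repeats the one at the top of the same enclosing block and can be dropped. The enclosing block continues past the end of this hunk.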