Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: link checking missing scheme #10073

Merged
merged 1 commit into from
Sep 2, 2024
Merged

fix: link checking missing scheme #10073

merged 1 commit into from
Sep 2, 2024

Conversation

hamza221
Copy link
Contributor

No description provided.

@hamza221 hamza221 self-assigned this Aug 30, 2024
@hamza221 hamza221 force-pushed the fix/link-checking branch 2 times, most recently from 9315d99 to f5b2dc7 Compare August 30, 2024 11:44
ChristophWurst
ChristophWurst reviewed Aug 30, 2024
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This smells like a case that can be unit-tested 😈

lib/Service/PhishingDetection/LinkCheck.php Outdated Show resolved Hide resolved
lib/Service/PhishingDetection/LinkCheck.php Outdated Show resolved Hide resolved
@SebastianKrupinski
Copy link
Contributor

Does the code check for dangerous URL schemes like "file://" or "ftp://"?

@hamza221
Copy link
Contributor Author

Does the code check for dangerous URL schemes like "file://" or "ftp://"?

How are these schemes dangerous for phishing? sorry my knowledge is limited about the cases.
Let's discuss either in a private message and I'll open an issue for it, or you can also open one and assign me.

@kesselb
Copy link
Contributor

kesselb commented Aug 30, 2024
edited
Loading

This pull request is about fixing a problem we discussed in the public chat.
As shown below the warning is triggered even if the urls are using the same host.

image

The reason is that parse_url does not work if the given string does not contain something that looks like a protocol:
https://3v4l.org/cap3C (it would also work to use "dummy://" instead of "http://").

An additional check, does the mail contain links with unusual protocols, sounds like a good enhancement to me.
I'd say that should go into a new issue.

@hamza221 hamza221 marked this pull request as draft August 30, 2024 16:35
@hamza221 hamza221 mentioned this pull request Aug 30, 2024
Merged
@hamza221 hamza221 marked this pull request as ready for review August 30, 2024 16:38
@SebastianKrupinski
Copy link
Contributor

Does the code check for dangerous URL schemes like "file://" or "ftp://"?

How are these schemes dangerous for phishing? sorry my knowledge is limited about the cases. Let's discuss either in a private message and I'll open an issue for it, or you can also open one and assign me.

I don't know if they are dangerous for phishing specifically but they are dangerous in general. For instance "ftp://domain/folder/file.doc" will trigger the download and opening of a external file. "file://folder/file.exe" will trigger the opening of a local executable. This in not a blocker for me, just thought the warning could be included also.

@kesselb kesselb merged commit 2490ae8 into main Sep 2, 2024
29 of 30 checks passed
@kesselb kesselb deleted the fix/link-checking branch September 2, 2024 12:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kesselb kesselb kesselb approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst ChristophWurst is a code owner

@SebastianKrupinski SebastianKrupinski Awaiting requested review from SebastianKrupinski

Assignees

@hamza221 hamza221

Labels
3. to review bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hamza221 @SebastianKrupinski @kesselb @ChristophWurst