Bug 8111 - DecodeShortURLs should support meta refresh
Summary: DecodeShortURLs should support meta refresh
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins (show other bugs)
Version: 4.0.0
Hardware: PC Linux
: P2 enhancement
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-22 02:37 UTC by Christer Mjellem Strand
Modified: 2023-01-22 02:37 UTC (History)
0 users


Attachment Type Modified Status Actions Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christer Mjellem Strand 2023-01-22 02:37:39 UTC 
Some shorteners seem to not use HTTP headers for redirection at all (at least under certain circumstances, see bug #8110), but rather meta refresh in body. While this would obviously be trickier to support in DecodeShortURLs, it would be sweet if it was possible.

Example seen in spam (when using default spoofed browser UA, again see bug #8110), originally leading to a phishing page:

https://t.co/QXabAdmraO

Honorable mention also goes to JS methods like window.location, location.reload, and any others I haven't thought of. Would probably be possible to regex all of these, rather than involve complex parsing libs, though the latter is of course also possible.