Exception is raised when html body contains url with 'src' link #25

Closed
iinfo-dev-mk opened this issue Apr 5, 2016 · 6 comments

@iinfo-dev-mk iinfo-dev-mk commented Apr 5, 2016

Creating an email message with an HTML body that contains a query string with the "src" name in some URL throws FileNotFoundException.

$message = new Nette\Mail\Message();
$message->setHtmlBody("<a href='test.php?src=SOME'>some link</a>");

throws FileNotFoundException with message "Unable to read file /SOME"

Because it completely crashes the sending of that particular email, it's a serious bug.

Maybe there are other use cases with the src string in HTML which can also hit this bug.

@Unlink Unlink commented Apr 5, 2016

The problem is in this regex: https://github.com/nette/mail/blob/master/src/Mail/Message.php#L227
It should be modified to something like this:

#\s+(src\s*=\s*|background\s*=\s*|url\()(["\']?)(?![a-z]+:|[/\\#])([^"\')\s]+)#i

Member

@dg dg commented Apr 5, 2016

Workaround: $message->setHtmlBody($html, FALSE)

Author

@iinfo-dev-mk iinfo-dev-mk commented Apr 6, 2016

@dg This workaround doesn't work for our case. The code example in the issue description is narrowed down to make the cause of the issue easier to trace.

Our case is emailing an HTML template with some assets (images, etc.) and user-defined parts. The problematic URL is in one of the user-defined parts and we cannot change it.

Be aware that it is also a security issue. Some sensitive attachments can be sent when a tricky HTML string is passed.

@iinfo-dev-mk iinfo-dev-mk changed the title from "Exception is raised when html body containts url with 'src' link" to "Exception is raised when html body contains url with 'src' link" Apr 6, 2016

Member

@dg dg commented Apr 6, 2016

Can you send a pull request?

Author

@iinfo-dev-mk iinfo-dev-mk commented Apr 6, 2016

What do you think, is a change of the regexp sufficient?

There can be, for example, an email with some HTML snippet which is an explanation of markup. The HTML email body can have something like: Hey, you have a bad path in your image URL, instead of <pre><img src="/images/main.png"></pre>, it must be <pre><img scr="/images/main2.png"></pre>

It also fails with an Exception, but maybe it's another issue.

I don't know git, but I can try to prepare a pull request if the regexp change is sufficient for you. For me it is.

Member

@dg dg commented Apr 10, 2016

Content inside <pre> must be encoded: <pre>&lt;img scr="/images/main2.png"&gt;</pre>.

@dg dg closed this in 0fe2ec6 Apr 10, 2016
dg added a commit that referenced this issue Apr 10, 2016
dg added a commit that referenced this issue Apr 13, 2016
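
The effect of the leading `\s+` proposed in the thread, as an added example (not code from nette/mail or from any participant): the proposed pattern is compared with a copy lacking `\s+`, constructed here for contrast, and the hypothetical helper `resolveInside()` shows a base-directory containment check for HTML with user-defined parts. The sandbox directory, file names, and the second and third HTML samples are constructed.

```php
<?php
declare(strict_types=1);

// Pattern proposed in the thread, pasted verbatim into a single-quoted string.
const PROPOSED = '#\s+(src\s*=\s*|background\s*=\s*|url\()(["\']?)(?![a-z]+:|[/\\#])([^"\')\s]+)#i';
// Comparison pattern (constructed here): the same expression without the leading \s+.
const UNANCHORED = '#(src\s*=\s*|background\s*=\s*|url\()(["\']?)(?![a-z]+:|[/\\#])([^"\')\s]+)#i';

/** Relative paths that $pattern would treat as files to embed. */
function embedCandidates(string $pattern, string $html): array
{
    preg_match_all($pattern, $html, $m);
    return $m[3];
}

/** Real path of $relative under $baseDir, or null if it is missing or outside $baseDir. */
function resolveInside(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox and inputs; the first sample is the HTML from the issue.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mail-embed-demo-' . getmypid();
mkdir("$root/assets/images", 0700, true);
file_put_contents("$root/assets/images/logo.png", 'x');
file_put_contents("$root/outside.txt", 'x');
$samples = [
    "<a href='test.php?src=SOME'>some link</a>",
    '<img src="images/logo.png">',
    '<img src="../outside.txt">',
];

foreach ($samples as $html) {
    foreach (['unanchored' => UNANCHORED, 'proposed' => PROPOSED] as $name => $pattern) {
        $paths = embedCandidates($pattern, $html) ?: ['(no match)'];
        foreach ($paths as $path) {
            $action = $path === '(no match)' ? '-'
                : (resolveInside("$root/assets", $path) === null ? 'skip' : 'embed');
            printf("%-45s %-11s %-18s %s\n", $html, $name, $path, $action);
        }
    }
}
```

The third sample is a candidate under both patterns, so the regex change by itself does not decide which files may be attached; in this sketch that decision is made by the containment check.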