mirror of https://gitlab.com/bashrc2/epicyon
Option to allow access to the local network
This might be useful for mesh networks or private networksmain
parent
b889c8dfdd
commit
5364b71616
|
@ -151,7 +151,7 @@ def htmlReplaceQuoteMarks(content: str) -> str:
|
|||
return newContent
|
||||
|
||||
|
||||
def dangerousMarkup(content: str) -> bool:
|
||||
def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
|
||||
"""Returns true if the given content contains dangerous html markup
|
||||
"""
|
||||
if '<' not in content:
|
||||
|
@ -159,6 +159,8 @@ def dangerousMarkup(content: str) -> bool:
|
|||
if '>' not in content:
|
||||
return False
|
||||
contentSections = content.split('<')
|
||||
invalidPartials = ()
|
||||
if not allowLocalNetworkAccess:
|
||||
invalidPartials = ('127.0.', '192.168', '10.0.')
|
||||
invalidStrings = ('script', 'canvas', 'style', 'abbr',
|
||||
'frame', 'iframe', 'html', 'body',
|
||||
|
@ -181,7 +183,7 @@ def dangerousMarkup(content: str) -> bool:
|
|||
return False
|
||||
|
||||
|
||||
def dangerousCSS(filename: str) -> bool:
|
||||
def dangerousCSS(filename: str, allowLocalNetworkAccess: bool) -> bool:
|
||||
"""Returns true is the css file contains code which
|
||||
can create security problems
|
||||
"""
|
||||
|
@ -199,7 +201,7 @@ def dangerousCSS(filename: str) -> bool:
|
|||
|
||||
# an attacker can include html inside of the css
|
||||
# file as a comment and this may then be run from the html
|
||||
if dangerousMarkup(content):
|
||||
if dangerousMarkup(content, allowLocalNetworkAccess):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
|
26
daemon.py
26
daemon.py
|
@ -2917,7 +2917,10 @@ class PubServer(BaseHTTPRequestHandler):
|
|||
if nickname == adminNickname:
|
||||
if fields.get('editedAbout'):
|
||||
aboutStr = fields['editedAbout']
|
||||
if not dangerousMarkup(aboutStr):
|
||||
allowLocalNetworkAccess = \
|
||||
self.server.allowLocalNetworkAccess
|
||||
if not dangerousMarkup(aboutStr,
|
||||
allowLocalNetworkAccess):
|
||||
aboutFile = open(aboutFilename, "w+")
|
||||
if aboutFile:
|
||||
aboutFile.write(aboutStr)
|
||||
|
@ -2928,7 +2931,10 @@ class PubServer(BaseHTTPRequestHandler):
|
|||
|
||||
if fields.get('editedTOS'):
|
||||
TOSStr = fields['editedTOS']
|
||||
if not dangerousMarkup(TOSStr):
|
||||
allowLocalNetworkAccess = \
|
||||
self.server.allowLocalNetworkAccess
|
||||
if not dangerousMarkup(TOSStr,
|
||||
allowLocalNetworkAccess):
|
||||
TOSFile = open(TOSFilename, "w+")
|
||||
if TOSFile:
|
||||
TOSFile.write(TOSStr)
|
||||
|
@ -3655,7 +3661,8 @@ class PubServer(BaseHTTPRequestHandler):
|
|||
if fields.get('themeDropdown'):
|
||||
setTheme(baseDir,
|
||||
fields['themeDropdown'],
|
||||
domain)
|
||||
domain.
|
||||
self.server.allowLocalNetworkAccess)
|
||||
self.server.showPublishAsIcon = \
|
||||
getConfigParam(self.server.baseDir,
|
||||
'showPublishAsIcon')
|
||||
|
@ -4014,7 +4021,8 @@ class PubServer(BaseHTTPRequestHandler):
|
|||
'.etag')
|
||||
currTheme = getTheme(baseDir)
|
||||
if currTheme:
|
||||
setTheme(baseDir, currTheme, domain)
|
||||
setTheme(baseDir, currTheme, domain,
|
||||
self.server.allowLocalNetworkAccess)
|
||||
self.server.showPublishAsIcon = \
|
||||
getConfigParam(self.server.baseDir,
|
||||
'showPublishAsIcon')
|
||||
|
@ -12374,7 +12382,8 @@ def loadTokens(baseDir: str, tokensDict: {}, tokensLookup: {}) -> None:
|
|||
tokensLookup[token] = nickname
|
||||
|
||||
|
||||
def runDaemon(maxFeedItemSizeKb: int,
|
||||
def runDaemon(allowLocalNetworkAccess: bool,
|
||||
maxFeedItemSizeKb: int,
|
||||
publishButtonAtTop: bool,
|
||||
rssIconAtTop: bool,
|
||||
iconsAsButtons: bool,
|
||||
|
@ -12439,6 +12448,10 @@ def runDaemon(maxFeedItemSizeKb: int,
|
|||
return False
|
||||
|
||||
httpd.unitTest = unitTest
|
||||
httpd.allowLocalNetworkAccess = allowLocalNetworkAccess
|
||||
if unitTest:
|
||||
# unit tests are run on the local network with LAN addresses
|
||||
httpd.allowLocalNetworkAccess = True
|
||||
httpd.YTReplacementDomain = YTReplacementDomain
|
||||
|
||||
# newswire storing rss feeds
|
||||
|
@ -12702,7 +12715,8 @@ def runDaemon(maxFeedItemSizeKb: int,
|
|||
httpd.YTReplacementDomain,
|
||||
httpd.showPublishedDateOnly,
|
||||
httpd.allowNewsFollowers,
|
||||
httpd.maxFollowers), daemon=True)
|
||||
httpd.maxFollowers,
|
||||
httpd.allowLocalNetworkAccess), daemon=True)
|
||||
|
||||
print('Creating scheduled post thread')
|
||||
httpd.thrPostSchedule = \
|
||||
|
|
12
epicyon.py
12
epicyon.py
|
@ -249,6 +249,13 @@ parser.add_argument("--publishButtonAtTop",
|
|||
const=True, default=False,
|
||||
help="Whether to show the publish button at the top of " +
|
||||
"the newswire column")
|
||||
parser.add_argument("--allowLocalNetworkAccess",
|
||||
dest='allowLocalNetworkAccess',
|
||||
type=str2bool, nargs='?',
|
||||
const=True, default=False,
|
||||
help="Whether to allow access to local network " +
|
||||
"addresses. This might be useful when deploying in " +
|
||||
"a mesh network")
|
||||
parser.add_argument("--noapproval", type=str2bool, nargs='?',
|
||||
const=True, default=False,
|
||||
help="Allow followers without approval")
|
||||
|
@ -2059,11 +2066,12 @@ if YTDomain:
|
|||
if '.' in YTDomain:
|
||||
args.YTReplacementDomain = YTDomain
|
||||
|
||||
if setTheme(baseDir, themeName, domain):
|
||||
if setTheme(baseDir, themeName, domain, args.allowLocalNetworkAccess):
|
||||
print('Theme set to ' + themeName)
|
||||
|
||||
if __name__ == "__main__":
|
||||
runDaemon(args.maxFeedItemSizeKb,
|
||||
runDaemon(args.allowLocalNetworkAccess,
|
||||
args.maxFeedItemSizeKb,
|
||||
args.publishButtonAtTop,
|
||||
args.rssIconAtTop,
|
||||
args.iconsAsButtons,
|
||||
|
|
17
inbox.py
17
inbox.py
|
@ -1565,7 +1565,8 @@ def estimateNumberOfEmoji(content: str) -> int:
|
|||
|
||||
|
||||
def validPostContent(baseDir: str, nickname: str, domain: str,
|
||||
messageJson: {}, maxMentions: int, maxEmoji: int) -> bool:
|
||||
messageJson: {}, maxMentions: int, maxEmoji: int,
|
||||
allowLocalNetworkAccess: bool) -> bool:
|
||||
"""Is the content of a received post valid?
|
||||
Check for bad html
|
||||
Check for hellthreads
|
||||
|
@ -1600,7 +1601,8 @@ def validPostContent(baseDir: str, nickname: str, domain: str,
|
|||
messageJson['object']['content']):
|
||||
return True
|
||||
|
||||
if dangerousMarkup(messageJson['object']['content']):
|
||||
if dangerousMarkup(messageJson['object']['content'],
|
||||
allowLocalNetworkAccess):
|
||||
if messageJson['object'].get('id'):
|
||||
print('REJECT ARBITRARY HTML: ' + messageJson['object']['id'])
|
||||
print('REJECT ARBITRARY HTML: bad string in post - ' +
|
||||
|
@ -2030,7 +2032,8 @@ def inboxAfterInitial(recentPostsCache: {}, maxRecentPosts: int,
|
|||
maxReplies: int, allowDeletion: bool,
|
||||
maxMentions: int, maxEmoji: int, translate: {},
|
||||
unitTest: bool, YTReplacementDomain: str,
|
||||
showPublishedDateOnly: bool) -> bool:
|
||||
showPublishedDateOnly: bool,
|
||||
allowLocalNetworkAccess: bool) -> bool:
|
||||
""" Anything which needs to be done after initial checks have passed
|
||||
"""
|
||||
actor = keyId
|
||||
|
@ -2155,7 +2158,8 @@ def inboxAfterInitial(recentPostsCache: {}, maxRecentPosts: int,
|
|||
|
||||
nickname = handle.split('@')[0]
|
||||
if validPostContent(baseDir, nickname, domain,
|
||||
postJsonObject, maxMentions, maxEmoji):
|
||||
postJsonObject, maxMentions, maxEmoji,
|
||||
allowLocalNetworkAccess):
|
||||
|
||||
if postJsonObject.get('object'):
|
||||
jsonObj = postJsonObject['object']
|
||||
|
@ -2438,7 +2442,7 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
|
|||
YTReplacementDomain: str,
|
||||
showPublishedDateOnly: bool,
|
||||
allowNewsFollowers: bool,
|
||||
maxFollowers: int) -> None:
|
||||
maxFollowers: int, allowLocalNetworkAccess: bool) -> None:
|
||||
"""Processes received items and moves them to the appropriate
|
||||
directories
|
||||
"""
|
||||
|
@ -2853,7 +2857,8 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
|
|||
maxMentions, maxEmoji,
|
||||
translate, unitTest,
|
||||
YTReplacementDomain,
|
||||
showPublishedDateOnly)
|
||||
showPublishedDateOnly,
|
||||
allowLocalNetworkAccess)
|
||||
if debug:
|
||||
pprint(queueJson['post'])
|
||||
|
||||
|
|
|
@ -469,7 +469,8 @@ def convertRSStoActivityPub(baseDir: str, httpPrefix: str,
|
|||
personCache: {},
|
||||
federationList: [],
|
||||
sendThreads: [], postLog: [],
|
||||
maxMirroredArticles: int) -> None:
|
||||
maxMirroredArticles: int,
|
||||
allowLocalNetworkAccess: bool) -> None:
|
||||
"""Converts rss items in a newswire into posts
|
||||
"""
|
||||
if not newswire:
|
||||
|
@ -512,7 +513,8 @@ def convertRSStoActivityPub(baseDir: str, httpPrefix: str,
|
|||
|
||||
rssTitle = removeControlCharacters(item[0])
|
||||
url = item[1]
|
||||
if dangerousMarkup(url) or dangerousMarkup(rssTitle):
|
||||
if dangerousMarkup(url, allowLocalNetworkAccess) or \
|
||||
dangerousMarkup(rssTitle, allowLocalNetworkAccess):
|
||||
continue
|
||||
rssDescription = ''
|
||||
|
||||
|
@ -537,7 +539,8 @@ def convertRSStoActivityPub(baseDir: str, httpPrefix: str,
|
|||
postUrl += '/index.html'
|
||||
|
||||
# add the off-site link to the description
|
||||
if rssDescription and not dangerousMarkup(rssDescription):
|
||||
if rssDescription and \
|
||||
not dangerousMarkup(rssDescription, allowLocalNetworkAccess):
|
||||
rssDescription += \
|
||||
'<br><a href="' + postUrl + '">' + \
|
||||
translate['Read more...'] + '</a>'
|
||||
|
@ -743,7 +746,8 @@ def runNewswireDaemon(baseDir: str, httpd,
|
|||
httpd.federationList,
|
||||
httpd.sendThreads,
|
||||
httpd.postLog,
|
||||
httpd.maxMirroredArticles)
|
||||
httpd.maxMirroredArticles,
|
||||
httpd.allowLocalNetworkAccess)
|
||||
print('Newswire feed converted to ActivityPub')
|
||||
|
||||
if httpd.maxNewsPosts > 0:
|
||||
|
|
39
tests.py
39
tests.py
|
@ -291,8 +291,10 @@ def createServerAlice(path: str, domain: str, port: int,
|
|||
maxEmoji = 10
|
||||
onionDomain = None
|
||||
i2pDomain = None
|
||||
allowLocalNetworkAccess = True
|
||||
print('Server running: Alice')
|
||||
runDaemon(2048, False, True, False, False, True, 10, False,
|
||||
runDaemon(allowLocalNetworkAccess,
|
||||
2048, False, True, False, False, True, 10, False,
|
||||
0, 100, 1024, 5, False,
|
||||
0, False, 1, False, False, False,
|
||||
5, True, True, 'en', __version__,
|
||||
|
@ -356,8 +358,10 @@ def createServerBob(path: str, domain: str, port: int,
|
|||
maxEmoji = 10
|
||||
onionDomain = None
|
||||
i2pDomain = None
|
||||
allowLocalNetworkAccess = True
|
||||
print('Server running: Bob')
|
||||
runDaemon(2048, False, True, False, False, True, 10, False,
|
||||
runDaemon(allowLocalNetworkAccess,
|
||||
2048, False, True, False, False, True, 10, False,
|
||||
0, 100, 1024, 5, False, 0,
|
||||
False, 1, False, False, False,
|
||||
5, True, True, 'en', __version__,
|
||||
|
@ -395,8 +399,10 @@ def createServerEve(path: str, domain: str, port: int, federationList: [],
|
|||
maxEmoji = 10
|
||||
onionDomain = None
|
||||
i2pDomain = None
|
||||
allowLocalNetworkAccess = True
|
||||
print('Server running: Eve')
|
||||
runDaemon(2048, False, True, False, False, True, 10, False,
|
||||
runDaemon(allowLocalNetworkAccess,
|
||||
2048, False, True, False, False, True, 10, False,
|
||||
0, 100, 1024, 5, False, 0,
|
||||
False, 1, False, False, False,
|
||||
5, True, True, 'en', __version__,
|
||||
|
@ -1941,58 +1947,59 @@ def testRemoveHtml():
|
|||
|
||||
def testDangerousMarkup():
|
||||
print('testDangerousMarkup')
|
||||
allowLocalNetworkAccess = False
|
||||
content = '<p>This is a valid message</p>'
|
||||
assert(not dangerousMarkup(content))
|
||||
assert(not dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = 'This is a valid message without markup'
|
||||
assert(not dangerousMarkup(content))
|
||||
assert(not dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This is a valid-looking message. But wait... ' + \
|
||||
'<script>document.getElementById("concentrated")' + \
|
||||
'.innerHTML = "evil";</script></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This html contains more than you expected... ' + \
|
||||
'<script language="javascript">document.getElementById("abc")' + \
|
||||
'.innerHTML = "def";</script></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This is a valid-looking message. But wait... ' + \
|
||||
'<script src="https://evilsite/payload.js" /></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This message embeds an evil frame.' + \
|
||||
'<iframe src="somesite"></iframe></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This message tries to obfuscate an evil frame.' + \
|
||||
'< iframe src = "somesite"></ iframe ></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This message is not necessarily evil, but annoying.' + \
|
||||
'<hr><br><br><br><br><br><br><br><hr><hr></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This message contans a ' + \
|
||||
'<a href="https://validsite/index.html">valid link.</a></p>'
|
||||
assert(not dangerousMarkup(content))
|
||||
assert(not dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This message contans a ' + \
|
||||
'<a href="https://validsite/iframe.html">' + \
|
||||
'valid link having invalid but harmless name.</a></p>'
|
||||
assert(not dangerousMarkup(content))
|
||||
assert(not dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This message which <a href="127.0.0.1:8736">' + \
|
||||
'tries to access the local network</a></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>This message which <a href="http://192.168.5.10:7235">' + \
|
||||
'tries to access the local network</a></p>'
|
||||
assert(dangerousMarkup(content))
|
||||
assert(dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
content = '<p>127.0.0.1 This message which does not access ' + \
|
||||
'the local network</a></p>'
|
||||
assert(not dangerousMarkup(content))
|
||||
assert(not dangerousMarkup(content, allowLocalNetworkAccess))
|
||||
|
||||
|
||||
def runHtmlReplaceQuoteMarks():
|
||||
|
|
30
theme.py
30
theme.py
|
@ -183,7 +183,8 @@ def setCSSparam(css: str, param: str, value: str) -> str:
|
|||
|
||||
|
||||
def setThemeFromDict(baseDir: str, name: str,
|
||||
themeParams: {}, bgParams: {}) -> None:
|
||||
themeParams: {}, bgParams: {},
|
||||
allowLocalNetworkAccess: bool) -> None:
|
||||
"""Uses a dictionary to set a theme
|
||||
"""
|
||||
if name:
|
||||
|
@ -198,7 +199,7 @@ def setThemeFromDict(baseDir: str, name: str,
|
|||
|
||||
# Ensure that any custom CSS is mostly harmless.
|
||||
# If not then just use the defaults
|
||||
if dangerousCSS(templateFilename) or \
|
||||
if dangerousCSS(templateFilename, allowLocalNetworkAccess) or \
|
||||
not os.path.isfile(templateFilename):
|
||||
# use default css
|
||||
templateFilename = baseDir + '/epicyon-' + filename
|
||||
|
@ -355,7 +356,8 @@ def setCustomFont(baseDir: str):
|
|||
|
||||
|
||||
def readVariablesFile(baseDir: str, themeName: str,
|
||||
variablesFile: str) -> None:
|
||||
variablesFile: str,
|
||||
allowLocalNetworkAccess: bool) -> None:
|
||||
"""Reads variables from a file in the theme directory
|
||||
"""
|
||||
themeParams = loadJson(variablesFile, 0)
|
||||
|
@ -367,10 +369,11 @@ def readVariablesFile(baseDir: str, themeName: str,
|
|||
"options": "jpg",
|
||||
"search": "jpg"
|
||||
}
|
||||
setThemeFromDict(baseDir, themeName, themeParams, bgParams)
|
||||
setThemeFromDict(baseDir, themeName, themeParams, bgParams,
|
||||
allowLocalNetworkAccess)
|
||||
|
||||
|
||||
def setThemeDefault(baseDir: str):
|
||||
def setThemeDefault(baseDir: str, allowLocalNetworkAccess: bool):
|
||||
name = 'default'
|
||||
removeTheme(baseDir)
|
||||
setThemeInConfig(baseDir, name)
|
||||
|
@ -390,10 +393,11 @@ def setThemeDefault(baseDir: str):
|
|||
"banner-height-mobile": "10vh",
|
||||
"search-banner-height-mobile": "15vh"
|
||||
}
|
||||
setThemeFromDict(baseDir, name, themeParams, bgParams)
|
||||
setThemeFromDict(baseDir, name, themeParams, bgParams,
|
||||
allowLocalNetworkAccess)
|
||||
|
||||
|
||||
def setThemeHighVis(baseDir: str):
|
||||
def setThemeHighVis(baseDir: str, allowLocalNetworkAccess: bool):
|
||||
name = 'highvis'
|
||||
themeParams = {
|
||||
"newswire-publish-icon": True,
|
||||
|
@ -422,7 +426,8 @@ def setThemeHighVis(baseDir: str):
|
|||
"options": "jpg",
|
||||
"search": "jpg"
|
||||
}
|
||||
setThemeFromDict(baseDir, name, themeParams, bgParams)
|
||||
setThemeFromDict(baseDir, name, themeParams, bgParams,
|
||||
allowLocalNetworkAccess)
|
||||
|
||||
|
||||
def setThemeFonts(baseDir: str, themeName: str) -> None:
|
||||
|
@ -578,7 +583,8 @@ def setNewsAvatar(baseDir: str, name: str,
|
|||
nickname + '@' + domain + '/avatar.png')
|
||||
|
||||
|
||||
def setTheme(baseDir: str, name: str, domain: str) -> bool:
|
||||
def setTheme(baseDir: str, name: str, domain: str,
|
||||
allowLocalNetworkAccess: bool) -> bool:
|
||||
result = False
|
||||
|
||||
prevThemeName = getTheme(baseDir)
|
||||
|
@ -589,7 +595,8 @@ def setTheme(baseDir: str, name: str, domain: str) -> bool:
|
|||
themeNameLower = themeName.lower()
|
||||
if name == themeNameLower:
|
||||
try:
|
||||
globals()['setTheme' + themeName](baseDir)
|
||||
globals()['setTheme' + themeName](baseDir,
|
||||
allowLocalNetworkAccess)
|
||||
except BaseException:
|
||||
pass
|
||||
|
||||
|
@ -608,7 +615,8 @@ def setTheme(baseDir: str, name: str, domain: str) -> bool:
|
|||
|
||||
variablesFile = baseDir + '/theme/' + name + '/theme.json'
|
||||
if os.path.isfile(variablesFile):
|
||||
readVariablesFile(baseDir, name, variablesFile)
|
||||
readVariablesFile(baseDir, name, variablesFile,
|
||||
allowLocalNetworkAccess)
|
||||
|
||||
setCustomFont(baseDir)
|
||||
|
||||
|
|
Loading…
Reference in New Issue