diff --git a/daemon.py b/daemon.py index 10e368d97..0003d6fc7 100644 --- a/daemon.py +++ b/daemon.py @@ -995,7 +995,8 @@ class PubServer(BaseHTTPRequestHandler): self.server.proxyType, version, self.server.debug, self.server.YTReplacementDomain, - self.server.showPublishedDateOnly) + self.server.showPublishedDateOnly, + self.server.allowLocalNetworkAccess) def _postToOutboxThread(self, messageJson: {}) -> bool: """Creates a thread to send a post diff --git a/outbox.py b/outbox.py index 93d5c5cb9..141745bb1 100644 --- a/outbox.py +++ b/outbox.py @@ -35,6 +35,7 @@ from bookmarks import outboxUndoBookmark from delete import outboxDelete from shares import outboxShareUpload from shares import outboxUndoShareUpload +from content import dangerousMarkup def postMessageToOutbox(messageJson: {}, postToNickname: str, @@ -47,7 +48,8 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str, personCache: {}, allowDeletion: bool, proxyType: str, version: str, debug: bool, YTReplacementDomain: str, - showPublishedDateOnly: bool) -> bool: + showPublishedDateOnly: bool, + allowLocalNetworkAccess: bool) -> bool: """post is received by the outbox Client to server message post https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery @@ -66,6 +68,18 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str, postToNickname, domain, port, messageJson) + + # check that the outgoing post doesn't contain any markup + # which can be used to implement exploits + if messageJson.get('object'): + if isinstance(messageJson['object'], dict): + if messageJson['object'].get('content'): + if dangerousMarkup(messageJson['object']['content'], + allowLocalNetworkAccess): + print('POST to outbox contains dangerous markup: ' + + str(messageJson)) + return False + if messageJson['type'] == 'Create': if not (messageJson.get('id') and messageJson.get('type') and