indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Prevent sending content with dangerous markup via the outbox

merge-requests/8/head
Bob Mottram 2020-12-11 10:46:47 +00:00
parent 5335a3513c
commit 92c555d732
2 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
daemon.py
View File

@ -995,7 +995,8 @@ class PubServer(BaseHTTPRequestHandler):
self.server.proxyType, version, self.server.proxyType, version,
self.server.debug, self.server.debug,
self.server.YTReplacementDomain, self.server.YTReplacementDomain,
self.server.showPublishedDateOnly) self.server.showPublishedDateOnly,
self.server.allowLocalNetworkAccess)
def _postToOutboxThread(self, messageJson: {}) -> bool: def _postToOutboxThread(self, messageJson: {}) -> bool:
"""Creates a thread to send a post """Creates a thread to send a post

16
outbox.py
View File

@ -35,6 +35,7 @@ from bookmarks import outboxUndoBookmark
from delete import outboxDelete from delete import outboxDelete
from shares import outboxShareUpload from shares import outboxShareUpload
from shares import outboxUndoShareUpload from shares import outboxUndoShareUpload
from content import dangerousMarkup
def postMessageToOutbox(messageJson: {}, postToNickname: str, def postMessageToOutbox(messageJson: {}, postToNickname: str,
@ -47,7 +48,8 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
personCache: {}, allowDeletion: bool, personCache: {}, allowDeletion: bool,
proxyType: str, version: str, debug: bool, proxyType: str, version: str, debug: bool,
YTReplacementDomain: str, YTReplacementDomain: str,
showPublishedDateOnly: bool) -> bool: showPublishedDateOnly: bool,
allowLocalNetworkAccess: bool) -> bool:
"""post is received by the outbox """post is received by the outbox
Client to server message post Client to server message post
https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery
@ -66,6 +68,18 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
postToNickname, postToNickname,
domain, port, domain, port,
messageJson) messageJson)
# check that the outgoing post doesn't contain any markup
# which can be used to implement exploits
if messageJson.get('object'):
if isinstance(messageJson['object'], dict):
if messageJson['object'].get('content'):
if dangerousMarkup(messageJson['object']['content'],
allowLocalNetworkAccess):
print('POST to outbox contains dangerous markup: ' +
str(messageJson))
return False
if messageJson['type'] == 'Create': if messageJson['type'] == 'Create':
if not (messageJson.get('id') and if not (messageJson.get('id') and
messageJson.get('type') and messageJson.get('type') and