From a7972ffba0aa283b1b84cb10d1cd4f4eea96487c Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 15 Nov 2020 10:33:11 +0000
Subject: [PATCH] Check for dangerous css
---
 theme.py | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/theme.py b/theme.py
index d04b0f571..b62ed54bc 100644
--- a/theme.py
+++ b/theme.py
@@ -12,6 +12,23 @@ from utils import saveJson
 from shutil import copyfile
+def dangerousCSS(filename: str) -> bool:
+    """Returns true is the css file contains code which
+    can create security problems
+    """
+    if not os.path.isfile(filename):
+        return False
+
+    with open(filename, 'r') as fp:
+        css = fp.read()
+
+    cssMatches = ('behavior')
+    for match in cssMatches:
+        if match in css:
+            return True
+    return False
+
+
 def getThemeFiles() -> []:
     return ('epicyon.css', 'login.css', 'follow.css', 'suspended.css', 'calendar.css', 'blog.css',
@@ -186,7 +203,8 @@ def setThemeFromDict(baseDir: str, name: str,
             templateFilename = \
                 baseDir + '/theme/' + name + '/epicyon-profile.css'
-            if not os.path.isfile(templateFilename):
+            if dangerousCSS(templateFilename) or \
+               not os.path.isfile(templateFilename):
                 # use default css
                 templateFilename = baseDir + '/epicyon-' + filename
                 if filename == 'epicyon.css':
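Review bot: `cssMatches = ('behavior')` in the new dangerousCSS() is a parenthesised string, not a one-element tuple, so `for match in cssMatches` iterates the characters 'b', 'e', 'h', 'a', 'v', 'i', 'o', 'r' and the function returns True for almost any non-empty stylesheet, which will make the caller discard essentially every theme's epicyon-profile.css. Write it as `cssMatches = ('behavior',)` so the loop tests the whole property name. The substring test is also case-sensitive while CSS property names are not, so `BEHAVIOR:` would pass; testing `match in css.lower()` closes that, and since the input is an untrusted theme file the docstring should say this is a coarse denylist rather than a CSS parser (and fix "Returns true is" to "Returns true if"). Note that an unreadable or missing file is reported as not dangerous (`return False`); the `getThemeFiles` line at the end of the hunk belongs to a function that continues outside it.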
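Review bot: When `dangerousCSS(templateFilename)` trips, the new condition silently substitutes the default stylesheet, so an administrator cannot distinguish a theme rejected for unsafe CSS from a theme whose file was never installed; the rejection should be reported before falling back, and because the same branch also covers the missing-file case the message has to be conditional on the dangerousCSS result, which means capturing it in a local rather than calling the helper twice. The project's logging convention is not visible in this hunk, so the `print` below is a placeholder for whatever setThemeFromDict already uses. Evaluating `dangerousCSS` before `os.path.isfile` is safe because the helper returns False for a missing path, but reversing the operands would run the cheap check first and read more naturally. setThemeFromDict begins and continues outside this hunk, so I can't tell whether the other files from getThemeFiles receive the same check; if they are copied elsewhere in the function they currently bypass it.
```python
            templateFilename = \
                baseDir + '/theme/' + name + '/epicyon-profile.css'
            cssIsDangerous = dangerousCSS(templateFilename)
            if cssIsDangerous:
                print('WARN: ' + templateFilename +
                      ' contains dangerous css, using default')
            if cssIsDangerous or \
               not os.path.isfile(templateFilename):
                # … unchanged: fall back to the default css …
```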