From cadd0de15c8d278c9e3285a85b70ac9138476a85 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 11 Nov 2020 09:42:48 +0000
Subject: [PATCH] Don't allow local network access
---
content.py | 4 ++++
tests.py | 20 ++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/content.py b/content.py
index 95181a865..532668ffe 100644
--- a/content.py
+++ b/content.py
@@ -159,6 +159,7 @@ def dangerousMarkup(content: str) -> bool:
if '>' not in content:
return False
contentSections = content.split('<')
+ invalidPartials = ('127.0.', '192.168', '10.0.')
invalidStrings = ('script', 'canvas', 'style', 'abbr',
'frame', 'iframe', 'html', 'body',
'hr')
@@ -166,6 +167,9 @@ def dangerousMarkup(content: str) -> bool:
if '>' not in markup:
continue
markup = markup.split('>')[0].strip()
+ for partialMatch in invalidPartials:
+ if partialMatch in markup:
+ return True
if ' ' not in markup:
for badStr in invalidStrings:
if badStr in markup:
diff --git a/tests.py b/tests.py
index f835378c0..0431387a0 100644
--- a/tests.py
+++ b/tests.py
@@ -1943,32 +1943,52 @@ def testDangerousMarkup():
print('testDangerousMarkup')
content = 'This is a valid message
'
assert(not dangerousMarkup(content))
+
content = 'This is a valid message without markup'
assert(not dangerousMarkup(content))
+
content = 'This is a valid-looking message. But wait... ' + \
'
'
assert(dangerousMarkup(content))
+
content = 'This is a valid-looking message. But wait... ' + \
'
'
assert(dangerousMarkup(content))
+
content = 'This message embeds an evil frame.' + \
'
'
assert(dangerousMarkup(content))
+
content = 'This message tries to obfuscate an evil frame.' + \
'< iframe src = "somesite"> iframe >
'
assert(dangerousMarkup(content))
+
content = 'This message is not necessarily evil, but annoying.' + \
'
'
assert(dangerousMarkup(content))
+
content = 'This message contans a ' + \
'valid link.
'
assert(not dangerousMarkup(content))
+
content = 'This message contans a ' + \
'' + \
'valid link having invalid but harmless name.
'
assert(not dangerousMarkup(content))
+ content = 'This message which ' + \
+ 'tries to access the local network
'
+ assert(dangerousMarkup(content))
+
+ content = 'This message which ' + \
+ 'tries to access the local network
'
+ assert(dangerousMarkup(content))
+
+ content = '127.0.0.1 This message which does not access ' + \
+ 'the local network
'
+ assert(not dangerousMarkup(content))
+
def runHtmlReplaceQuoteMarks():
print('htmlReplaceQuoteMarks')