From cadd0de15c8d278c9e3285a85b70ac9138476a85 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 11 Nov 2020 09:42:48 +0000
Subject: [PATCH] Don't allow local network access
---
content.py | 4 ++++
tests.py | 20 ++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/content.py b/content.py
index 95181a865..532668ffe 100644
--- a/content.py
+++ b/content.py
@@ -159,6 +159,7 @@ def dangerousMarkup(content: str) -> bool:
if '>' not in content:
return False
contentSections = content.split('<')
+ invalidPartials = ('127.0.', '192.168', '10.0.')
invalidStrings = ('script', 'canvas', 'style', 'abbr',
'frame', 'iframe', 'html', 'body', 'hr')
@@ -166,6 +167,9 @@ def dangerousMarkup(content: str) -> bool:
if '>' not in markup:
continue
markup = markup.split('>')[0].strip()
+ for partialMatch in invalidPartials:
+ if partialMatch in markup:
+ return True
if ' ' not in markup:
for badStr in invalidStrings:
if badStr in markup:
diff --git a/tests.py b/tests.py
index f835378c0..0431387a0 100644
--- a/tests.py
+++ b/tests.py
@@ -1943,32 +1943,52 @@ def testDangerousMarkup():
print('testDangerousMarkup')
content = '
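Review bot: The substring blocklist introduced in the first content.py hunk (`invalidPartials`) and applied in the second is an incomplete test for local-network URLs: `'10.0.'` only matches 10.0.x.x rather than all of 10.0.0.0/8, the 172.16.0.0/12 and 169.254.0.0/16 ranges, 0.0.0.0, IPv6 loopback (`[::1]`) and the name `localhost` are not matched at all, and `partialMatch in markup` also fires on any attribute text that merely contains those digits. A more robust check extracts the URL from the tag's `href`/`src`, takes `urlparse(url).hostname` and classifies it with the stdlib `ipaddress` module (`is_loopback`, `is_private`, `is_link_local`), as sketched below; a hostname that only resolves to a private address can still only be rejected at fetch time, which a content filter cannot do on its own. The sketch needs `ipaddress`, `re` and `urllib.parse.urlparse`, all standard library. `dangerousMarkup` begins before the first hunk and continues after the second, so the loop shown is only the part visible here.
```python
def _refersToLocalNetwork(markup: str) -> bool:
    """True if an href/src in this tag names a loopback, private or link-local host."""
    for url in re.findall(r"""(?:href|src)\s*=\s*["']([^"']*)""", markup):
        host = urlparse(url).hostname
        if not host:
            continue
        if host == 'localhost':
            return True
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # not a literal address; can only be classified when resolved at fetch time
            continue
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            return True
    return False

# … unchanged: dangerousMarkup up to the per-section loop …
        markup = markup.split('>')[0].strip()
        if _refersToLocalNetwork(markup):
            return True
# … unchanged: invalidStrings check …
```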

This is a valid message

' assert(not dangerousMarkup(content)) + content = 'This is a valid message without markup' assert(not dangerousMarkup(content)) + content = '

This is a valid-looking message. But wait... ' + \ '

' assert(dangerousMarkup(content)) + content = '

This is a valid-looking message. But wait... ' + \ '