Prevent sending content with dangerous markup via the outbox

main
Bob Mottram 2020-12-11 10:46:47 +00:00
parent 5335a3513c
commit 92c555d732
2 changed files with 17 additions and 2 deletions

View File

@ -995,7 +995,8 @@ class PubServer(BaseHTTPRequestHandler):
self.server.proxyType, version,
self.server.debug,
self.server.YTReplacementDomain,
self.server.showPublishedDateOnly)
self.server.showPublishedDateOnly,
self.server.allowLocalNetworkAccess)
def _postToOutboxThread(self, messageJson: {}) -> bool:
"""Creates a thread to send a post

View File

@ -35,6 +35,7 @@ from bookmarks import outboxUndoBookmark
from delete import outboxDelete
from shares import outboxShareUpload
from shares import outboxUndoShareUpload
from content import dangerousMarkup
def postMessageToOutbox(messageJson: {}, postToNickname: str,
@ -47,7 +48,8 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
personCache: {}, allowDeletion: bool,
proxyType: str, version: str, debug: bool,
YTReplacementDomain: str,
showPublishedDateOnly: bool) -> bool:
showPublishedDateOnly: bool,
allowLocalNetworkAccess: bool) -> bool:
"""post is received by the outbox
Client to server message post
https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery
@ -66,6 +68,18 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
postToNickname,
domain, port,
messageJson)
# check that the outgoing post doesn't contain any markup
# which can be used to implement exploits
if messageJson.get('object'):
if isinstance(messageJson['object'], dict):
if messageJson['object'].get('content'):
if dangerousMarkup(messageJson['object']['content'],
allowLocalNetworkAccess):
print('POST to outbox contains dangerous markup: ' +
str(messageJson))
return False
if messageJson['type'] == 'Create':
if not (messageJson.get('id') and
messageJson.get('type') and