Prevent sending content with dangerous markup via the outbox

main
Bob Mottram 2020-12-11 10:46:47 +00:00
parent 5335a3513c
commit 92c555d732
2 changed files with 17 additions and 2 deletions

View File

@ -995,7 +995,8 @@ class PubServer(BaseHTTPRequestHandler):
self.server.proxyType, version, self.server.proxyType, version,
self.server.debug, self.server.debug,
self.server.YTReplacementDomain, self.server.YTReplacementDomain,
self.server.showPublishedDateOnly) self.server.showPublishedDateOnly,
self.server.allowLocalNetworkAccess)
def _postToOutboxThread(self, messageJson: {}) -> bool: def _postToOutboxThread(self, messageJson: {}) -> bool:
"""Creates a thread to send a post """Creates a thread to send a post

View File

@ -35,6 +35,7 @@ from bookmarks import outboxUndoBookmark
from delete import outboxDelete from delete import outboxDelete
from shares import outboxShareUpload from shares import outboxShareUpload
from shares import outboxUndoShareUpload from shares import outboxUndoShareUpload
from content import dangerousMarkup
def postMessageToOutbox(messageJson: {}, postToNickname: str, def postMessageToOutbox(messageJson: {}, postToNickname: str,
@ -47,7 +48,8 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
personCache: {}, allowDeletion: bool, personCache: {}, allowDeletion: bool,
proxyType: str, version: str, debug: bool, proxyType: str, version: str, debug: bool,
YTReplacementDomain: str, YTReplacementDomain: str,
showPublishedDateOnly: bool) -> bool: showPublishedDateOnly: bool,
allowLocalNetworkAccess: bool) -> bool:
"""post is received by the outbox """post is received by the outbox
Client to server message post Client to server message post
https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery
@ -66,6 +68,18 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
postToNickname, postToNickname,
domain, port, domain, port,
messageJson) messageJson)
# check that the outgoing post doesn't contain any markup
# which can be used to implement exploits
if messageJson.get('object'):
if isinstance(messageJson['object'], dict):
if messageJson['object'].get('content'):
if dangerousMarkup(messageJson['object']['content'],
allowLocalNetworkAccess):
print('POST to outbox contains dangerous markup: ' +
str(messageJson))
return False
if messageJson['type'] == 'Create': if messageJson['type'] == 'Create':
if not (messageJson.get('id') and if not (messageJson.get('id') and
messageJson.get('type') and messageJson.get('type') and