Prevent sending content with dangerous markup via the outbox
parent
5335a3513c
commit
92c555d732
@ -995,7 +995,8 @@ class PubServer(BaseHTTPRequestHandler):
self.server.proxyType, version,
self.server.proxyType, version,
self.server.debug,
self.server.debug,
self.server.YTReplacementDomain,
self.server.YTReplacementDomain,
self.server.showPublishedDateOnly)
self.server.showPublishedDateOnly,
self.server.allowLocalNetworkAccess)
def _postToOutboxThread(self, messageJson: {}) -> bool:
def _postToOutboxThread(self, messageJson: {}) -> bool:
"""Creates a thread to send a post
"""Creates a thread to send a post
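--- a/outbox.py
+++ b/outbox.py
@@ -35,6 +35,7 @@ from bookmarks import outboxUndoBookmark
 from delete import outboxDelete
 from shares import outboxShareUpload
 from shares import outboxUndoShareUpload
+from content import dangerousMarkup
 
 
 def postMessageToOutbox(messageJson: {}, postToNickname: str,
@@ -47,7 +48,8 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
 personCache: {}, allowDeletion: bool,
 proxyType: str, version: str, debug: bool,
 YTReplacementDomain: str,
-showPublishedDateOnly: bool) -> bool:
+showPublishedDateOnly: bool,
+allowLocalNetworkAccess: bool) -> bool:
 """post is received by the outbox
 Client to server message post
 https://www.w3.org/TR/activitypub/#client-to-server-outbox-delivery
@@ -66,6 +68,18 @@ def postMessageToOutbox(messageJson: {}, postToNickname: str,
 postToNickname,
 domain, port,
 messageJson)
+
+# check that the outgoing post doesn't contain any markup
+# which can be used to implement exploits
+if messageJson.get('object'):
+if isinstance(messageJson['object'], dict):
+if messageJson['object'].get('content'):
+if dangerousMarkup(messageJson['object']['content'],
+allowLocalNetworkAccess):
+print('POST to outbox contains dangerous markup: ' +
+str(messageJson))
+return False
+
 if messageJson['type'] == 'Create':
 if not (messageJson.get('id') and
 messageJson.get('type') and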
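Review bot: The rejection path in the third hunk prints the whole post with `str(messageJson)`, so the very markup that was just rejected is written verbatim into the server log; logging only an identifier, e.g. `str(messageJson.get('id'))`, keeps client-supplied content out of the logs. Only `object['content']` is inspected here, so other markup-bearing fields an object may carry (`summary`, `contentMap`, attachment names) are not covered by this check and it is worth confirming which of them the client-to-server path accepts. The check also runs after the call that ends with `messageJson)` at the top of the hunk, whose name lies outside the hunk; if that call persists or forwards the post, it is worth confirming the rejection happens before any such side effect. The four nested `if`s can collapse into one guard as below. postMessageToOutbox continues past the end of the hunk.
```python
    # … unchanged: call ending with messageJson) …
    # check that the outgoing post doesn't contain any markup
    # which can be used to implement exploits
    postObject = messageJson.get('object')
    if isinstance(postObject, dict) and postObject.get('content'):
        if dangerousMarkup(postObject['content'], allowLocalNetworkAccess):
            # log an identifier rather than the rejected content itself
            print('POST to outbox contains dangerous markup: ' +
                  str(messageJson.get('id')))
            return False
    # … unchanged: Create handling …
```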