From f7c02e237f7e3a76b985c95f5deafe3df11172d3 Mon Sep 17 00:00:00 2001
From: Raymond Hill
Date: Sat, 30 Dec 2017 11:05:15 -0500
Subject: [PATCH] code review for #3331: increase restrictions

Only resources from within current directory will be allowed, everything else will be silently rejected.

For example, this will forbid pulling lists from different repos on GitHub, despite the lists being same origin.

---
 src/js/assets.js | 28 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/js/assets.js b/src/js/assets.js
index 845ef68b4..07255364f 100644
--- a/src/js/assets.js
+++ b/src/js/assets.js
@@ -190,22 +190,22 @@ api.fetchFilterList = function(mainlistURL, onLoad, onError) {
 if ( isSublist ) { content.push('\n! ' + '>>>>>>>> ' + details.url); }
 content.push(details.content.trim());
 if ( isSublist ) { content.push('! <<<<<<<< ' + details.url); }
-
- if ( parsedMainURL !== undefined ) {
+ if (
+ parsedMainURL !== undefined &&
+ parsedMainURL.pathname.length > 0
+ ) {
 var reInclude = /^!#include +(\S+)/gm,
+ match, subURL;
+ for (;;) {
 match = reInclude.exec(details.content);
- while ( match !== null ) {
- var parsedSubURL = toParsedURL(match[1]);
- if ( parsedSubURL === undefined ) {
- parsedSubURL = toParsedURL(
- parsedMainURL.href.replace(/[^/?]+(?:\?.*)?$/, match[1])
- );
- if ( parsedSubURL === undefined ) { continue; }
- }
- if ( parsedSubURL.origin !== parsedMainURL.origin ) { continue; }
- if ( loadedSublistURLs.has(parsedSubURL.href) ) { continue; }
- pendingSublistURLs.add(parsedSubURL.href);
- match = reInclude.exec(details.content);
+ if ( match === null ) { break; }
+ if ( toParsedURL(match[1]) !== undefined ) { continue; }
+ if ( match[1].indexOf('..') !== -1 ) { continue; }
+ subURL =
+ parsedMainURL.origin +
+ parsedMainURL.pathname.replace(/[^/]+$/, match[1]);
+ if ( loadedSublistURLs.has(subURL) ) { continue; }
+ pendingSublistURLs.add(subURL);
 }
 }
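Review bot: The new `if ( match[1].indexOf('..') !== -1 ) { continue; }` only rejects a literal `..`, yet the string built on the following `subURL =` lines is later handed to the browser's URL parser, which also treats `%2e%2e` (and `.%2e` / `%2e.`) as a dot-dot path segment, so `!#include %2e%2e/other/list.txt` passes the check and resolves to a sibling directory on the same origin — the case the commit message says is now forbidden. The same `pathname.replace(/[^/]+$/, match[1])` leaves `origin + pathname` untouched when the main list's pathname ends in `/` (the pattern matches nothing), silently dropping the include target. Resolving the directive with `new URL(match[1], parsedMainURL.href)` and accepting only results whose normalized `href` starts with the main list's directory prefix closes both, with the existing `toParsedURL` rejection of absolute URLs kept in front of it; whether `toParsedURL` itself normalizes this way is not visible here, so the check below calls `new URL` directly. The enclosing function starts before this hunk.
```javascript
            var reInclude = /^!#include +(\S+)/gm,
                baseDir = parsedMainURL.origin +
                          parsedMainURL.pathname.replace(/[^/]*$/, ''),
                match, subURL;
            for (;;) {
                // … unchanged: exec, null check, toParsedURL rejection of absolute URLs …
                // Let the URL parser normalize "..", "%2e%2e", "//host" and "/abs"
                // forms, then keep only targets under the main list's directory.
                try {
                    subURL = new URL(match[1], parsedMainURL.href);
                } catch (ex) {
                    continue;
                }
                if ( subURL.href.startsWith(baseDir) === false ) { continue; }
                subURL = subURL.href;
                // … unchanged: loadedSublistURLs check and pendingSublistURLs.add …
            }
```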