code review for #3331: increase restrictions

Only resources from within the current directory will be allowed;
everything else will be silently rejected.
For example, this will forbid pulling lists from different repos
on GitHub, despite the lists being same origin.
This commit is contained in:
Raymond Hill 2017-12-30 11:05:15 -05:00
parent 6ab34efe44
commit f7c02e237f
No known key found for this signature in database
GPG Key ID: 25E1490B761470C2
1 changed files with 14 additions and 14 deletions


@ -190,22 +190,22 @@ api.fetchFilterList = function(mainlistURL, onLoad, onError) {
if ( isSublist ) { content.push('\n! ' + '>>>>>>>> ' + details.url); }
content.push(details.content.trim());
if ( isSublist ) { content.push('! <<<<<<<< ' + details.url); }
if ( parsedMainURL !== undefined ) {
if (
parsedMainURL !== undefined &&
parsedMainURL.pathname.length > 0
) {
var reInclude = /^!#include +(\S+)/gm,
match, subURL;
for (;;) {
match = reInclude.exec(details.content);
while ( match !== null ) {
var parsedSubURL = toParsedURL(match[1]);
if ( parsedSubURL === undefined ) {
parsedSubURL = toParsedURL(
parsedMainURL.href.replace(/[^/?]+(?:\?.*)?$/, match[1])
);
if ( parsedSubURL === undefined ) { continue; }
}
if ( parsedSubURL.origin !== parsedMainURL.origin ) { continue; }
if ( loadedSublistURLs.has(parsedSubURL.href) ) { continue; }
pendingSublistURLs.add(parsedSubURL.href);
match = reInclude.exec(details.content);
if ( match === null ) { break; }
if ( toParsedURL(match[1]) !== undefined ) { continue; }
if ( match[1].indexOf('..') !== -1 ) { continue; }
subURL =
parsedMainURL.origin +
parsedMainURL.pathname.replace(/[^/]+$/, match[1]);
if ( loadedSublistURLs.has(subURL) ) { continue; }
pendingSublistURLs.add(subURL);
}
}