From cc07e4e43df2597a1db37dad25a2fca3f246b870 Mon Sep 17 00:00:00 2001
From: john
Date: Mon, 16 Apr 2007 20:08:24 +0000
Subject: [PATCH] kill web bugs!

---
 .../basic/MirBasicProducerAssistantLocalizer.java | 33 +++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/source/mircoders/localizer/basic/MirBasicProducerAssistantLocalizer.java b/source/mircoders/localizer/basic/MirBasicProducerAssistantLocalizer.java
index c13397bd..9fbaa048 100755
--- a/source/mircoders/localizer/basic/MirBasicProducerAssistantLocalizer.java
+++ b/source/mircoders/localizer/basic/MirBasicProducerAssistantLocalizer.java
@@ -350,6 +350,37 @@ public class MirBasicProducerAssistantLocalizer implements MirProducerAssistantL
     return false;
   }
 
+  private boolean checkAttrInContext(String nodeName,String attrName,String attrValue){
+    /* The intent here is to prevent external content from being loaded by the user's browser.
+       It's extra paranoid, so will strip some legitimate stuff like an alt="http://www.indymedia.org"
+    */
+    if (! MirGlobal.config().getBoolean("Localizer.HTML.KillWebBugs")) {
+      return true;
+    }
+    else {
+      if ((nodeName.toLowerCase()).equals("a") && (attrName.toLowerCase()).equals("href") || (nodeName.toLowerCase()).equals("form") && (attrName.toLowerCase()).equals("action")){
+        return true; //because we still love the web, even if it doesn't return the favor
+      }
+      else {
+        List externalPrefixes = StringRoutines.splitString(MirGlobal.config().getString("Localizer.HTML.ExternalLocationAttributeValuePrefixes"), ";");
+        List whitelist = StringRoutines.splitString(MirGlobal.config().getString("Localizer.HTML.WhitelistedExternalLocationAttributeValuePrefixes"), ";");
+        Iterator i = externalPrefixes.iterator();
+        while (i.hasNext()) {
+          if ((stripWhitespace(attrValue.toLowerCase())).startsWith(((String) i.next()).toLowerCase())) {
+            // we have hit a bad prefix, but we need to check the whitelist
+            Iterator wl=whitelist.iterator();
+            while (wl.hasNext()){
+              if ((stripWhitespace(attrValue.toLowerCase())).startsWith(((String) wl.next()).toLowerCase())) {
+                return true; //say, for example, something on a trusted server
+              }
+            }
+            return false; //don't let this attribute through
+          }
+        }
+        return true; //didn't seem to be an external prefix, so it's fine
+      }
+    }
+  }
   private void print(Node node, StringWriter out) throws IOException {
     if (node == null) {
       return;
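Review bot: `stripWhitespace(attrValue.toLowerCase())` is recomputed on every iteration of both prefix loops and the two config lookups are re-parsed for every attribute of every element, while the allow/deny decision sits three `else` levels deep; normalising the value once and moving the prefix scan into a small helper makes the policy readable and cheaper per attribute. The exemption line `(nodeName.toLowerCase()).equals("a") && ... || (nodeName.toLowerCase()).equals("form") && ...` relies on `&&` binding tighter than `||` and should be parenthesised so the two exempt pairs are explicit. The whitelist is a plain `startsWith` test, so an entry that stops at a host name also admits any longer value beginning with it; a comment such as `// whitelist entries should end with a path delimiter so the match stops at the host` next to the whitelist lookup would make that expectation visible to whoever edits the config. A sketch follows; the intent comment and the `KillWebBugs` switch are unchanged.
```java
  private boolean checkAttrInContext(String nodeName,String attrName,String attrValue){
    /* … unchanged: intent comment and the KillWebBugs switch that returns true when the feature is off … */
    String node = nodeName.toLowerCase();
    String attr = attrName.toLowerCase();
    // Outbound navigation is deliberately exempt: only (a, href) and (form, action).
    if ((node.equals("a") && attr.equals("href")) || (node.equals("form") && attr.equals("action"))) {
      return true; //because we still love the web, even if it doesn't return the favor
    }
    // Normalise once; the value is compared against every prefix below.
    String value = stripWhitespace(attrValue.toLowerCase());
    if (!startsWithConfiguredPrefix(value, "Localizer.HTML.ExternalLocationAttributeValuePrefixes")) {
      return true; //didn't seem to be an external prefix, so it's fine
    }
    // External location: only let it through when a whitelisted prefix matches.
    // whitelist entries should end with a path delimiter so the match stops at the host
    return startsWithConfiguredPrefix(value, "Localizer.HTML.WhitelistedExternalLocationAttributeValuePrefixes");
  }

  /** True when {@code value} starts with any ';'-separated prefix stored under {@code configKey} (case-insensitive). */
  private static boolean startsWithConfiguredPrefix(String value, String configKey) {
    Iterator prefixes = StringRoutines.splitString(MirGlobal.config().getString(configKey), ";").iterator();
    while (prefixes.hasNext()) {
      if (value.startsWith(((String) prefixes.next()).toLowerCase())) {
        return true;
      }
    }
    return false;
  }
```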
@@ -379,7 +410,7 @@ public class MirBasicProducerAssistantLocalizer implements MirProducerAssistantL
       attrValue=regularExpressionLeadingSlashes.substitute(attrValue, "/");
     }
 
-    if (checkAttr(attrName) && checkAttrValue(attrValue)) {
+    if (checkAttr(attrName) && checkAttrValue(attrValue) && checkAttrInContext(node.getNodeName(),attrName,attrValue)) {
       out.write(' ');
       out.write(attrs.item(i).getNodeName());
       out.write("=\"");
-- 
2.11.0
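Review bot: An attribute rejected by the new `checkAttrInContext(...)` term is dropped without any trace, which makes the external-prefix and whitelist settings hard to tune when a legitimate value disappears from the output; an `else` branch that records the element name, attribute name and the rejecting check at debug level (using whatever logging the class already has, which is not visible in this hunk) would give operators that feedback. `node.getNodeName()` is the same for every attribute of the element, so it can be read once before the attribute loop, `String nodeName = node.getNodeName();`, and passed in instead of being re-read per attribute; the loop head lies outside the hunk, so this is an inference. The enclosing `print` method starts and ends outside the hunk.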