mirror
/
changedetection.io
kopia lustrzana https://github.com/dgtlmoon/changedetection.io
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

CVE-2024-51483 - Fix for limiting access to file:// via source:file:///tmp/file.txt when using webdriver/playwright

pull/2757/head
dgtlmoon 2024-10-31 22:48:40 +01:00
rodzic 942625e1fb
commit 26d3a23e05
2 zmienionych plików z 8 dodań i 4 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

4
changedetectionio/model/Watch.py
Wyświetl plik

@ -89,6 +89,10 @@ class model(watch_base):
if ready_url.startswith('source:'): if ready_url.startswith('source:'):
ready_url=ready_url.replace('source:', '') ready_url=ready_url.replace('source:', '')
# Also double check it after any Jinja2 formatting just incase
if not is_safe_url(ready_url):
return 'DISABLED'
return ready_url return ready_url
def clear_watch(self): def clear_watch(self):

8
changedetectionio/processors/__init__.py
Wyświetl plik

@ -31,15 +31,15 @@ class difference_detection_processor():
from requests.structures import CaseInsensitiveDict from requests.structures import CaseInsensitiveDict
# Protect against file:// access url = self.watch.link
if re.search(r'^file://', self.watch.get('url', '').strip(), re.IGNORECASE):
# Protect against file:// access, check the real "link" without any meta "source:" etc prepended.
if re.search(r'^file://', url, re.IGNORECASE):
if not strtobool(os.getenv('ALLOW_FILE_URI', 'false')): if not strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
raise Exception( raise Exception(
"file:// type access is denied for security reasons." "file:// type access is denied for security reasons."
) )
url = self.watch.link
# Requests, playwright, other browser via wss:// etc, fetch_extra_something # Requests, playwright, other browser via wss:// etc, fetch_extra_something
prefer_fetch_backend = self.watch.get('fetch_backend', 'system') prefer_fetch_backend = self.watch.get('fetch_backend', 'system')