diff --git a/src/Config.py b/src/Config.py
index 4a84e6781..aab299fd7 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -13,7 +13,7 @@ class Config(object):
 def __init__(self, argv):
 self.version = "0.6.5"
- self.rev = 3866
+ self.rev = 3870
 self.argv = argv
 self.action = None
 self.pending_changes = {}
diff --git a/src/Translate/languages/it.json b/src/Translate/languages/it.json
index 479923282..f3ee5d87a 100644
--- a/src/Translate/languages/it.json
+++ b/src/Translate/languages/it.json
@@ -39,7 +39,7 @@
 " files needs to be downloaded": " i file devono essere scaricati",
 " downloaded": " scaricati",
 " download failed": " scaricamento fallito",
- "Peers found: ": "Peer trovati: ",
+ "Peers found: ": "Peers trovati: ",
 "No peers found": "Nessun peer trovato",
 "Running out of size limit (": "Superato il limite di spazio (",
 "Set limit to \" + site_info.next_size_limit + \"MB": "Imposta il limite a \" + site_info.next_size_limit + \"MB",
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 7fcc3c9e5..1a2f4b2a8 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -293,9 +293,12 @@ def sendHeader(self, status=200, content_type="text/html", noscript=False, allow
 # Renders a template
 def render(self, template_path, *args, **kwargs):
 template = open(template_path).read()
- for key, val in kwargs.items():
- template = template.replace("{%s}" % key, "%s" % val)
- return template.encode("utf8")
+ def renderReplacer(m):
+ return "%s" % kwargs.get(m.group(1), "")
+
+ template_rendered = re.sub("{(.*?)}", renderReplacer, template)
+
+ return template_rendered.encode("utf8")
 
 # - Actions -
 
@@ -416,6 +419,9 @@ def renderWrapper(self, site, path, inner_path, title, extra_headers, show_loadi
 file_url = "/" + address + "/" + inner_path
 root_url = "/" + address + "/"
 
+ if self.isProxyRequest():
+ self.server.allowed_ws_origins.add(self.env["HTTP_HOST"])
+
 # Wrapper variable inits
 body_style = ""
 meta_tags = ""
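Review bot: The new `re.sub("{(.*?)}", renderReplacer, template)` in render() rewrites every brace group in the template, not only the placeholders the caller passed, so any literal `{…}` in the template text (inline CSS or JS, if the wrapper template carries any) is blanked by `kwargs.get(m.group(1), "")`. The old loop only touched keys present in kwargs; the single pass is an improvement in that a value containing `{other_key}` can no longer be re-substituted by a later iteration, but the pattern should be narrowed to placeholder names, e.g. `template_rendered = re.sub(r"{([A-Za-z0-9_]+)}", renderReplacer, template)`, with a raw string as is conventional for regexes. Whether `re` is already imported at the top of UiRequest.py is outside the hunk and should be confirmed. Values are still inserted unescaped, as before, so callers remain responsible for passing HTML-safe strings.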
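Review bot: `self.server.allowed_ws_origins.add(self.env["HTTP_HOST"])` in renderWrapper stores a client-supplied header value in a set that lives for the server's lifetime and is never pruned, and the `self.env["HTTP_HOST"]` lookup raises KeyError for a request that carries no Host header. Whether isProxyRequest() has already validated the host against `allowed_hosts` is not visible in the hunk; if it has not, any host a proxied request can name becomes a permanently accepted websocket Origin and the set can grow without bound. I would at least guard the lookup and record the intent: `host = self.env.get("HTTP_HOST")` / `if host: self.server.allowed_ws_origins.add(host)  # proxied sites open the websocket from their own host`, and consider normalising case before storing. renderWrapper starts before the hunk and continues after it.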
@@ -710,9 +716,20 @@ def actionFile(self, file_path, block_size=64 * 1024, send_header=True, header_l
 # On websocket connection
 def actionWebsocket(self):
 ws = self.env.get("wsgi.websocket")
+
 if ws:
- wrapper_key = self.get["wrapper_key"]
+ # Allow only same-origin websocket requests
+ origin = self.env.get("HTTP_ORIGIN")
+ host = self.env.get("HTTP_HOST")
+ # Allow only same-origin websocket requests
+ if origin:
+ origin_host = origin.split("://", 1)[-1]
+ if origin_host != host and origin_host not in self.server.allowed_ws_origins:
+ ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
+ return self.error403("Invalid origin: %s" % origin)
+
 # Find site by wrapper_key
+ wrapper_key = self.get["wrapper_key"]
 site = None
 for site_check in self.server.sites.values():
 if site_check.settings["wrapper_key"] == wrapper_key:
diff --git a/src/Ui/UiServer.py b/src/Ui/UiServer.py
index 90b6a31ce..03d56162c 100644
--- a/src/Ui/UiServer.py
+++ b/src/Ui/UiServer.py
@@ -75,6 +75,7 @@ def __init__(self):
 else:
 self.allowed_hosts = set([])
 self.allow_trans_proxy = config.ui_trans_proxy
+ self.allowed_ws_origins = set()
 
 self.wrapper_nonces = []
 self.add_nonces = []
diff --git a/src/Ui/UiWebsocket.py b/src/Ui/UiWebsocket.py
index b407e597f..580ff2af2 100644
--- a/src/Ui/UiWebsocket.py
+++ b/src/Ui/UiWebsocket.py
@@ -1120,6 +1120,11 @@ def actionConfigSet(self, to, key, value):
 self.response(to, {"error": "Forbidden you cannot set this config key"})
 return
 
+ if key == "open_browser":
+ if value not in ["default_browser", "False"]:
+ self.response(to, {"error": "Forbidden: Invalid value"})
+ return
+
 # Remove empty lines from lists
 if type(value) is list:
 value = [line for line in value if line]
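Review bot: In actionWebsocket the comment `# Allow only same-origin websocket requests` appears twice, above `origin = ...` and again above `if origin:`; the second one should instead explain the case the code deliberately leaves open, because a handshake without an Origin header skips the check entirely: `# No Origin header: not a cross-site browser request, nothing to check`. The comparison `origin_host != host` is an exact string match after stripping the scheme, so it does not account for host case or an explicit default port and accepts an http origin for an https host or vice versa; if those forms can legitimately occur here, normalise both sides before comparing. On rejection the code first sends a JSON error over the already-upgraded socket and then returns `self.error403(...)`; whether error403 can still emit an HTTP response at that point is not visible from the hunk and is worth confirming. The function continues past the end of the hunk.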
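Review bot: The new allow-list in actionConfigSet, `if value not in ["default_browser", "False"]`, is an exact string comparison, so a JSON boolean `false`, the string `"false"` or `0` sent by a UI client are all rejected with `Forbidden: Invalid value`; if the config layer stores this key as a string that is intended, but the literal `"False"` deserves a comment saying so. The reason for the check is not stated in the hunk either; presumably `open_browser` is later handed to a browser launcher, in which case a comment such as `# open_browser selects the browser launched at startup; only accept the known-safe values` would record why this key gets a value allow-list while the others are only checked against the forbidden-key list. Consider lifting the list to a module-level constant. actionConfigSet starts before the hunk and continues after it.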