From 861e0855973fdb1c0ef73a5d07ef62acf691e1c1 Mon Sep 17 00:00:00 2001 From: kusky <37901668+kusky33@users.noreply.github.com> Date: Sun, 7 Jul 2019 15:11:53 +0200 Subject: [PATCH 1/6] Update it.json --- src/Translate/languages/it.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Translate/languages/it.json b/src/Translate/languages/it.json index 479923282..f3ee5d87a 100644 --- a/src/Translate/languages/it.json +++ b/src/Translate/languages/it.json @@ -39,7 +39,7 @@ " files needs to be downloaded": " i file devono essere scaricati", " downloaded": " scaricati", " download failed": " scaricamento fallito", - "Peers found: ": "Peer trovati: ", + "Peers found: ": "Peers trovati: ", "No peers found": "Nessun peer trovato", "Running out of size limit (": "Superato il limite di spazio (", "Set limit to \" + site_info.next_size_limit + \"MB": "Imposta il limite a \" + site_info.next_size_limit + \"MB", From 67b78ca12d75cb208a3273ad7c9e412e893cc42e Mon Sep 17 00:00:00 2001 From: shortcutme Date: Sun, 18 Aug 2019 03:20:44 +0200 Subject: [PATCH 2/6] Rev3868, Add origin validation to websocket connections --- src/Config.py | 2 +- src/Ui/UiRequest.py | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/Config.py b/src/Config.py index 4a84e6781..8c9fda74f 100644 --- a/src/Config.py +++ b/src/Config.py @@ -13,7 +13,7 @@ class Config(object): def __init__(self, argv): self.version = "0.6.5" - self.rev = 3866 + self.rev = 3868 self.argv = argv self.action = None self.pending_changes = {} diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py index 7fcc3c9e5..25c9ae0e6 100644 --- a/src/Ui/UiRequest.py +++ b/src/Ui/UiRequest.py 
@@ -710,9 +710,19 @@ def actionFile(self, file_path, block_size=64 * 1024, send_header=True, header_l # On websocket connection def actionWebsocket(self): ws = self.env.get("wsgi.websocket") + if ws: - wrapper_key = self.get["wrapper_key"] + # Allow only same-origin websocket requests + origin = self.env.get("HTTP_ORIGIN") + host = self.env.get("HTTP_HOST") + if origin and host: + origin_host = origin.split("://", 1)[-1] + if host != origin_host: + ws.send(json.dumps({"error": "Invalid origin: %s" % origin})) + return self.error403("Invalid origin: %s" % origin) + # Find site by wrapper_key + wrapper_key = self.get["wrapper_key"] site = None for site_check in self.server.sites.values(): if site_check.settings["wrapper_key"] == wrapper_key: From 27a67d9753110f8f511e3fc9a7a800063ebe22b5 Mon Sep 17 00:00:00 2001 From: shortcutme Date: Wed, 28 Aug 2019 01:32:02 +0200 Subject: [PATCH 3/6] Allow websocket connection originates from earlier accepted hostnames --- src/Ui/UiRequest.py | 8 ++++++-- src/Ui/UiServer.py | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py index 25c9ae0e6..667b90a57 100644 --- a/src/Ui/UiRequest.py +++ b/src/Ui/UiRequest.py @@ -416,6 +416,9 @@ def renderWrapper(self, site, path, inner_path, title, extra_headers, show_loadi file_url = "/" + address + "/" + inner_path root_url = "/" + address + "/" + if self.isProxyRequest(): + self.server.allowed_ws_origins.add(self.env["HTTP_HOST"]) + # Wrapper variable inits body_style = "" meta_tags = "" 
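Review bot: The new same-origin check in actionWebsocket compares the Origin host against the request's own Host header, so it is only as strong as whatever validates Host: a DNS-rebinding page served from attacker.example:43110 arrives with matching Host and Origin values and passes, unless HTTP_HOST has already been checked against UiServer.allowed_hosts earlier in the request path, which this hunk does not show. The check is also skipped entirely when no Origin header is present (`if origin and host:`); that is acceptable for browsers, which always send Origin on a WebSocket handshake, but the comment overstates what is enforced, and I would write it as `# Reject cross-origin websocket handshakes; browsers always send Origin, so a missing header means a non-browser client`. Since wsgi.websocket being set presumably means the upgrade has already completed, the JSON written with `ws.send` is what the client actually sees and the HTTP 403 body from error403 likely never reaches it, so consider `ws.close()` right after the send. actionWebsocket continues past the end of the hunk.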
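Review bot: The added `self.server.allowed_ws_origins.add(self.env["HTTP_HOST"])` in renderWrapper records every Host value seen on a proxied wrapper request for the lifetime of the process, with no upper bound, and judging by the commit title each recorded host then becomes an accepted websocket origin for every site, not only the one that was rendered. If Host is not validated before renderWrapper runs, one crafted proxied request is enough to whitelist an arbitrary origin permanently, so the trust assumption should at least be stated next to the line, e.g. `# Host was accepted for a proxied wrapper render; remember it so the websocket from that page passes the origin check (set grows for the process lifetime)`. Indexing with `self.env["HTTP_HOST"]` also raises KeyError on a request that carries no Host header, unlike the `.get` used for the same header in actionWebsocket; `host = self.env.get("HTTP_HOST")` guarded by `if host:` avoids that. renderWrapper starts before and continues after the hunk.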
@@ -715,9 +718,10 @@ def actionWebsocket(self): # Allow only same-origin websocket requests origin = self.env.get("HTTP_ORIGIN") host = self.env.get("HTTP_HOST") - if origin and host: + # Allow only same-origin websocket requests + if origin: origin_host = origin.split("://", 1)[-1] - if host != origin_host: + if origin_host != host and origin_host not in self.server.allowed_ws_origins: ws.send(json.dumps({"error": "Invalid origin: %s" % origin})) return self.error403("Invalid origin: %s" % origin) diff --git a/src/Ui/UiServer.py b/src/Ui/UiServer.py index 90b6a31ce..03d56162c 100644 --- a/src/Ui/UiServer.py +++ b/src/Ui/UiServer.py @@ -75,6 +75,7 @@ def __init__(self): else: self.allowed_hosts = set([]) self.allow_trans_proxy = config.ui_trans_proxy + self.allowed_ws_origins = set() self.wrapper_nonces = [] self.add_nonces = [] From a121c23973b1d4f849a377f1bdc1cfe76cce88a3 Mon Sep 17 00:00:00 2001 From: shortcutme Date: Wed, 28 Aug 2019 01:32:16 +0200 Subject: [PATCH 4/6] Use re.sub to replace template variables --- src/Ui/UiRequest.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py index 667b90a57..1a2f4b2a8 100644 --- a/src/Ui/UiRequest.py +++ b/src/Ui/UiRequest.py @@ -293,9 +293,12 @@ def sendHeader(self, status=200, content_type="text/html", noscript=False, allow # Renders a template def render(self, template_path, *args, **kwargs): template = open(template_path).read() - for key, val in kwargs.items(): - template = template.replace("{%s}" % key, "%s" % val) - return template.encode("utf8") + def renderReplacer(m): + return "%s" % kwargs.get(m.group(1), "") + + template_rendered = re.sub("{(.*?)}", renderReplacer, template) + + return template_rendered.encode("utf8") # - Actions - From a9b5561c490995f8ac5658f6bfa9b10e6c1f5c4d Mon Sep 17 00:00:00 2001 
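Review bot: The added `# Allow only same-origin websocket requests` comment duplicates the identical context line two lines above it, and neither describes the new behaviour, which is no longer same-origin only: any origin present in `self.server.allowed_ws_origins` is accepted for any site. I would drop the duplicate and reword the remaining one as `# Accept same-origin handshakes, plus origins previously seen as Host on a proxied wrapper request (renderWrapper fills allowed_ws_origins)`. Dropping `and host` from the condition also means a request with an Origin but no Host header now falls through to the allowlist comparison with `host` equal to None, which looks harmless but is worth stating if intended. The function continues past the end of the hunk.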
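Review bot: The replacement callback in render returns `""` for any `{...}` span whose name is not a keyword argument (`kwargs.get(m.group(1), "")`), so the rewrite silently deletes every brace-delimited span the old `str.replace` loop left untouched, including inline CSS or JavaScript blocks that sit on one line, since `.*?` stops at the first `}`. Returning the matched text for unknown names keeps the previous behaviour for those spans: `return "%s" % kwargs.get(m.group(1), m.group(0))`. The pattern should also be a raw string, `r"{(.*?)}"`, and the code relies on `re` being imported at the top of UiRequest.py, which the hunk does not show.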
From: shortcutme Date: Wed, 28 Aug 2019 01:32:28 +0200 Subject: [PATCH 5/6] Rev3870 --- src/Config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Config.py b/src/Config.py index 8c9fda74f..aab299fd7 100644 --- a/src/Config.py +++ b/src/Config.py @@ -13,7 +13,7 @@ class Config(object): def __init__(self, argv): self.version = "0.6.5" - self.rev = 3868 + self.rev = 3870 self.argv = argv self.action = None self.pending_changes = {} From bf771eda5f2175d4ba24376ebf91ecaafde25c48 Mon Sep 17 00:00:00 2001 From: shortcutme Date: Wed, 28 Aug 2019 01:33:32 +0200 Subject: [PATCH 6/6] Restrict setting open_browser values in config file --- src/Ui/UiWebsocket.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/Ui/UiWebsocket.py b/src/Ui/UiWebsocket.py index b407e597f..580ff2af2 100644 --- a/src/Ui/UiWebsocket.py +++ b/src/Ui/UiWebsocket.py @@ -1120,6 +1120,11 @@ def actionConfigSet(self, to, key, value): self.response(to, {"error": "Forbidden you cannot set this config key"}) return + if key == "open_browser": + if value not in ["default_browser", "False"]: + self.response(to, {"error": "Forbidden: Invalid value"}) + return + # Remove empty lines from lists if type(value) is list: value = [line for line in value if line]
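Review bot: The new `open_browser` branch in actionConfigSet hard-codes a two-value allowlist with no comment on why this key alone is restricted; presumably the value is later handed to a browser launcher where an arbitrary string could name a command, and the next maintainer needs that reasoning next to the check. I would add `# open_browser is passed to a browser launcher at startup; only fixed values are accepted here so a site cannot set an arbitrary browser name or command through the websocket`, adjusted to whatever the launcher actually does. Note the comparison is against the string "False", so a client that sends a JSON boolean false is rejected with "Forbidden: Invalid value"; if the UI can send either form, accept the boolean explicitly or normalize the value before the check. actionConfigSet starts before and continues after the hunk.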