diff options
| author | jonathan | 2021-12-28 21:21:25 +0000 |
|---|---|---|
| committer | stuebinm | 2022-03-19 19:23:05 +0100 |
| commit | 5b1fe362589b9ce6aa36e2df6fda4b3165bcdb32 (patch) | |
| tree | b60e040a9d46155d3a638a6ecd2230164bc73d13 | |
| parent | 8f292660630b3154a3441cc673d6aa605f668e5b (diff) | |
fixed url injection by means of starting an url with "." and turning the prefix into a subdomain
| -rw-r--r-- | lib/Properties.hs | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/Properties.hs b/lib/Properties.hs index 35c4ce4..31823e6 100644 --- a/lib/Properties.hs +++ b/lib/Properties.hs @@ -497,7 +497,14 @@ checkTileThing removeExits p@(Property name _value) = case name of -> forbidProperty name -- the openWebsite Api can only be allowed if the website is on static.rc3.world | T.toLower name == "openwebsiteallowapi" - -> forbid "\"openWebsiteAllowApi\" is disallowed." + -> do + properties <- askContext <&> getProperties + unless (all (\(Property name value) -> case value of + StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str + _ -> True + ) properties) + $ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \ + \on https://static.rc3.world" | name `elem` [ "openWebsite", "openTab" ] -> do uselessEmptyLayer suggestProperty $ Property "openWebsiteTrigger" (StrProp "onaction") |