summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjonathan2021-12-28 21:21:25 +0000
committerstuebinm2022-03-19 19:23:05 +0100
commit5b1fe362589b9ce6aa36e2df6fda4b3165bcdb32 (patch)
treeb60e040a9d46155d3a638a6ecd2230164bc73d13
parent8f292660630b3154a3441cc673d6aa605f668e5b (diff)
fixed url injection by means of starting an url with "." and turning the prefix into a subdomain
-rw-r--r--lib/Properties.hs9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/Properties.hs b/lib/Properties.hs
index 35c4ce4..31823e6 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -497,7 +497,14 @@ checkTileThing removeExits p@(Property name _value) = case name of
-> forbidProperty name
-- the openWebsite Api can only be allowed if the website is on static.rc3.world
| T.toLower name == "openwebsiteallowapi"
- -> forbid "\"openWebsiteAllowApi\" is disallowed."
+ -> do
+ properties <- askContext <&> getProperties
+ unless (all (\(Property name value) -> case value of
+ StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str
+ _ -> True
+ ) properties)
+ $ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \
+ \on https://static.rc3.world"
| name `elem` [ "openWebsite", "openTab" ] -> do
uselessEmptyLayer
suggestProperty $ Property "openWebsiteTrigger" (StrProp "onaction")