From 5b1fe362589b9ce6aa36e2df6fda4b3165bcdb32 Mon Sep 17 00:00:00 2001 From: jonathan Date: Tue, 28 Dec 2021 21:21:25 +0000 Subject: fixed url injection by means of starting an url with "." and turning the prefix into a subdomain --- lib/Properties.hs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/lib/Properties.hs b/lib/Properties.hs index 35c4ce4..31823e6 100644 --- a/lib/Properties.hs +++ b/lib/Properties.hs @@ -497,7 +497,14 @@ checkTileThing removeExits p@(Property name _value) = case name of -> forbidProperty name -- the openWebsite Api can only be allowed if the website is on static.rc3.world | T.toLower name == "openwebsiteallowapi" - -> forbid "\"openWebsiteAllowApi\" is disallowed." + -> do + properties <- askContext <&> getProperties + unless (all (\(Property name value) -> case value of + StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str + _ -> True + ) properties) + $ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \ + \on https://static.rc3.world" | name `elem` [ "openWebsite", "openTab" ] -> do uselessEmptyLayer suggestProperty $ Property "openWebsiteTrigger" (StrProp "onaction") -- cgit v1.2.3