mirror of
https://github.com/gorhill/uBlock.git
code review for #3331: increase restrictions
Only resources from within the current directory will be allowed; everything else will be silently rejected. For example, this will forbid pulling lists from different repos on GitHub, despite the lists being same-origin.
parent
6ab34efe44
commit
f7c02e237f
1 changed files with 14 additions and 14 deletions
|
@ -190,22 +190,22 @@ api.fetchFilterList = function(mainlistURL, onLoad, onError) {
|
|||
if ( isSublist ) { content.push('\n! ' + '>>>>>>>> ' + details.url); }
|
||||
content.push(details.content.trim());
|
||||
if ( isSublist ) { content.push('! <<<<<<<< ' + details.url); }
|
||||
|
||||
if ( parsedMainURL !== undefined ) {
|
||||
if (
|
||||
parsedMainURL !== undefined &&
|
||||
parsedMainURL.pathname.length > 0
|
||||
) {
|
||||
var reInclude = /^!#include +(\S+)/gm,
|
||||
match, subURL;
|
||||
for (;;) {
|
||||
match = reInclude.exec(details.content);
|
||||
while ( match !== null ) {
|
||||
var parsedSubURL = toParsedURL(match[1]);
|
||||
if ( parsedSubURL === undefined ) {
|
||||
parsedSubURL = toParsedURL(
|
||||
parsedMainURL.href.replace(/[^/?]+(?:\?.*)?$/, match[1])
|
||||
);
|
||||
if ( parsedSubURL === undefined ) { continue; }
|
||||
}
|
||||
if ( parsedSubURL.origin !== parsedMainURL.origin ) { continue; }
|
||||
if ( loadedSublistURLs.has(parsedSubURL.href) ) { continue; }
|
||||
pendingSublistURLs.add(parsedSubURL.href);
|
||||
match = reInclude.exec(details.content);
|
||||
if ( match === null ) { break; }
|
||||
if ( toParsedURL(match[1]) !== undefined ) { continue; }
|
||||
if ( match[1].indexOf('..') !== -1 ) { continue; }
|
||||
subURL =
|
||||
parsedMainURL.origin +
|
||||
parsedMainURL.pathname.replace(/[^/]+$/, match[1]);
|
||||
if ( loadedSublistURLs.has(subURL) ) { continue; }
|
||||
pendingSublistURLs.add(subURL);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
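Review bot: The `match[1].indexOf('..') !== -1` guard rejects only a literal `..`, but WHATWG URL parsing also treats `%2e%2e`, `.%2e` and `%2e.` as double-dot segments, so an `!#include` path written that way would presumably still resolve outside the current directory when `subURL` is fetched, which is the case the commit message says is rejected. Checking the resolved URL instead of the raw text is more robust: parse `subURL` with `toParsedURL`, then `continue` unless its `origin` equals `parsedMainURL.origin` and its `pathname` starts with the directory part of `parsedMainURL.pathname`. Separately, `replace(/[^/]+$/, match[1])` passes list-controlled text as a replacement string, so `$&`-style sequences in it are expanded; `replace(/[^/]+$/, function() { return match[1]; })` inserts it verbatim. The enclosing `api.fetchFilterList` begins and ends outside this hunk and `toParsedURL` is not visible here, so its return behaviour is assumed from how it is used.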