holm/django-helpdeskmig
1
0
Fork 0
mirror of https://gitea.mueller.network/extern/django-helpdesk.git synced 2024-12-28 01:28:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add URL schemes that are allowed within links

Browse Source 
Fix bug Stored XSS via markdown
Disclosure: https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd/
This commit is contained in:
noobpk 2021-11-19 13:00:03 +07:00
parent 3f245871ac
commit c54b89f143
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
helpdesk/models.py
View File

@ -56,6 +56,10 @@ def get_markdown(text):
if not text: if not text:
return "" return ""
schemes = '|'.join(helpdesk_settings.ALLOWED_URL_SCHEMES)
pattern = fr'\[(.+)\]\((?!({schemes})).*:(.+)\)'
text = re.sub(pattern, '[\\1](\\3)', text, flags=re.IGNORECASE)
return mark_safe( return mark_safe(
markdown( markdown(
text, text,

5
helpdesk/settings.py
View File

@ -76,7 +76,10 @@ HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE = getattr(settings,
'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE', 'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE',
False) False)
# URL schemes that are allowed within links
ALLOWED_URL_SCHEMES = getattr(settings, 'ALLOWED_URL_SCHEMES', (
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
))
############################ ############################
# options for public pages # # options for public pages #
############################ ############################