forked from rDrama/rDrama
Probably will break some people's profilecss and irritate the newsposters, but in light of recent live proven exploits to disclose user IP & username pairs to remote servers, the broad list of embed hosts was unsustainable and impossible to prove safe. We extend is_safe_url to allow whitelisting subdomains, specifically to solve the s.lain.la open redirect exploit. Also, open media proxies like external-content.duckduckgo.com were concerning enough, despite likely being safe, to warrant removal. Anything infrequently used and difficult to review, or that has a reasonable alternative, was also removed. In general: we want people to be rehosting, and if we want to allow more external content, we need to run a media proxy. The central issue is that any user-configurable 302 is a potential disclosure risk, and Lord knows how many ways there were to get <arbitrarynewssite>.com to do so. Maybe zero, but the problem is we just don't know.
Top-level entries in the repository at this commit:

- assets
- classes
- events
- helpers
- routes
- templates
- __init__.py
- __main__.py
- cli.py
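The commit message says is_safe_url was extended so that subdomains of an allowlisted host can be whitelisted, and that the underlying risk is any user-controlled redirect target. The check below is an added example of that idea, not rDrama's own is_safe_url (its real signature, allowlist and configuration are not on this page); the site host, the exact-host allowlist and the subdomain roots are constructed values. It also covers the edge cases a redirect validator is usually bitten by: scheme-relative URLs, backslash tricks, credentials in the authority, a look-alike host such as `evil-lain.la`, and a trailing dot on the hostname.

```python
from urllib.parse import urlsplit

# Constructed configuration; rDrama's real hosts are not shown on this page.
SITE_HOST = "example-site.test"                 # the application's own host
ALLOWED_EXACT_HOSTS = {"i.example-cdn.test"}    # hosts allowed as-is
ALLOWED_SUBDOMAIN_ROOTS = {"lain.la"}           # these and any subdomain are allowed


def _normalize(url: str) -> str:
    """Browsers treat a backslash in the authority as a slash, so normalize first;
    otherwise "https:\\\\evil.test" parses as a harmless-looking relative path."""
    return url.strip().replace("\\", "/")


def _host_allowed(host: str, exact: set, roots: set) -> bool:
    """Exact match, or a match on the root or a true subdomain of an allowed root.
    Matching on "." + root is what keeps "evil-lain.la" out while letting
    "s.lain.la" through; a bare endswith(root) would accept the look-alike."""
    host = host.lower().rstrip(".")   # case-insensitive, ignore a trailing dot
    if host in exact:
        return True
    for root in roots:
        root = root.lower()
        if host == root or host.endswith("." + root):
            return True
    return False


def is_safe_url(url: str, allowed_exact=None, allowed_roots=None) -> bool:
    """True only for absolute paths on this site or for absolute http(s) URLs
    whose hostname is on the allowlist. Everything else is rejected."""
    if not url:
        return False
    exact = {SITE_HOST} | (ALLOWED_EXACT_HOSTS if allowed_exact is None else allowed_exact)
    roots = ALLOWED_SUBDOMAIN_ROOTS if allowed_roots is None else allowed_roots

    url = _normalize(url)
    try:
        parts = urlsplit(url)
        host = parts.hostname          # strips userinfo and port, lowercases
    except ValueError:                 # e.g. a malformed IPv6 literal
        return False

    if parts.scheme not in ("", "http", "https"):
        return False                   # javascript:, data:, custom schemes
    if not parts.netloc:
        # A same-site path. "//host" already yields a netloc, so this branch
        # only sees genuinely relative targets; require a leading slash.
        return parts.scheme == "" and url.startswith("/")
    if host is None:
        return False
    return _host_allowed(host, exact, roots)


if __name__ == "__main__":
    for candidate in ("/posts/1", "//evil.test/x", "https://s.lain.la/f.png",
                      "https://evil-lain.la/x", "https://lain.la@evil.test/"):
        print(f"{candidate!r:40} -> {is_safe_url(candidate)}")
```

The two decisions that matter are where the hostname comes from and how the suffix is compared: taking `parts.hostname` after backslash normalization means the host the browser will actually contact is the one being checked, and comparing against `"." + root` rather than `root` is the difference between whitelisting subdomains and whitelisting any name that happens to end in the same characters.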