forked from rDrama/rDrama
Snakes 616634158c
Narrow approved_embed_hosts for security.
Probably will break some people's profilecss and irritate the
newsposters, but in light of recent live proven exploits to disclose
user IP & username pairs to remote servers, the broad list of embed
hosts was unsustainable and impossible to prove safe.

We extend is_safe_url to allow whitelisting subdomains, specifically
to solve the s.lain.la open redirect exploit. Also, open media proxies
like external-content.duckduckgo.com were concerning enough, despite
likely being safe, to warrant removal. Anything infrequently used and
difficult to review, or that has a reasonable alternative, was also removed.

In general: we want people to be rehosting, and if we want to allow
more external content, we need to run a media proxy. The central issue
is that any user-configurable 302 is a potential disclosure risk, and
Lord knows how many ways there were to get <arbitrarynewssite>.com to
do so. Maybe zero, but the problem is we just don't know.
2022-12-05 18:57:35 -05:00
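The commit describes extending is_safe_url so that an allowlist entry can cover a domain's subdomains, and the reason: a redirect target the user controls is a channel for leaking IP/username pairs. The following is an added example of how such a check can be written; it is my own code, not rDrama's is_safe_url or its approved_embed_hosts list. The host names in APPROVED_HOSTS and APPROVED_DOMAINS are constructed for the example, and the split into "exact hosts" and "domains whose subdomains are allowed" (the host_allowed helper) is an assumption about how one would structure it, not a description of the project's implementation.

```python
from urllib.parse import urlsplit

# Constructed allowlists for this example. They are NOT rDrama's real
# approved_embed_hosts, just illustrative entries.
APPROVED_HOSTS = frozenset({"i.imgur.com", "www.youtube.com"})
# Registrable domains whose subdomains are also allowed. This is the
# "whitelist subdomains" idea from the commit, as an assumed design.
APPROVED_DOMAINS = frozenset({"example-cdn.net"})


def host_allowed(host: str) -> bool:
    """Exact match against APPROVED_HOSTS, or the apex / a subdomain of
    something in APPROVED_DOMAINS. Case-insensitive; a trailing dot is
    ignored so "i.imgur.com." does not slip past as a distinct host."""
    host = host.lower().rstrip(".")
    if host in APPROVED_HOSTS:
        return True
    # endswith("." + d) means "evil-example-cdn.net" does not match
    # "example-cdn.net", only "something.example-cdn.net" does.
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def is_safe_url(url: str) -> bool:
    """True for same-origin relative paths and for absolute http(s) URLs
    whose host passes host_allowed(). Anything else is rejected: an
    unexpected redirect target is exactly the disclosure channel at issue."""
    if not isinstance(url, str):
        return False
    # Browsers normalise "\" to "/" (so "/\evil.com" becomes "//evil.com")
    # and strip tab/newline; refuse rather than try to second-guess them.
    if "\\" in url or any(c in url for c in ("\r", "\n", "\t", "\0")):
        return False
    try:
        parts = urlsplit(url)
        _ = parts.port  # raises ValueError on a malformed port like ":80a"
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # A plain relative path such as "/post/123" stays on our origin.
        # A scheme-relative "//evil.com" has a non-empty netloc and so is
        # handled (and rejected) below, never here.
        return True
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and scheme-relative all land here
    # .hostname strips userinfo and port, so "https://i.imgur.com@evil.com/"
    # yields "evil.com" and is judged on the host that would really be hit.
    host = parts.hostname
    return bool(host) and host_allowed(host)
```

The checks that matter most are the ones that do not look like host matching at all: userinfo (`allowed@evil`), a scheme-relative `//host`, a backslash that a browser silently turns into a slash, and a lookalike such as `i.imgur.com.evil.com`. An allowlist that only compares the host string, or uses a substring test instead of an exact or dot-anchored suffix match, passes several of those.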
assets sneed 2022-12-05 14:22:33 +00:00
classes allow JL3 to edit rules (#39) 2022-12-05 05:22:08 +00:00
events Revert "blizzard submodule" 2022-11-30 16:10:20 -05:00
helpers Narrow approved_embed_hosts for security. 2022-12-05 18:57:35 -05:00
routes fix pin awards 2022-12-05 18:01:13 +02:00
templates fix margins 2022-12-05 17:23:41 +02:00
__init__.py Add trailing final newlines to source files. 2022-09-29 01:43:29 -04:00
__main__.py ratelimits: turn off autocheck so we can init 2022-11-29 19:29:06 -06:00
cli.py cli.py: fix startup operations using wrong WD. 2022-09-19 23:26:43 -04:00