Attempt to patch a possible message injection hole.

2011-09-05 17:46:17 +01:00
parent 66edd83372
commit 2d3009ccb1
9 changed files with 101 additions and 28 deletions
--- a/modules/head.py
+++ b/modules/head.py
@@ -83,6 +83,18 @@ def f_title(self, origin, match, args):
      uri = 'http://' + uri
   uri = uri.replace('#!', '?_escaped_fragment_=')

+   localhost = [
+      'http://localhost/', 'http://localhost:80/', 
+      'http://localhost:8080/', 'http://127.0.0.1/', 
+      'http://127.0.0.1:80/', 'http://127.0.0.1:8080/', 
+      'https://localhost/', 'https://localhost:80/', 
+      'https://localhost:8080/', 'https://127.0.0.1/', 
+      'https://127.0.0.1:80/', 'https://127.0.0.1:8080/', 
+   ]
+   for s in localhost: 
+      if uri.startswith(s): 
+         return phenny.reply('Sorry, access forbidden.')
+
   try: 
      redirects = 0
      while True: