mirror of
https://github.com/janeczku/calibre-web
synced 2024-11-25 02:57:22 +00:00
Don't allow redirects on cover uploads, catch more addresses which resolve to localhost
parent
8007e450b3
commit
965352c8d9
@ -734,10 +734,10 @@ def save_cover_from_url(url, book_path):
|
|||||||
if not cli.allow_localhost:
|
if not cli.allow_localhost:
|
||||||
# 127.0.x.x, localhost, [::1], [::ffff:7f00:1]
|
# 127.0.x.x, localhost, [::1], [::ffff:7f00:1]
|
||||||
ip = socket.getaddrinfo(urlparse(url).hostname, 0)[0][4][0]
|
ip = socket.getaddrinfo(urlparse(url).hostname, 0)[0][4][0]
|
||||||
if ip.startswith("127.") or ip.startswith('::ffff:7f') or ip == "::1":
|
if ip.startswith("127.") or ip.startswith('::ffff:7f') or ip == "::1" or ip == "0.0.0.0" or ip == "::":
|
||||||
log.error("Localhost was accessed for cover upload")
|
log.error("Localhost was accessed for cover upload")
|
||||||
return False, _("You are not allowed to access localhost for cover uploads")
|
return False, _("You are not allowed to access localhost for cover uploads")
|
||||||
img = requests.get(url, timeout=(10, 200)) # ToDo: Error Handling
|
img = requests.get(url, timeout=(10, 200), allow_redirects=False) # ToDo: Error Handling
|
||||||
img.raise_for_status()
|
img.raise_for_status()
|
||||||
return save_cover(img, book_path)
|
return save_cover(img, book_path)
|
||||||
except (socket.gaierror,
|
except (socket.gaierror,
|
||||||
|
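Review bot: The localhost guard in `save_cover_from_url` compares the printed form of only the first `getaddrinfo` result, so it depends on how the resolver formats the address and ignores any further addresses the name resolves to. Parsing every result with the standard `ipaddress` module and testing `is_loopback` / `is_unspecified` after unwrapping `ipv4_mapped` would cover the cases named in the comment without string prefixes. It needs `ipaddress` imported and a `ValueError` from parsing handled, which cannot be confirmed here because the function starts above the hunk and its `except` clause continues below it. Separately, with `allow_redirects=False` a 3xx reply is not an error for `raise_for_status()`, so it appears to reach `save_cover` as if it were an image; checking `img.is_redirect` before that call would make the rejection explicit. The host name is also resolved a second time inside `requests.get`, so the check and the fetch are not guaranteed to see the same address.

```python
if not cli.allow_localhost:
    # check every resolved address, not only the first one
    for info in socket.getaddrinfo(urlparse(url).hostname, 0):
        addr = ipaddress.ip_address(info[4][0])
        # unwrap ::ffff:a.b.c.d so the IPv4 rules apply to it
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if addr.is_loopback or addr.is_unspecified:
            log.error("Localhost was accessed for cover upload")
            return False, _("You are not allowed to access localhost for cover uploads")
# … unchanged: requests.get / raise_for_status / save_cover …
```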