mirrors/calibre-web
1
0
Fork 0
mirror of https://github.com/janeczku/calibre-web synced 2024-06-13 17:06:50 +00:00
Code Issues Releases Wiki Activity

Don't allow redirects on cover uploads, catch more addresses which resolve to localhost

Browse Source
This commit is contained in:
Ozzie Isaacs 2022-02-26 08:05:35 +01:00
parent 8007e450b3
commit 965352c8d9
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cps/helper.py
View File

@ -734,10 +734,10 @@ def save_cover_from_url(url, book_path):
if not cli.allow_localhost: if not cli.allow_localhost:
# 127.0.x.x, localhost, [::1], [::ffff:7f00:1] # 127.0.x.x, localhost, [::1], [::ffff:7f00:1]
ip = socket.getaddrinfo(urlparse(url).hostname, 0)[0][4][0] ip = socket.getaddrinfo(urlparse(url).hostname, 0)[0][4][0]
if ip.startswith("127.") or ip.startswith('::ffff:7f') or ip == "::1": if ip.startswith("127.") or ip.startswith('::ffff:7f') or ip == "::1" or ip == "0.0.0.0" or ip == "::":
log.error("Localhost was accessed for cover upload") log.error("Localhost was accessed for cover upload")
return False, _("You are not allowed to access localhost for cover uploads") return False, _("You are not allowed to access localhost for cover uploads")
img = requests.get(url, timeout=(10, 200)) # ToDo: Error Handling img = requests.get(url, timeout=(10, 200), allow_redirects=False) # ToDo: Error Handling
img.raise_for_status() img.raise_for_status()
return save_cover(img, book_path) return save_cover(img, book_path)
except (socket.gaierror, except (socket.gaierror,