Prevent raw content being served from storage. (#7443)

TODO: Detailed description to be added once deployed.
This commit is contained in:
Neil Fraser
2023-08-28 18:56:57 +02:00
committed by GitHub
parent fb6c3dc8b2
commit 650e620e2b
2 changed files with 12 additions and 4 deletions


@@ -130,6 +130,8 @@ BlocklyStorage.handleRequest_ = function() {
BlocklyStorage.alert(BlocklyStorage.HASH_ERROR.replace('%1',
window.location.hash));
} else {
// Remove poison line to prevent raw content from being served.
data = data.replace(/^\{\[\(\< UNTRUSTED CONTENT \>\)\]\}\n/, '');
BlocklyStorage.loadXml_(data, BlocklyStorage.httpRequest_.workspace);
}
}
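Review bot: The marker removal on the `data = data.replace(...)` line is a silent no-op if the server's marker ever differs (a CRLF line ending, or a changed string), in which case the poisoned text is handed straight to `loadXml_` and the load fails without explanation, so the coupling deserves a comment: `// Must match the marker prepended by the server's keyToXml(); it is stripped once, only at the very start of the response.` Since `replace` with a non-global regex removes a single match at `^`, stored content whose own first line is the marker keeps that copy; that appears intended but is worth stating in the same comment. The enclosing `handleRequest_` begins outside the hunk.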


@@ -80,11 +80,20 @@ def keyToXml(key_provided):
with client.context():
result.put()
xml = result.xml_content
# Add a poison line to prevent raw content from being served.
xml = "{[(< UNTRUSTED CONTENT >)]}\n" + xml
return xml
def app(environ, start_response):
forms = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
headers = [
("Content-Type", "text/plain")
]
if environ["REQUEST_METHOD"] != "POST":
start_response("405 Method Not Allowed", headers)
return ["Storage only accepts POST".encode('utf-8')]
forms = cgi.FieldStorage(fp=environ["wsgi.input"], environ=environ)
if "xml" in forms:
out = xmlToKey(forms["xml"].value)
elif "key" in forms:
@@ -92,8 +101,5 @@ def app(environ, start_response):
else:
out = ""
headers = [
("Content-Type", "text/plain")
]
start_response("200 OK", headers)
return [out.encode("utf-8")]
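Review bot: The poison line added in `keyToXml` (`xml = "{[(< UNTRUSTED CONTENT >)]}\n" + xml`) guards against stored XML being interpreted as markup when the storage URL is fetched directly, but the response in `app` still relies on the `text/plain` content type alone; adding `("X-Content-Type-Options", "nosniff")` to the `headers` list makes browsers honour the declared type and is complementary to the marker. The marker string is also hard-coded verbatim in the JavaScript client, so a module-level constant such as `UNTRUSTED_MARKER = "{[(< UNTRUSTED CONTENT >)]}\n"` with a comment naming the client-side strip would keep the two in sync, and `keyToXml`'s docstring should say that its return value carries this prefix. The rendered page lost the old/new markers, so I cannot tell whether both `forms = cgi.FieldStorage(...)` lines survive in the new `app`; if they do, the second call reads an already-consumed `wsgi.input` and the first should be dropped. Separately, `cgi` is deprecated since Python 3.11 and removed in 3.13 (PEP 594), so the form parsing will need a replacement. `keyToXml` begins before the first hunk and `app` continues between the two hunks.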