From 650e620e2b76484f6523a973a5842836a054c2b1 Mon Sep 17 00:00:00 2001
From: Neil Fraser
Date: Mon, 28 Aug 2023 18:56:57 +0200
Subject: [PATCH] Prevent raw content being served from storage. (#7443)

TODO: Detailed description to be added once deployed.
---
 appengine/storage.js | 2 ++
 appengine/storage.py | 14 ++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/appengine/storage.js b/appengine/storage.js
index a9eb74cc9..c11571771 100644
--- a/appengine/storage.js
+++ b/appengine/storage.js
@@ -130,6 +130,8 @@ BlocklyStorage.handleRequest_ = function() {
 BlocklyStorage.alert(BlocklyStorage.HASH_ERROR.replace('%1',
 window.location.hash));
 } else {
+ // Remove poison line to prevent raw content from being served.
+ data = data.replace(/^\{\[\(\< UNTRUSTED CONTENT \>\)\]\}\n/, '');
 BlocklyStorage.loadXml_(data, BlocklyStorage.httpRequest_.workspace);
 }
 }
diff --git a/appengine/storage.py b/appengine/storage.py
index 7e5073d3d..637e8843d 100644
--- a/appengine/storage.py
+++ b/appengine/storage.py
@@ -80,11 +80,20 @@ def keyToXml(key_provided):
 with client.context():
 result.put()
 xml = result.xml_content
+ # Add a poison line to prevent raw content from being served.
+ xml = "{[(< UNTRUSTED CONTENT >)]}\n" + xml
 return xml
 
 
 def app(environ, start_response):
- forms = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
+ headers = [
+ ("Content-Type", "text/plain")
+ ]
+ if environ["REQUEST_METHOD"] != "POST":
+ start_response("405 Method Not Allowed", headers)
+ return ["Storage only accepts POST".encode('utf-8')]
+
+ forms = cgi.FieldStorage(fp=environ["wsgi.input"], environ=environ)
 if "xml" in forms:
 out = xmlToKey(forms["xml"].value)
 elif "key" in forms:
@@ -92,8 +101,5 @@ def app(environ, start_response):
 else:
 out = ""
 
- headers = [
- ("Content-Type", "text/plain")
- ]
 start_response("200 OK", headers)
 return [out.encode("utf-8")]
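Review bot: The regex on the added `data.replace(...)` line uses `\<` and `\>`, which are identity escapes that JavaScript rejects as a SyntaxError as soon as the `u` flag is added and that do nothing here; a plain prefix check is clearer and keeps the marker literally identical to the server side, e.g. `const POISON = '{[(< UNTRUSTED CONTENT >)]}\n';` followed by `if (data.startsWith(POISON)) data = data.slice(POISON.length);`. Because the pattern is anchored with `^` and has no `m` flag, only a marker at the very start of the response is removed, which matches what storage.py prepends, so a comment such as `// Must match the poison line prepended by keyToXml in storage.py byte-for-byte.` would protect the next maintainer who edits either side. A response without the marker is passed to `loadXml_` unchanged, so the client tolerates an older server; if the marker is meant to be mandatory, nothing here enforces that. `BlocklyStorage.handleRequest_` begins before this hunk.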
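Review bot: The poison line prepended in `keyToXml` guards against stored XML being rendered when the storage URL is opened directly, but the new `headers` list in `app` still carries only `Content-Type: text/plain`, so the browser-side control that actually forbids MIME sniffing of that body is missing; add `("X-Content-Type-Options", "nosniff"),` next to it (and `("Content-Disposition", "attachment"),` if the payload should never be displayed inline). The new 405 branch should also send `Allow: POST`, which the HTTP specification requires on a 405 response. Separately, the rewritten `forms = cgi.FieldStorage(...)` line keeps the handler on the `cgi` module, which is deprecated since Python 3.11 and removed in 3.13 (PEP 594), so a replacement form parser will be needed before the runtime is upgraded. The body of `app` continues in the next hunk.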