[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [bridgedb/main] Filter user-requested language input



commit 0cdee596d91b7576a95f69fff0a6af0fb46b774f
Author: Cecylia Bocovich <cohosh@xxxxxxxxxxxxxx>
Date:   Mon May 31 12:48:59 2021 -0400

    Filter user-requested language input
    
    There was an HTML injection attack made possible by the fact that we
    were including the unsanitized language inputs in the HTML page
    returned to the user. This change filters any user-requested languages
    (either from the Accept-Language header or the "lang" parameter) and
    only includes languages supported by BridgeDB.
---
 bridgedb/distributors/https/server.py | 23 ++++++++++++++++++++---
 bridgedb/translations.py              | 23 ++++++++++++++++++++---
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/bridgedb/distributors/https/server.py b/bridgedb/distributors/https/server.py
index fd3fc74..6310e75 100644
--- a/bridgedb/distributors/https/server.py
+++ b/bridgedb/distributors/https/server.py
@@ -405,12 +405,17 @@ class TranslatedTemplateResource(CustomErrorHandlingResource, CSPResource):
             langs = translations.getLocaleFromHTTPRequest(request)
             rtl = translations.usingRTLLang(langs)
             template = lookup.get_template(self.template)
-            rendered = template.render(strings,
+            if langs:
+                rendered = template.render(strings,
                                        getSortedLangList(),
                                        rtl=rtl,
                                        lang=langs[0],
                                        langOverride=translations.isLangOverridden(request),
                                        showFaq=self.showFaq)
+            else:
+                rendered = template.render(strings,
+                                       getSortedLangList(),
+                                       showFaq=self.showFaq)
         except Exception as err:  # pragma: no cover
             rendered = replaceErrorPage(request, err)
         request.setHeader("Content-Type", "text/html; charset=utf-8")
@@ -539,13 +544,19 @@ class CaptchaProtectedResource(CustomErrorHandlingResource, CSPResource):
             # TODO: this does not work for versions of IE < 8.0
             imgstr = b'data:image/jpeg;base64,%s' % base64.b64encode(image)
             template = lookup.get_template('captcha.html')
-            rendered = template.render(strings,
+            if langs:
+                rendered = template.render(strings,
                                        getSortedLangList(),
                                        rtl=rtl,
                                        lang=langs[0],
                                        langOverride=translations.isLangOverridden(request),
                                        imgstr=imgstr.decode("utf-8"),
                                        challenge_field=challenge)
+            else:
+                rendered = template.render(strings,
+                                       getSortedLangList(),
+                                       imgstr=imgstr.decode("utf-8"),
+                                       challenge_field=challenge)
         except Exception as err:
             rendered = replaceErrorPage(request, err, 'captcha.html')
 
@@ -1084,13 +1095,19 @@ class BridgesResource(CustomErrorHandlingResource, CSPResource):
                 langs = translations.getLocaleFromHTTPRequest(request)
                 rtl = translations.usingRTLLang(langs)
                 template = lookup.get_template('bridges.html')
-                rendered = template.render(strings,
+                if langs:
+                    rendered = template.render(strings,
                                            getSortedLangList(),
                                            rtl=rtl,
                                            lang=langs[0],
                                            langOverride=translations.isLangOverridden(request),
                                            answer=bridgeLines,
                                            qrcode=qrcode)
+                else:
+                    rendered = template.render(strings,
+                                           getSortedLangList(),
+                                           answer=bridgeLines,
+                                           qrcode=qrcode)
             except Exception as err:
                 rendered = replaceErrorPage(request, err)
 
diff --git a/bridgedb/translations.py b/bridgedb/translations.py
index b6a9ef3..7569ee7 100644
--- a/bridgedb/translations.py
+++ b/bridgedb/translations.py
@@ -94,6 +94,7 @@ def getLocaleFromHTTPRequest(request):
 
     langs = list(map(lambda l: l if isinstance(l, str) else l.decode('utf-8'), langs))
 
+    langs = filterRequestedLangs(langs)
     installTranslations(langs)
     return langs
 
@@ -110,6 +111,22 @@ def getLocaleFromPlusAddr(address):
 
     return replyLocale
 
+def filterRequestedLangs(langs):
+    """
+    Filters user-requested languages to only include those supported
+    by BridgeDB.
+    :type list
+    :param langs: A list of user-requested languages for translation
+    :rtype: list
+    :returns: All requested languages that are supported by BridgeDB
+    """
+    supported_langs = getSupportedLangs()
+    valid_langs = list()
+    for l in langs:
+        if l in supported_langs:
+            valid_langs.append(l)
+    return valid_langs
+
 def installTranslations(langs):
     """Create a ``gettext.translation`` chain for all **langs**.
 
@@ -125,11 +142,11 @@ def installTranslations(langs):
     """
     try:
         language = gettext.translation("bridgedb", localedir=TRANSLATIONS_DIR,
-                                       languages=langs, fallback=True)
-        for lang in langs:
+                                       languages=[langs[0]], fallback=True)
+        for lang in langs[1:]:
             language.add_fallback(
                 gettext.translation("bridgedb", localedir=TRANSLATIONS_DIR,
-                                    languages=langs, fallback=True))
+                                    languages=[lang], fallback=True))
     except IOError as error:
         logging.error(str(error))
 



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits