Attempt to patch a possible message injection hole.

author: Sean B. Palmer <sbp@aldebaran.local> 2011-09-05 17:46:17 +0100
committer: Sean B. Palmer <sbp@aldebaran.local> 2011-09-05 17:46:17 +0100
commit: 2d3009ccb123bb34bf0d8b8b516a15c05240bf03 (patch)
tree: 28029457224da9cd91187e17f8b90cff5cb2de57 /modules/head.py
parent: 66edd833726d0a14400df65311999b1496b9f8cb (diff)
download: bot-2d3009ccb123bb34bf0d8b8b516a15c05240bf03.tar.gz
bot-2d3009ccb123bb34bf0d8b8b516a15c05240bf03.tar.bz2
bot-2d3009ccb123bb34bf0d8b8b516a15c05240bf03.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/head.py b/modules/head.py
index 1008628..66e9eef 100755
--- a/modules/head.py
+++ b/modules/head.py
@@ -83,6 +83,18 @@ def f_title(self, origin, match, args):
       uri = 'http://' + uri
    uri = uri.replace('#!', '?_escaped_fragment_=')
 
+   localhost = [
+      'http://localhost/', 'http://localhost:80/', 
+      'http://localhost:8080/', 'http://127.0.0.1/', 
+      'http://127.0.0.1:80/', 'http://127.0.0.1:8080/', 
+      'https://localhost/', 'https://localhost:80/', 
+      'https://localhost:8080/', 'https://127.0.0.1/', 
+      'https://127.0.0.1:80/', 'https://127.0.0.1:8080/', 
+   ]
+   for s in localhost: 
+      if uri.startswith(s): 
+         return phenny.reply('Sorry, access forbidden.')
+
    try: 
       redirects = 0
       while True:
author	Sean B. Palmer <sbp@aldebaran.local>	2011-09-05 17:46:17 +0100
committer	Sean B. Palmer <sbp@aldebaran.local>	2011-09-05 17:46:17 +0100
commit	2d3009ccb123bb34bf0d8b8b516a15c05240bf03 (patch)
tree	28029457224da9cd91187e17f8b90cff5cb2de57 /modules/head.py
parent	66edd833726d0a14400df65311999b1496b9f8cb (diff)
download	bot-2d3009ccb123bb34bf0d8b8b516a15c05240bf03.tar.gz bot-2d3009ccb123bb34bf0d8b8b516a15c05240bf03.tar.bz2 bot-2d3009ccb123bb34bf0d8b8b516a15c05240bf03.zip