From 2d3009ccb123bb34bf0d8b8b516a15c05240bf03 Mon Sep 17 00:00:00 2001
From: "Sean B. Palmer"
Date: Mon, 5 Sep 2011 17:46:17 +0100
Subject: Attempt to patch a possible message injection hole.
---
 modules/head.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'modules/head.py')
diff --git a/modules/head.py b/modules/head.py
index 1008628..66e9eef 100755
--- a/modules/head.py
+++ b/modules/head.py
@@ -83,6 +83,18 @@ def f_title(self, origin, match, args):
 uri = 'http://' + uri
 uri = uri.replace('#!', '?_escaped_fragment_=')

+ localhost = [
+ 'http://localhost/', 'http://localhost:80/',
+ 'http://localhost:8080/', 'http://127.0.0.1/',
+ 'http://127.0.0.1:80/', 'http://127.0.0.1:8080/',
+ 'https://localhost/', 'https://localhost:80/',
+ 'https://localhost:8080/', 'https://127.0.0.1/',
+ 'https://127.0.0.1:80/', 'https://127.0.0.1:8080/',
+ ]
+ for s in localhost:
+ if uri.startswith(s):
+ return phenny.reply('Sorry, access forbidden.')
+
 try:
 redirects = 0
 while True:
--
cgit v1.2.3-1-g7c22
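Review bot: The `localhost` check is a `startswith` match against twelve literal URL strings, so it covers only the exact spellings and the two ports listed; any other way of naming the loopback host, or any other port, still reaches the fetch. Comparing the parsed host rather than the raw string would be tighter, for example `host = urlparse.urlparse(uri).hostname` followed by `if host in ('localhost', '127.0.0.1'):` (assuming `urlparse` is available in this module), and checking the resolved address rather than the name would be stronger still. The check also runs once, before the `while True:` redirect loop whose body lies outside this hunk, so a redirect target is presumably never re-checked. Separately, the hunk header shows `f_title(self, origin, match, args)` with no `phenny` parameter, so unless `phenny` is a module-level name, the `return phenny.reply(...)` line raises NameError instead of sending the refusal.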