From 82dc6d197ace627d69168ba18f917b77e17e834d Mon Sep 17 00:00:00 2001
From: Fluffy Jenkins
Date: Sat, 14 Dec 2019 03:02:13 +0000
Subject: [PATCH 1/2] New feature
---
interface/src/Application.cpp | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/interface/src/Application.cpp b/interface/src/Application.cpp
index 9c60139d06..783cb46dab 100644
--- a/interface/src/Application.cpp
+++ b/interface/src/Application.cpp
@@ -3182,13 +3182,37 @@ static const QUrl AUTHORIZED_EXTERNAL_QML_SOURCE { "https://content.highfidelity void Application::initializeUi() { + // Allow remote QML content from trusted sources ONLY { auto defaultUrlValidator = OffscreenQmlSurface::getUrlValidator(); - auto newValidator = [=](const QUrl& url)->bool { - if (AUTHORIZED_EXTERNAL_QML_SOURCE.isParentOf(url)) { - return true; + auto newValidator = [=](const QUrl& url) -> bool { + QString whitelistPrefix = "[WHITELIST ENTITY SCRIPTS]"; + QList safeURLS = { "" }; + safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").trimmed().split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts); + + // PULL SAFEURLS FROM INTERFACE.JSON Settings + + QVariant raw = Setting::Handle("private/settingsSafeURLS").get(); + QStringList settingsSafeURLS = raw.toString().trimmed().split(QRegExp("\\s*[,\r\n]+\\s*"), QString::SkipEmptyParts); + safeURLS += settingsSafeURLS; + + // END PULL SAFEURLS FROM INTERFACE.JSON Settings + + bool isInWhitelist = false; // assume unsafe + for (const auto& str : safeURLS) { + qDebug() << "url.toString().startsWith(str) = " << url.toString().startsWith(str); + qDebug() << "str.endsWith('.qml ') = " << str.endsWith(".qml"); + if (!str.isEmpty() && str.endsWith(".qml") && url.toString().endsWith(".qml") && + url.toString().startsWith(str)) { + qDebug() << "found matching url!" << url.host(); + isInWhitelist = true; + return true; + break; // bail early since we found a match + } } + + qDebug() << "no matching url :c" << url.host(); return defaultUrlValidator(url); }; OffscreenQmlSurface::setUrlValidator(newValidator); From 0f3e8d21016511695009049180856d314b621cb8 Mon Sep 17 00:00:00 2001 From: Fluffy Jenkins Date: Wed, 18 Dec 2019 20:08:20 +0000 Subject: [PATCH 2/2] Made requested changes --- interface/src/Application.cpp | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/interface/src/Application.cpp b/interface/src/Application.cpp index 783cb46dab..5aaae6986c 100644 
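Review bot: The whitelist test added in `newValidator` is a raw string comparison (`url.toString().startsWith(str)` plus two `.endsWith(".qml")` checks), so any URL that merely extends an entry and still ends in `.qml` is accepted; with a constructed entry `https://host.example/app.qml`, a URL that appends further path segments or a query string to it would pass as well. Because this validator decides which remote QML the client loads, I would compare parsed and normalized URLs for equality, something like `if (QUrl(str) == url.adjusted(QUrl::NormalizePathSegments | QUrl::RemoveQuery | QUrl::RemoveFragment)) { return true; }`, and reject entries whose scheme is not `https`. The entries come from the `EXTRA_WHITELIST` environment variable and the `private/settingsSafeURLS` setting and are re-read and re-split on every call; parsing them once outside the lambda, with a comment stating who is expected to be able to write that setting, would make the trust boundary explicit. `whitelistPrefix` is never used and `safeURLS` is seeded with an empty string that the loop then has to skip. The same comparison is left unchanged by the second hunk of PATCH 2/2, and the body of `initializeUi()` continues outside this hunk.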
--- a/interface/src/Application.cpp +++ b/interface/src/Application.cpp @@ -3182,7 +3182,6 @@ static const QUrl AUTHORIZED_EXTERNAL_QML_SOURCE { "https://content.highfidelity void Application::initializeUi() { - // Allow remote QML content from trusted sources ONLY { auto defaultUrlValidator = OffscreenQmlSurface::getUrlValidator(); @@ -3201,18 +3200,15 @@ void Application::initializeUi() { bool isInWhitelist = false; // assume unsafe for (const auto& str : safeURLS) { - qDebug() << "url.toString().startsWith(str) = " << url.toString().startsWith(str); - qDebug() << "str.endsWith('.qml ') = " << str.endsWith(".qml"); if (!str.isEmpty() && str.endsWith(".qml") && url.toString().endsWith(".qml") && url.toString().startsWith(str)) { - qDebug() << "found matching url!" << url.host(); + qCDebug(interfaceapp) << "Found matching url!" << url.host(); isInWhitelist = true; return true; - break; // bail early since we found a match } } - qDebug() << "no matching url :c" << url.host(); + qCDebug(interfaceapp) << "No matching url" << url.host(); return defaultUrlValidator(url); }; OffscreenQmlSurface::setUrlValidator(newValidator);
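Review bot: The `qCDebug(interfaceapp)` lines introduced in the loop hunk record only `url.host()`, so a whitelist hit that allows remote QML to load leaves no record of the full URL or of the entry that matched, and nothing at all unless debug output is enabled. I would log the allow decision with both values at info level, e.g. `qCInfo(interfaceapp) << "Remote QML allowed by whitelist entry" << str << "for" << url.toDisplayString();`. With the `break` gone, `isInWhitelist` is still assigned immediately before `return true;` and never read, so the variable and its assignment can be removed. The lambda starts above this hunk.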