Mirrors/overte
3
0
Fork 0
mirror of https://github.com/overte-org/overte.git synced 2025-04-11 13:42:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge pull request #16 from FluffyJenkins/feature/qmlWhitelistMeow

Browse source 
QML Whitelisting
This commit is contained in:
kasenvr 2019-12-30 19:51:51 -05:00 committed by GitHub
commit 1d14bed3ce
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
interface/src/Application.cpp
View file

@ -3202,10 +3202,30 @@ void Application::initializeUi() {
// Allow remote QML content from trusted sources ONLY
{
auto defaultUrlValidator = OffscreenQmlSurface::getUrlValidator();
auto newValidator = [=](const QUrl& url)->bool {
if (AUTHORIZED_EXTERNAL_QML_SOURCE.isParentOf(url)) {
return true;
auto newValidator = [=](const QUrl& url) -> bool {
QString whitelistPrefix = "[WHITELIST ENTITY SCRIPTS]";
QList<QString> safeURLS = { "" };
safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").trimmed().split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts);
// PULL SAFEURLS FROM INTERFACE.JSON Settings
QVariant raw = Setting::Handle<QVariant>("private/settingsSafeURLS").get();
QStringList settingsSafeURLS = raw.toString().trimmed().split(QRegExp("\\s*[,\r\n]+\\s*"), QString::SkipEmptyParts);
safeURLS += settingsSafeURLS;
// END PULL SAFEURLS FROM INTERFACE.JSON Settings
bool isInWhitelist = false; // assume unsafe
for (const auto& str : safeURLS) {
if (!str.isEmpty() && str.endsWith(".qml") && url.toString().endsWith(".qml") &&
url.toString().startsWith(str)) {
qCDebug(interfaceapp) << "Found matching url!" << url.host();
isInWhitelist = true;
return true;
}
}
qCDebug(interfaceapp) << "No matching url" << url.host();
return defaultUrlValidator(url);
};
OffscreenQmlSurface::setUrlValidator(newValidator);