Mirrors/overte
3
0
Fork 0
mirror of https://github.com/overte-org/overte.git synced 2025-04-13 14:52:19 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixes bug where empty "" whitespace allows all scripts.

Browse source
This commit is contained in:
Kasen IO 2019-12-09 01:20:04 -05:00
parent fe66dc82f3
commit 2de388ab3b
1 changed files with 6 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
libraries/script-engine/src/ScriptEngine.cpp
View file

@ -2363,24 +2363,23 @@ void ScriptEngine::entityScriptContentAvailable(const EntityItemID& entityID, co
}
}
else {
// IF YOU FUCK UP, DELETE FROM HERE TO...
QList<QString> safeURLS = { "https://FAKEURL.t43wt4g4g44FAKE" };
safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts);
// ENTITY SCRIPT WHITELIST STARTS HERE
QList<QString> safeURLS = { "" };
safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").trimmed().split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts);
// PULL SAFEURLS FROM INTERFACE.JSON Settings
QVariant raw = Setting::Handle<QVariant>("private/settingsSafeURLS").get();
QStringList settingsSafeURLS = raw.toString().split(QRegExp("\\s*[,\r\n]+\\s*"));
QStringList settingsSafeURLS = raw.toString().trimmed().split(QRegExp("\\s*[,\r\n]+\\s*"), QString::SkipEmptyParts);
safeURLS += settingsSafeURLS;
// END PULL SAFEURLS FROM INTERFACE.JSON Settings
bool isInWhitelist = false; // assume unsafe
for (const auto& str : safeURLS) {
// qDebug() << "CHECKING" << entityID.toString() << scriptOrURL << "AGAINST" << str;
qCDebug(scriptengine) << "Script URL: " << scriptOrURL << "TESTING AGAINST" << str << "RESULTS IN"
<< scriptOrURL.startsWith(str);
if (scriptOrURL.startsWith(str)) {
if (!str.isEmpty() && scriptOrURL.startsWith(str)) {
isInWhitelist = true;
qCDebug(scriptengine) << "Script approved.";
break; // bail early since we found a match
@ -2410,7 +2409,7 @@ void ScriptEngine::entityScriptContentAvailable(const EntityItemID& entityID, co
exception = testConstructor;
}
}
// DELETE UP TO HERE, THEN UNCOMMENT BELOW.
// ENTITY SCRIPT WHITELIST ENDS HERE, uncomment below for original full disabling.
// qDebug() << "(disabled entity script)" << entityID.toString() << scriptOrURL;
// exception = makeError("UNSAFE_ENTITY_SCRIPTS == 0");