From db398b7850782bd0942ffd58c2a3889d9f3ef8df Mon Sep 17 00:00:00 2001
From: Stephen Birarda
Date: Mon, 23 Jan 2017 13:36:02 -0800
Subject: [PATCH 1/3] check URL host for script whitelist, not startsWith
---
 libraries/entities/src/EntityTree.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libraries/entities/src/EntityTree.cpp b/libraries/entities/src/EntityTree.cpp
index 4796dda671..fdf95d2775 100644
--- a/libraries/entities/src/EntityTree.cpp
+++ b/libraries/entities/src/EntityTree.cpp
@@ -958,9 +958,12 @@ int EntityTree::processEditPacketData(ReceivedMessage& message, const unsigned c
 if (validEditPacket && !_entityScriptSourceWhitelist.isEmpty() && !properties.getScript().isEmpty()) {
 bool passedWhiteList = false;
- auto entityScript = properties.getScript();
+
+ // grab a URL representation of the entity script so we can check the host for this script
+ auto entityScriptURL = QUrl::fromUserInput(properties.getScript());
+
 for (const auto& whiteListedPrefix : _entityScriptSourceWhitelist) {
- if (entityScript.startsWith(whiteListedPrefix, Qt::CaseInsensitive)) {
+ if (entityScriptURL.host().compare(whiteListedPrefix, Qt::CaseInsensitive) == 0) {
 passedWhiteList = true;
 break;
 }
From 7362bf16c1d2b1be4e1ec9c5d56523f68afbad72 Mon Sep 17 00:00:00 2001
From: Stephen Birarda
Date: Mon, 23 Jan 2017 16:33:22 -0800
Subject: [PATCH 2/3] use isParentOf to check script whitelist, clarify description in settings
---
 domain-server/resources/describe-settings.json | 2 +-
 libraries/entities/src/EntityTree.cpp | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/domain-server/resources/describe-settings.json b/domain-server/resources/describe-settings.json
index c813ffc54c..0084e51239 100644
--- a/domain-server/resources/describe-settings.json
+++ b/domain-server/resources/describe-settings.json
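Review bot: In the EntityTree.cpp hunk of patch 1/3, the whitelist decision is made on `QUrl::fromUserInput(properties.getScript())`, a deliberately lenient parser that guesses a scheme for scheme-less input and turns absolute local paths into `file:` URLs, so the check validates a guess rather than the exact string the script loader later resolves (the loader is not visible here, so whether the two agree needs confirming). The parsed result is also used unchecked; I would only enter the `for` loop when `entityScriptURL.isValid() && !entityScriptURL.host().isEmpty()` and otherwise leave `passedWhiteList` false, and parse with the same routine the loader uses. The same `fromUserInput` call is kept unchanged by patches 2/3 and 3/3. The enclosing function starts and ends outside the hunk.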
@@ -1285,7 +1285,7 @@
 {
 "name": "entityScriptSourceWhitelist",
 "label": "Entity Scripts Allowed from:",
- "help": "The domains that entity scripts are allowed from. A comma separated list of domains that entity scripts are allowed from, if someone attempts to create and entity or edit an entity to have a different domain, it will be rejected. If left blank, any domain is allowed.",
+ "help": "Comma separated list of URLs (with optional paths) that entity scripts are allowed from. If someone attempts to create and entity or edit an entity to have a different domain, it will be rejected. If left blank, any domain is allowed.",
 "placeholder": "",
 "default": "",
 "advanced": true
diff --git a/libraries/entities/src/EntityTree.cpp b/libraries/entities/src/EntityTree.cpp
index fdf95d2775..a3f685f95f 100644
--- a/libraries/entities/src/EntityTree.cpp
+++ b/libraries/entities/src/EntityTree.cpp
@@ -963,7 +963,17 @@ int EntityTree::processEditPacketData(ReceivedMessage& message, const unsigned c
 auto entityScriptURL = QUrl::fromUserInput(properties.getScript());
 for (const auto& whiteListedPrefix : _entityScriptSourceWhitelist) {
- if (entityScriptURL.host().compare(whiteListedPrefix, Qt::CaseInsensitive) == 0) {
+ auto whiteListURL = QUrl::fromUserInput(whiteListedPrefix);
+
+ if (entityScriptURL.scheme() != whiteListURL.scheme()) {
+ // isParentOf will be false if the schemes are different, but
+ }
+
+ qDebug() << "Comparing" << entityScriptURL << "to" << whiteListURL;
+ qDebug() << whiteListURL.isParentOf(entityScriptURL);
+
+ // check if this script URL matches the whitelist domain and, optionally, is beneath the path
+ if (whiteListURL.isParentOf(entityScriptURL)) {
 passedWhiteList = true;
 break;
 }
From 9229a07f6a3f0ec34647535d3e1a0a93219272c0 Mon Sep 17 00:00:00 2001
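Review bot: In the EntityTree.cpp hunk of patch 2/3, each whitelist entry is re-parsed with `QUrl::fromUserInput(whiteListedPrefix)` inside the loop, once per entry for every edit packet that carries a script, and the parsed URL is used without an `isValid()` check. Parsing the entries once where `_entityScriptSourceWhitelist` is populated (outside this hunk) and dropping, with a log line, any entry that is invalid or has no host would keep a malformed setting from silently taking part in the comparison. The two `qDebug()` lines also print the client-supplied script URL once per entry on this packet path, and the `if (entityScriptURL.scheme() != whiteListURL.scheme())` block is empty with an unfinished comment; both look like leftovers that should not be merged. The enclosing function continues outside the hunk.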
From: Stephen Birarda
Date: Mon, 23 Jan 2017 16:46:59 -0800
Subject: [PATCH 3/3] avoid failing scheme check
---
 libraries/entities/src/EntityTree.cpp | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/libraries/entities/src/EntityTree.cpp b/libraries/entities/src/EntityTree.cpp
index a3f685f95f..75fd33bafb 100644
--- a/libraries/entities/src/EntityTree.cpp
+++ b/libraries/entities/src/EntityTree.cpp
@@ -965,15 +965,9 @@ int EntityTree::processEditPacketData(ReceivedMessage& message, const unsigned c
 for (const auto& whiteListedPrefix : _entityScriptSourceWhitelist) {
 auto whiteListURL = QUrl::fromUserInput(whiteListedPrefix);
- if (entityScriptURL.scheme() != whiteListURL.scheme()) {
- // isParentOf will be false if the schemes are different, but
- }
-
- qDebug() << "Comparing" << entityScriptURL << "to" << whiteListURL;
- qDebug() << whiteListURL.isParentOf(entityScriptURL);
-
 // check if this script URL matches the whitelist domain and, optionally, is beneath the path
- if (whiteListURL.isParentOf(entityScriptURL)) {
+ if (entityScriptURL.host().compare(whiteListURL.host(), Qt::CaseInsensitive) == 0 &&
+ entityScriptURL.path().startsWith(whiteListURL.path(), Qt::CaseInsensitive)) {
 passedWhiteList = true;
 break;
 }
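Review bot: The new condition treats the path as a raw string prefix, so an entry whose path is `/scripts` also admits `/scripts-other/...`, and a path containing `..` segments can satisfy the prefix while resolving outside the allowed directory; the comparison should run on paths normalized with `QUrl::NormalizePathSegments` and stop at a `/` boundary. An empty or unparseable whitelist entry yields an empty host and path, which would then match any script URL that also has no host, so such entries should be skipped. Scheme and port are no longer compared at all, which means an `https://` entry also allows plain `http://` from the same host, while the help text in patch 2/3 describes the entries as URLs; that relaxation deserves at least a comment here. A possible shape for the loop body follows; `entityScriptURL` is declared outside this hunk and the function continues past it.

```cpp
for (const auto& whiteListedPrefix : _entityScriptSourceWhitelist) {
    auto whiteListURL = QUrl::fromUserInput(whiteListedPrefix).adjusted(QUrl::NormalizePathSegments);

    // an empty or unparseable entry has no host; never let it match host-less script URLs
    if (whiteListURL.host().isEmpty()) {
        continue;
    }

    // compare normalized paths on a segment boundary, so "/scripts" does not admit "/scripts-other"
    auto scriptPath = entityScriptURL.adjusted(QUrl::NormalizePathSegments).path();
    auto allowedDir = whiteListURL.path();
    if (!allowedDir.endsWith('/')) {
        allowedDir += '/';
    }

    // scheme and port are intentionally not compared: the entry's scheme may have been guessed by fromUserInput
    if (entityScriptURL.host().compare(whiteListURL.host(), Qt::CaseInsensitive) == 0 &&
        (scriptPath.compare(whiteListURL.path(), Qt::CaseInsensitive) == 0 ||
         scriptPath.startsWith(allowedDir, Qt::CaseInsensitive))) {
        // … unchanged: passedWhiteList = true; break; …
```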