ignore support ticket attachments with hrefs hosted by anything other than the local 'file' app

2020-06-22 15:00:34 -04:00 · 2020-06-22 15:00:34 -04:00 · d373b9c290
parent a79a5f6a2d
commit d373b9c290
1 changed files with 2 additions and 3 deletions
--- a/www/support/ui.js
+++ b/www/support/ui.js
@ -179,8 +179,6 @@ define([
            }).on('change', function (e) {
                var files = Util.slice(e.target.files);
                files.forEach(function (file) {
-                    // XXX validate that the href is hosted on the same instance
-                    // use relative URLs or compare it against a list or allowed domains?
                    var ev = {};
                    ev.callback = function (data) {
                        var x, a;
@ -321,10 +319,11 @@ define([

        var attachments = (content.attachments || []).map(function (obj) {
            if (!obj || !obj.name || !obj.href) { return; }
+            // only support files explicitly beginning with /file/ so that users can't link outside of the instance
+            if (!/^\/file\//.test(obj.href)) { return; }
            var a = h('a', {
                href: '#'
            }, obj.name);
-            // XXX disallow remote URLs
            $(a).click(function (e) {
                e.preventDefault();
                ctx.common.openURL(obj.href);