CVE-2024-51483 - Fix for limiting access to file:// via source:file:///tmp/file.txt when using webdriver/playwright

2025-12-14 12:06:55 +00:00 · 2024-10-31 22:48:40 +01:00
parent 942625e1fb
commit 26d3a23e05
2 changed files with 8 additions and 4 deletions
--- a/changedetectionio/model/Watch.py
+++ b/changedetectionio/model/Watch.py
@@ -89,6 +89,10 @@ class model(watch_base):

        if ready_url.startswith('source:'):
            ready_url=ready_url.replace('source:', '')
+
+        # Also double check it after any Jinja2 formatting just incase
+        if not is_safe_url(ready_url):
+            return 'DISABLED'
        return ready_url

    def clear_watch(self):