Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var SAFE_PROTOCOL_REGEX (#1359)

2025-11-27 20:03:28 +00:00 · 2023-01-29 11:12:06 +01:00
parent d47a25eb6d
commit f8e587c415
6 changed files with 99 additions and 33 deletions
--- a/changedetectionio/forms.py
+++ b/changedetectionio/forms.py
@@ -232,12 +232,17 @@ class validateURL(object):

    def __call__(self, form, field):
        import validators
+
        try:
            validators.url(field.data.strip())
        except validators.ValidationFailure:
            message = field.gettext('\'%s\' is not a valid URL.' % (field.data.strip()))
            raise ValidationError(message)

+        from .model.Watch import is_safe_url
+        if not is_safe_url(field.data):
+            raise ValidationError('Watch protocol is not permitted by SAFE_PROTOCOL_REGEX')
+

 class ValidateListRegex(object):
    """