Diffstat (limited to 'app-text/calibre/files/0001-HTML-Input-Dont-add-resources-that-exist-outside-the.patch')
-rw-r--r--app-text/calibre/files/0001-HTML-Input-Dont-add-resources-that-exist-outside-the.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/app-text/calibre/files/0001-HTML-Input-Dont-add-resources-that-exist-outside-the.patch b/app-text/calibre/files/0001-HTML-Input-Dont-add-resources-that-exist-outside-the.patch
new file mode 100644
index 000000000000..f33fd3345e27
--- /dev/null
+++ b/app-text/calibre/files/0001-HTML-Input-Dont-add-resources-that-exist-outside-the.patch
@@ -0,0 +1,55 @@
+From 57190699030dc6746320e49695a67ce83c62d549 Mon Sep 17 00:00:00 2001
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Sun, 28 May 2023 14:03:15 +0530
+Subject: [PATCH] HTML Input: Dont add resources that exist outside the folder
+ hierarchy rooted at the parent folder of the input HTML file by default
+
+(cherry picked from commit bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b)
+---
+ .../ebooks/conversion/plugins/html_input.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/html_input.py b/src/calibre/ebooks/conversion/plugins/html_input.py
+index 6f9c2084ea..742f3e0279 100644
+--- a/src/calibre/ebooks/conversion/plugins/html_input.py
++++ b/src/calibre/ebooks/conversion/plugins/html_input.py
+@@ -64,6 +64,16 @@ class HTMLInput(InputFormatPlugin):
+ )
+ ),
+
++ OptionRecommendation(name='allow_local_files_outside_root',
++ recommended_value=False, level=OptionRecommendation.LOW,
++ help=_('Normally, resources linked to by the HTML file or its children will only be allowed'
++ ' if they are in a sub-folder of the original HTML file. This option allows including'
++ ' local files from any location on your computer. This can be a security risk if you'
++ ' are converting untrusted HTML and expecting to distribute the result of the conversion.'
++ )
++ ),
++
++
+ }
+
+ def convert(self, stream, opts, file_ext, log,
+@@ -76,6 +86,7 @@ def convert(self, stream, opts, file_ext, log,
+ if hasattr(stream, 'name'):
+ basedir = os.path.dirname(stream.name)
+ fname = os.path.basename(stream.name)
++ self.root_dir_of_input = os.path.abspath(basedir) + os.sep
+
+ if file_ext != 'opf':
+ if opts.dont_package:
+@@ -250,6 +261,11 @@ def link_to_local_path(self, link_, base=None):
+ frag = l.fragment
+ if not link:
+ return None, None
++ link = os.path.abspath(os.path.realpath(link))
++ if not link.startswith(self.root_dir_of_input):
++ if not self.opts.allow_local_files_outside_root:
++ self.log.warn('Not adding {} as it is outside the document root: {}'.format(link, self.root_dir_of_input))
++ return None, None
+ return link, frag
+
+ def resource_adder(self, link_, base=None):
+--
+2.41.0
+
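Review bot: The root prefix built at `self.root_dir_of_input = os.path.abspath(basedir) + os.sep` is not symlink-resolved, while the candidate at `link = os.path.abspath(os.path.realpath(link))` is, so when the input HTML lives under a symlinked directory the resolved link will not start with the unresolved root and every in-tree resource is refused; resolving the root the same way, `self.root_dir_of_input = os.path.realpath(os.path.abspath(basedir)) + os.sep`, keeps the two sides comparable and still rejects symlinks that escape the tree. The attribute is also assigned only inside the `if hasattr(stream, 'name'):` branch, so unless the else branch (outside this hunk) sets it, a stream without a name reaches the `startswith` check with no `root_dir_of_input` and fails with AttributeError instead of a deliberate decision; a class-level default of `None` with the check failing closed when it is unset would make that explicit. Whether `link` is already absolute at the point `os.path.realpath(link)` is applied cannot be seen here; if it can still be relative, realpath resolves it against the process working directory rather than `base`. Both `convert` and `link_to_local_path` start before and continue past their hunks.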