Commit 0cdee596 authored by Cecylia Bocovich's avatar Cecylia Bocovich
Browse files

Filter user-requested language input

There was an HTML injection attack made possible by the fact that we
were including the unsanitized language inputs in the HTML page
returned to the user. This change filters any user-requested languages
(either from the Accept-Language header or the "lang" parameter) and
only includes languages supported by BridgeDB.
parent fc067e84
......@@ -405,12 +405,17 @@ class TranslatedTemplateResource(CustomErrorHandlingResource, CSPResource):
langs = translations.getLocaleFromHTTPRequest(request)
rtl = translations.usingRTLLang(langs)
template = lookup.get_template(self.template)
rendered = template.render(strings,
if langs:
rendered = template.render(strings,
getSortedLangList(),
rtl=rtl,
lang=langs[0],
langOverride=translations.isLangOverridden(request),
showFaq=self.showFaq)
else:
rendered = template.render(strings,
getSortedLangList(),
showFaq=self.showFaq)
except Exception as err: # pragma: no cover
rendered = replaceErrorPage(request, err)
request.setHeader("Content-Type", "text/html; charset=utf-8")
......@@ -539,13 +544,19 @@ class CaptchaProtectedResource(CustomErrorHandlingResource, CSPResource):
# TODO: this does not work for versions of IE < 8.0
imgstr = b'data:image/jpeg;base64,%s' % base64.b64encode(image)
template = lookup.get_template('captcha.html')
rendered = template.render(strings,
if langs:
rendered = template.render(strings,
getSortedLangList(),
rtl=rtl,
lang=langs[0],
langOverride=translations.isLangOverridden(request),
imgstr=imgstr.decode("utf-8"),
challenge_field=challenge)
else:
rendered = template.render(strings,
getSortedLangList(),
imgstr=imgstr.decode("utf-8"),
challenge_field=challenge)
except Exception as err:
rendered = replaceErrorPage(request, err, 'captcha.html')
......@@ -1084,13 +1095,19 @@ class BridgesResource(CustomErrorHandlingResource, CSPResource):
langs = translations.getLocaleFromHTTPRequest(request)
rtl = translations.usingRTLLang(langs)
template = lookup.get_template('bridges.html')
rendered = template.render(strings,
if langs:
rendered = template.render(strings,
getSortedLangList(),
rtl=rtl,
lang=langs[0],
langOverride=translations.isLangOverridden(request),
answer=bridgeLines,
qrcode=qrcode)
else:
rendered = template.render(strings,
getSortedLangList(),
answer=bridgeLines,
qrcode=qrcode)
except Exception as err:
rendered = replaceErrorPage(request, err)
......
......@@ -94,6 +94,7 @@ def getLocaleFromHTTPRequest(request):
langs = list(map(lambda l: l if isinstance(l, str) else l.decode('utf-8'), langs))
langs = filterRequestedLangs(langs)
installTranslations(langs)
return langs
......@@ -110,6 +111,22 @@ def getLocaleFromPlusAddr(address):
return replyLocale
def filterRequestedLangs(langs):
"""
Filters user-requested languages to only include those supported
by BridgeDB.
:type list
:param langs: A list of user-requested languages for translation
:rtype: list
:returns: All requested languages that are supported by BridgeDB
"""
supported_langs = getSupportedLangs()
valid_langs = list()
for l in langs:
if l in supported_langs:
valid_langs.append(l)
return valid_langs
def installTranslations(langs):
"""Create a ``gettext.translation`` chain for all **langs**.
......@@ -125,11 +142,11 @@ def installTranslations(langs):
"""
try:
language = gettext.translation("bridgedb", localedir=TRANSLATIONS_DIR,
languages=langs, fallback=True)
for lang in langs:
languages=[langs[0]], fallback=True)
for lang in langs[1:]:
language.add_fallback(
gettext.translation("bridgedb", localedir=TRANSLATIONS_DIR,
languages=langs, fallback=True))
languages=[lang], fallback=True))
except IOError as error:
logging.error(str(error))
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment