Make sure that Markdown rendering really happened, if requested.

This is a security issue because it's where we escape HTML. (imported from commit 10dea1899eb6d7e0e40128ae1a4787abad38fa73)
2012-10-24 14:55:31 -04:00 · 2012-10-24 14:55:31 -04:00 · ab34200648
parent b30b5f396e
commit ab34200648
1 changed files with 16 additions and 2 deletions
--- a/zephyr/views.py
+++ b/zephyr/views.py
@ -368,10 +368,24 @@ def return_messages_immediately(request, user_profile, **kwargs):

    return None

+def send_with_safety_check(response, handler, apply_markdown=True, **kwargs):
+    # Make sure that Markdown rendering really happened, if requested.
+    # This is a security issue because it's where we escape HTML.
+    # c.f. ticket #64
+    #
+    # apply_markdown=True is the fail-safe default.
+    if apply_markdown:
+        for msg in response['messages']:
+            if msg['content_type'] != 'text/html':
+                handler.set_status(500)
+                handler.finish('Internal error: bad message format')
+                return
+    handler.finish(response)
+
 def get_updates_backend(request, user_profile, handler, **kwargs):
    resp = return_messages_immediately(request, user_profile, **kwargs)
    if resp is not None:
-        handler.finish(resp)
+        send_with_safety_check(resp, handler, **kwargs)
        return

    def cb(**cb_kwargs):
@ -382,7 +396,7 @@ def get_updates_backend(request, user_profile, handler, **kwargs):
            res = format_delayed_updates_response(request=request,
                                                  user_profile=user_profile,
                                                  **kwargs)
-            handler.finish(res)
+            send_with_safety_check(res, handler, **kwargs)
        except socket.error:
            pass