From bc45937d8eab0ecf5038c1587d8c70e3d6f23f5d Mon Sep 17 00:00:00 2001
From: Greenscreener
Date: Mon, 20 Feb 2023 00:58:22 +0100
Subject: [PATCH] print in commands now automatically converts to string, untrusted partials cannot include beyond PWD.

---
 command.py | 4 ++--
 transform.py | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/command.py b/command.py
index 1128a17..4e89390 100644
--- a/command.py
+++ b/command.py
@@ -68,10 +68,10 @@ def executeCommand(source, element: Element, ctx: Context) -> List[Element]:
         if mode == 'elements':
             raise SyntaxError("Cannot use `print` and `appendChild` in one command at the same time.")
         mode = 'text'
-        text += s
+        text += str(s)
 
     def println(s: str=""):
-        print(s+"\n")
+        print(str(s)+"\n")
 
     def appendChild(e: Element):
         nonlocal mode, content
diff --git a/transform.py b/transform.py
index b13f565..c9ada1c 100644
--- a/transform.py
+++ b/transform.py
@@ -57,6 +57,11 @@ def transform(e: Element, c: Context) -> Element:
     if (isinstance(e, Div) and "partial" in e.attributes)\
         or (isinstance(e, CodeBlock) and "markdown" in e.classes and "group" in e.classes):
         if isinstance(e, Div):
+            if not c.trusted: # If we're in an untrusted context, we shouldn't allow inclusion of files outside the PWD.
+                full_path = os.path.abspath(c.dir + "/" + e.attributes["partial"])
+                pwd = os.path.abspath(".")
+                if os.path.commonpath([full_path, pwd]) != os.path.commonpath([pwd]):
+                    return nullify(e)
             text = open(c.dir + "/" + e.attributes["partial"], "r").read()
             path = c.dir + "/" + e.attributes["partial"]
         else:
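Review bot: The `s: str` annotation on `println` (and, presumably, on the nested `print` whose tail forms the top of the hunk) no longer describes what the function accepts now that the body coerces with `str(s)`; change it to `def println(s: object = ""):` so the signature matches the new behaviour, and add a one-line docstring such as `"""Append str(s) followed by a newline to the command's text output."""`. The `print` that `println` calls appears to be the nested function defined above the hunk, not the builtin, which is worth a short comment because the shadowing is easy to miss. The definition of that nested `print`, and of `executeCommand`, begins above the hunk.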
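Review bot: The containment check on the new lines uses `os.path.abspath`, which normalises `..` but does not resolve symlinks, so a symlink inside the working directory that points elsewhere (or a `c.dir` that is itself a symlink) passes the check while the `open` on the following line reads outside it; resolve both sides and open the path you actually checked: `full_path = os.path.realpath(c.dir + "/" + e.attributes["partial"])`, `pwd = os.path.realpath(".")`, `if os.path.commonpath([full_path, pwd]) != pwd:`, then `open(full_path, "r")` in place of re-joining the unresolved string. `os.path.commonpath` raises `ValueError` when the two paths sit on different Windows drives; if that platform matters, catch it and treat it as "outside". Anchoring the boundary on the process working directory rather than a configured document root means the reachable file set depends on where the tool is launched from, which deserves a comment on the `if not c.trusted:` line, e.g. `# Trust boundary is the CWD at invocation time, not the document's directory.`. `transform` begins above the hunk and continues past it.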