Browse Source

print in commands now automatically converts to string, untrusted partials cannot include beyond PWD.

pull/28/head
Jan Černohorský 2 years ago
parent
commit
bc45937d8e
  1. 4
      command.py
  2. 5
      transform.py

4
command.py

@ -68,10 +68,10 @@ def executeCommand(source, element: Element, ctx: Context) -> List[Element]:
if mode == 'elements': if mode == 'elements':
raise SyntaxError("Cannot use `print` and `appendChild` in one command at the same time.") raise SyntaxError("Cannot use `print` and `appendChild` in one command at the same time.")
mode = 'text' mode = 'text'
text += s text += str(s)
def println(s: str=""): def println(s: str=""):
print(s+"\n") print(str(s)+"\n")
def appendChild(e: Element): def appendChild(e: Element):
nonlocal mode, content nonlocal mode, content

5
transform.py

@ -57,6 +57,11 @@ def transform(e: Element, c: Context) -> Element:
if (isinstance(e, Div) and "partial" in e.attributes)\ if (isinstance(e, Div) and "partial" in e.attributes)\
or (isinstance(e, CodeBlock) and "markdown" in e.classes and "group" in e.classes): or (isinstance(e, CodeBlock) and "markdown" in e.classes and "group" in e.classes):
if isinstance(e, Div): if isinstance(e, Div):
if not c.trusted: # If we're in an untrusted context, we shouldn't allow inclusion of files outside the PWD.
full_path = os.path.abspath(c.dir + "/" + e.attributes["partial"])
pwd = os.path.abspath(".")
if os.path.commonpath([full_path, pwd]) != os.path.commonpath([pwd]):
return nullify(e)
text = open(c.dir + "/" + e.attributes["partial"], "r").read() text = open(c.dir + "/" + e.attributes["partial"], "r").read()
path = c.dir + "/" + e.attributes["partial"] path = c.dir + "/" + e.attributes["partial"]
else: else:

Loading…
Cancel
Save