From 965352c8d96c9eae7a6867ff76b0db137d04b0b8 Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Sat, 26 Feb 2022 08:05:35 +0100
Subject: [PATCH] Don't allow redirects on cover uploads, catch more addresses which resolve to localhost
---
 cps/helper.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cps/helper.py b/cps/helper.py
index b5495930..c162f7ee 100644
--- a/cps/helper.py
+++ b/cps/helper.py
@@ -734,10 +734,10 @@ def save_cover_from_url(url, book_path):
 if not cli.allow_localhost:
 # 127.0.x.x, localhost, [::1], [::ffff:7f00:1]
 ip = socket.getaddrinfo(urlparse(url).hostname, 0)[0][4][0]
- if ip.startswith("127.") or ip.startswith('::ffff:7f') or ip == "::1":
+ if ip.startswith("127.") or ip.startswith('::ffff:7f') or ip == "::1" or ip == "0.0.0.0" or ip == "::":
 log.error("Localhost was accessed for cover upload")
 return False, _("You are not allowed to access localhost for cover uploads")
- img = requests.get(url, timeout=(10, 200)) # ToDo: Error Handling
+ img = requests.get(url, timeout=(10, 200), allow_redirects=False) # ToDo: Error Handling
 img.raise_for_status()
 return save_cover(img, book_path)
 except (socket.gaierror,
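Review bot: With `allow_redirects=False` a 3xx reply is now returned as `img` instead of being followed, but `img.raise_for_status()` only raises for 4xx/5xx, so a redirect response (usually an empty or HTML body) falls straight through to `save_cover(img, book_path)`; an explicit `if img.is_redirect:` failure is needed before that call. The localhost check above it also inspects only `getaddrinfo(...)[0]`, while a name may resolve to several addresses of which only a later one is loopback, and the `startswith('::ffff:7f')` test only matches the hex spelling of a v4-mapped loopback address; iterating every result and classifying it with `ipaddress.ip_address` (stdlib, would need an import at the top of cps/helper.py) covers both, as sketched below (the redirect message is a new translatable string). Even then, requests resolves the hostname a second time, so a name whose answer differs between the two lookups is not caught by this check — worth a comment on the line so the residual risk is visible. save_cover_from_url starts and ends outside this hunk.
```python
            # classify every resolved address, not just the first; note requests
            # resolves the name again, so this is a best-effort filter
            for info in socket.getaddrinfo(urlparse(url).hostname, 0):
                addr = ipaddress.ip_address(info[4][0].split('%')[0])  # drop any IPv6 scope id
                mapped = getattr(addr, "ipv4_mapped", None)
                if addr.is_loopback or addr.is_unspecified or (
                        mapped is not None and (mapped.is_loopback or mapped.is_unspecified)):
                    log.error("Localhost was accessed for cover upload")
                    return False, _("You are not allowed to access localhost for cover uploads")
        img = requests.get(url, timeout=(10, 200), allow_redirects=False)  # ToDo: Error Handling
        if img.is_redirect:
            log.error("Redirect on cover upload was refused")
            return False, _("Redirects are not allowed for cover uploads")
        # … unchanged: raise_for_status() and save_cover() …
```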