From 3a89718664cb8cce0449d1758eee585ed0d0433c Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Wed, 21 Dec 2016 17:59:00 +0530
Subject: [PATCH] E-book viewer: Prevent javascript in the book from accessing files on the computer using XMLHttpRequest. Fixes #1651728 [Private bug](https://bugs.launchpad.net/calibre/+bug/1651728)
---
 src/calibre/gui2/tweak_book/preview.py | 2 ++
 src/calibre/gui2/viewer/documentview.py | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/calibre/gui2/tweak_book/preview.py b/src/calibre/gui2/tweak_book/preview.py
index c7dff003e8..595fb800fd 100644
--- a/src/calibre/gui2/tweak_book/preview.py
+++ b/src/calibre/gui2/tweak_book/preview.py
@@ -145,6 +145,7 @@ class ParseWorker(Thread):
 def is_alive(self):
 return Thread.is_alive(self) or (hasattr(self, 'worker') and self.worker.is_alive())
+
 parse_worker = ParseWorker()
 # }}}
@@ -280,6 +281,7 @@ class WebPage(QWebPage):
 settings.setAttribute(settings.PrivateBrowsingEnabled, True)
 settings.setAttribute(settings.JavascriptCanOpenWindows, False)
 settings.setAttribute(settings.JavascriptCanAccessClipboard, False)
+ settings.setAttribute(settings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
 settings.setAttribute(settings.LinksIncludedInFocusChain, False)
 settings.setAttribute(settings.DeveloperExtrasEnabled, True)
 settings.setDefaultTextEncoding('utf-8')
diff --git a/src/calibre/gui2/viewer/documentview.py b/src/calibre/gui2/viewer/documentview.py
index d96c1166ca..a45ff8962b 100644
--- a/src/calibre/gui2/viewer/documentview.py
+++ b/src/calibre/gui2/viewer/documentview.py
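Review bot: The trailing comment on the added `LocalContentCanAccessFileUrls` line in `WebPage` (repeated on the matching line in `apply_basic_settings` in documentview.py) promises more than a single attribute can guarantee. The attribute controls whether a locally loaded document may read other file: URLs, which is what stops the XMLHttpRequest case named in the commit message, so I would word it as `# locally loaded book content may not read other file:// URLs (blocks XMLHttpRequest to local files)`. The same hardening list is kept separately in preview.py and documentview.py, so a shared helper that both call would stop a future setting from being applied to one view and missed in the other. Any other page object that renders book-supplied HTML is not visible in this patch and should be checked for the same attribute. The `WebPage` setup starts and ends outside the hunk.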
@@ -53,6 +53,7 @@ def apply_basic_settings(settings):
 settings.setAttribute(QWebSettings.PluginsEnabled, False)
 settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
 settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
+ settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
 # PrivateBrowsing disables console messages
 # settings.setAttribute(QWebSettings.PrivateBrowsingEnabled, True)
 settings.setAttribute(QWebSettings.NotificationsEnabled, False)
@@ -1435,5 +1436,3 @@ class DocumentView(QWebView): # {{{
 self.link_clicked(qurl)
 # }}}
-
-
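Review bot: In `apply_basic_settings` the new line closes off file-URL reads, but nothing visible in the hunk sets the companion attribute `LocalContentCanAccessRemoteUrls`, so whether book script can reach the network appears to rest on the QtWebKit default or on a line outside the hunk. Pinning it next to the new line with `settings.setAttribute(QWebSettings.LocalContentCanAccessRemoteUrls, False)` would make the viewer's policy for untrusted book content explicit and independent of library defaults. The fix also ships without a regression test; one that loads a local HTML page in the viewer's page object and asserts that an XMLHttpRequest to a file URL fails would catch a later refactor dropping the attribute. The function body continues outside the hunk.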