Cutlery/calibre
1
0
Fork 0
mirror of https://github.com/kovidgoyal/calibre.git synced 2025-07-09 03:04:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

Also restrict resources to root dir for txt input

Browse Source
This commit is contained in:
Kovid Goyal 2023-05-28 15:20:58 +05:30
parent d296547799
commit 71547e8a11
No known key found for this signature in database
GPG Key ID: 06BC317B515ACE7C
2 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/calibre/ebooks/conversion/plugins/html_input.py
View File

@ -86,7 +86,7 @@ class HTMLInput(InputFormatPlugin):
if hasattr(stream, 'name'): if hasattr(stream, 'name'):
basedir = os.path.dirname(stream.name) basedir = os.path.dirname(stream.name)
fname = os.path.basename(stream.name) fname = os.path.basename(stream.name)
self.root_dir_of_input = os.path.abspath(basedir) + os.sep self.root_dir_of_input = os.path.normcase(os.path.abspath(basedir) + os.sep)
if file_ext != 'opf': if file_ext != 'opf':
if opts.dont_package: if opts.dont_package:
@ -262,7 +262,7 @@ class HTMLInput(InputFormatPlugin):
if not link: if not link:
return None, None return None, None
link = os.path.abspath(os.path.realpath(link)) link = os.path.abspath(os.path.realpath(link))
if not link.startswith(self.root_dir_of_input): if not os.path.normcase(link).startswith(self.root_dir_of_input):
if not self.opts.allow_local_files_outside_root: if not self.opts.allow_local_files_outside_root:
self.log.warn('Not adding {} as it is outside the document root: {}'.format(link, self.root_dir_of_input)) self.log.warn('Not adding {} as it is outside the document root: {}'.format(link, self.root_dir_of_input))
return None, None return None, None

3
src/calibre/ebooks/conversion/plugins/txt_input.py
View File

@ -107,12 +107,13 @@ class TXTInput(InputFormatPlugin):
from html5_parser import parse from html5_parser import parse
root = parse(html) root = parse(html)
changed = False changed = False
base_dir = os.path.normcase(os.path.abspath(base_dir)) + os.sep
for img in root.xpath('//img[@src]'): for img in root.xpath('//img[@src]'):
src = img.get('src') src = img.get('src')
prefix = src.split(':', 1)[0].lower() prefix = src.split(':', 1)[0].lower()
if src and prefix not in ('file', 'http', 'https', 'ftp') and not os.path.isabs(src): if src and prefix not in ('file', 'http', 'https', 'ftp') and not os.path.isabs(src):
src = os.path.join(base_dir, src) src = os.path.join(base_dir, src)
if os.path.isfile(src) and os.access(src, os.R_OK): if os.path.normcase(src).startswith(base_dir) and os.path.isfile(src) and os.access(src, os.R_OK):
with open(src, 'rb') as f: with open(src, 'rb') as f:
data = f.read() data = f.read()
f = self.shift_file(os.path.basename(src), data) f = self.shift_file(os.path.basename(src), data)