From df2756faa391913cc9c310db19c43c453a076164 Mon Sep 17 00:00:00 2001
From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Wed, 16 Oct 2019 07:03:33 +0530
Subject: [PATCH] Sandboxed network requests must start with book/

---
 src/calibre/gui2/viewer/web_view.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/calibre/gui2/viewer/web_view.py b/src/calibre/gui2/viewer/web_view.py
index ba42a93f74..fba61844d5 100644
--- a/src/calibre/gui2/viewer/web_view.py
+++ b/src/calibre/gui2/viewer/web_view.py
@@ -40,6 +40,7 @@ try:
 except ImportError:
     import sip
 
+SANDBOX_HOST = FAKE_HOST.rpartition('.')[0] + '.sandbox'
 vprefs = JSONConfig('viewer-webengine')
 viewer_config_dir = os.path.join(config_dir, 'viewer')
 vprefs.defaults['session_data'] = {}
@@ -116,17 +117,21 @@ class UrlSchemeHandler(QWebEngineUrlSchemeHandler):
         QWebEngineUrlSchemeHandler.__init__(self, parent)
         self.mathjax_dir = P('mathjax', allow_user_override=False)
         self.mathjax_manifest = None
-        self.allowed_hosts = (FAKE_HOST, FAKE_HOST.rpartition('.')[0] + '.sandbox')
+        self.allowed_hosts = (FAKE_HOST, SANDBOX_HOST)
 
     def requestStarted(self, rq):
         if bytes(rq.requestMethod()) != b'GET':
             rq.fail(rq.RequestDenied)
             return
         url = rq.requestUrl()
-        if url.host() not in self.allowed_hosts or url.scheme() != FAKE_PROTOCOL:
+        host = url.host()
+        if host not in self.allowed_hosts or url.scheme() != FAKE_PROTOCOL:
             rq.fail(rq.UrlNotFound)
             return
         name = url.path()[1:]
+        if host == SANDBOX_HOST and not name.startswith('book/'):
+            rq.fail(rq.UrlNotFound)
+            return
         if name.startswith('book/'):
             name = name.partition('/')[2]
             if name == '__index__':