Fixed #2416 - HTML sanitizer blocks email processing because of an endless loop.
This commit is contained in:
parent
cfc1bdbb45
commit
1c55fc0a56
2 changed files with 211 additions and 178 deletions
@ -1,5 +1,7 @@
class HtmlSanitizer
class HtmlSanitizer
LINKABLE_URL_SCHEMES = URI.scheme_list.keys.map(&:downcase) - ['mailto'] + ['tel']
LINKABLE_URL_SCHEMES = URI.scheme_list.keys.map(&:downcase) - ['mailto'] + ['tel']
PROCESSING_TIMEOUT = 10
UNPROCESSABLE_HTML_MSG = 'This message cannot be displayed due to HTML processing issues. Download the raw message below and open it via an Email client if you still wish to view it.'.freeze
=begin
=begin
@ -9,7 +11,8 @@ satinize html string based on whiltelist
=end
=end
def self.strict(string, external = false)
def self.strict(string, external = false, timeout: true)
Timeout.timeout(timeout ? PROCESSING_TIMEOUT : nil) do
@fqdn = Setting.get('fqdn')
@fqdn = Setting.get('fqdn')
# config
# config
@ -202,6 +205,9 @@ satinize html string based on whiltelist
Loofah.fragment(string).scrub!(scrubber_link).to_s
Loofah.fragment(string).scrub!(scrubber_link).to_s
end
end
rescue Timeout::Error => e
UNPROCESSABLE_HTML_MSG
end
=begin
=begin
@ -214,7 +220,8 @@ cleanup html string:
=end
=end
def self.cleanup(string)
def self.cleanup(string, timeout: true)
Timeout.timeout(timeout ? PROCESSING_TIMEOUT : nil) do
string.gsub!(/<[A-z]:[A-z]>/, '')
string.gsub!(/<[A-z]:[A-z]>/, '')
string.gsub!(%r{</[A-z]:[A-z]>}, '')
string.gsub!(%r{</[A-z]:[A-z]>}, '')
string.delete!("\t")
string.delete!("\t")
@ -230,6 +237,9 @@ cleanup html string:
string = cleanup_structure(string)
string = cleanup_structure(string)
string
string
end
end
rescue Timeout::Error => e
UNPROCESSABLE_HTML_MSG
end
def self.cleanup_replace_tags(string)
def self.cleanup_replace_tags(string)
#return string
#return string
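Review bot: `rescue Timeout::Error => e` in both `strict` and `cleanup` binds `e` without using it; write `rescue Timeout::Error` and put a line above each `UNPROCESSABLE_HTML_MSG` return such as `# Fail closed: on timeout return the fixed notice, never the unsanitized input.` Both method bodies are split across the hunks shown, so the full extent of each method-level rescue is not visible; as written it will also catch a `Timeout::Error` raised by any nested call that arms its own `PROCESSING_TIMEOUT`, so the effective bound for a caller that chains these methods is presumably a multiple of 10s rather than 10s. `Timeout.timeout` can only interrupt the block where the Ruby VM checks for pending interrupts, so if the loop behind #2416 sits inside a native parsing call (the Loofah/Nokogiri path on the `Loofah.fragment(...)` line) the timer may not fire until that call returns — worth confirming against the reproducer. In `cleanup`, the `gsub!`/`delete!` calls mutate the caller's string in place before the timer can fire, so on timeout the caller is left holding a partially processed string in addition to the returned message.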
@ -183,4 +183,27 @@ RSpec.describe HtmlSanitizer do
end
end
end
end
end
end
# Issue #2416 - html_sanitizer goes into loop for specific content
describe '.strict' do
context 'with strings that take a long time (>10s) to parse' do
before { allow(Timeout).to receive(:timeout).and_raise(Timeout::Error) }
it 'returns a timeout error message for the user' do
expect(HtmlSanitizer.strict(+'<img src="/some_one.png">', true))
.to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
end
end
end
describe '.cleanup' do
context 'with strings that take a long time (>10s) to parse' do
before { allow(Timeout).to receive(:timeout).and_raise(Timeout::Error) }
it 'returns a timeout error message for the user' do
expect(HtmlSanitizer.cleanup(+'<img src="/some_one.png">'))
.to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
end
end
end
end
end
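Review bot: `.to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)` in both new examples turns the string constant into a regexp, so every `.` in the message matches any character and the assertion is looser than it looks; `.to eq(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)` pins the exact fallback text. Because `Timeout.timeout` is stubbed to raise unconditionally, the examples cover only the rescue path; the new `timeout: false` option is not exercised, and an example that calls `strict(+'<img src="/some_one.png">', true, timeout: false)` while asserting `Timeout` receives `:timeout` with `nil` would cover it. Neither example uses the content from #2416 itself, so the loop the commit title names is not regression-tested here — presumably deliberate if no short reproducer exists, but a comment saying so would help the next reader.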