stricter security test

2014-08-23 20:21:33 -07:00 · 2014-08-23 20:21:33 -07:00 · 6abbbf00e2
commit 6abbbf00e2
parent ca9e147486
2 changed files with 4 additions and 3 deletions
--- a/src/Archive/archives.json
+++ b/src/Archive/archives.json
@ -87,5 +87,6 @@
  "https": false,
  "software": "foolfuuka",
  "boards": ["t"],
-  "files": ["t"]
+  "files": ["t"],
+  "imagehosts": ["http://archive.mawa.re/"]
 }]
--- a/src/General/Get.coffee
+++ b/src/General/Get.coffee
@ -145,8 +145,8 @@ Get =
        {media} = response
        if media then for key of media when /_link$/.test key
          # Image/thumbnail URLs loaded over HTTP can be modified in transit.
-          # Require them to be HTTP so that no referrer is sent to them from an HTTPS page.
-          delete media[key] unless /^http:\/\//.test media[key]
+          # Require them to be from a known HTTP host so that no referrer is sent to them from an HTTPS page.
+          delete media[key] unless media[key].match(/^(http:\/\/[^\/]+\/)?/)[0] in url.archive.imagehosts
        Get.parseArchivedPost response, boardID, postID, root, context
      return true
    return false