diff options
| author | zeripath <art27@cantab.net> | 2021-01-20 15:10:50 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-20 23:10:50 +0800 |
| commit | 172229966c9c69305d7b6b9b69552346343fe270 (patch) | |
| tree | 236fc5892fee943d2dc6bd882b423a5eab46264c /modules/markup/html.go | |
| parent | b708968694841cb1df6038eaabb880d0fe59a7f4 (diff) | |
| download | gitea-172229966c9c69305d7b6b9b69552346343fe270.tar.gz gitea-172229966c9c69305d7b6b9b69552346343fe270.zip | |
Prevent panic on fuzzer provided string (#14405)
* Prevent panic on fuzzer provided string
The fuzzer has found that providing a <body> tag with an attribute to
PostProcess causes a panic. This PR removes any rendered html or body
tags from the output.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Placate lint
* placate lint again
Signed-off-by: Andrew Thornton <art27@cantab.net>
* minor cleanup
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/markup/html.go')
| -rw-r--r-- | modules/markup/html.go | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/modules/markup/html.go b/modules/markup/html.go index 9e4b1a3d5d..67aec7371c 100644 --- a/modules/markup/html.go +++ b/modules/markup/html.go @@ -317,9 +317,6 @@ func RenderEmoji( return ctx.postProcess(rawHTML) } -var byteBodyTag = []byte("<body>") -var byteBodyTagClosing = []byte("</body>") - func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) { if ctx.procs == nil { ctx.procs = defaultProcessors @@ -327,9 +324,9 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) { // give a generous extra 50 bytes res := make([]byte, 0, len(rawHTML)+50) - res = append(res, byteBodyTag...) + res = append(res, "<html><body>"...) res = append(res, rawHTML...) - res = append(res, byteBodyTagClosing...) + res = append(res, "</body></html>"...) // parse the HTML nodes, err := html.ParseFragment(bytes.NewReader(res), nil) @@ -341,6 +338,31 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) { ctx.visitNode(node, true) } + newNodes := make([]*html.Node, 0, len(nodes)) + + for _, node := range nodes { + if node.Data == "html" { + node = node.FirstChild + for node != nil && node.Data != "body" { + node = node.NextSibling + } + } + if node == nil { + continue + } + if node.Data == "body" { + child := node.FirstChild + for child != nil { + newNodes = append(newNodes, child) + child = child.NextSibling + } + } else { + newNodes = append(newNodes, node) + } + } + + nodes = newNodes + // Create buffer in which the data will be placed again. We know that the // length will be at least that of res; to spare a few alloc+copy, we // reuse res, resetting its length to 0. @@ -353,12 +375,8 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) { } } - // remove initial parts - because Render creates a whole HTML page. - res = buf.Bytes() - res = res[bytes.Index(res, byteBodyTag)+len(byteBodyTag) : bytes.LastIndex(res, byteBodyTagClosing)] - // Everything done successfully, return parsed data. - return res, nil + return buf.Bytes(), nil } func (ctx *postProcessCtx) visitNode(node *html.Node, visitText bool) { |