Prevent accidental file:// usage
nyurik opened this issue · 4 comments
nyurik commented
In some cases when this module is used with unsanitized data (possibly by accident), the ability to access "file://" is a major security issue. Please add a flag to explicitly permit file:// access, which IMO should be false by default. Also, please provide for an easy way to inject my own URL sanitization function right before that URL is being used. Thanks!
nyurik commented
I added this code right after the case 'file://': label, but I'm not sure this is the way to do it.
if (!Image.enableFileProtocol) {
console.error('file:// protocol is not enabled');
return;
}
nyurik commented
@jieter, I don't think mine is the right approach - my code implies that the user will have to do something like this:
var L = require('leaflet-headless');
GLOBAL.Image.enableFileProtocol = true;
whereas I think users should be able to do this:
var L = require('leaflet-headless');
L.enableFileProtocol = true;
// or
L.imageUrlSanitizer = function(url) {
url = sanitizeUrl(url);
return url; // could be "falsey", string URL, or a buffer (in case I have the data locally available)
};
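An allow-list version of the check and the sanitizer hook discussed above, as an added example that is neither nyurik's code nor part of leaflet-headless; the function names sanitizeImageUrl and resolveImageSource are assumptions, while the option names enableFileProtocol and imageUrlSanitizer follow the proposal in this thread. The protocol is compared after WHATWG URL parsing, so "FILE://", leading whitespace and "file:" without slashes are all caught by the same branch.

```javascript
// Added example (not leaflet-headless code). Protocols an image source may use
// unless the caller opts in to file:// explicitly.
const DEFAULT_ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'data:']);

// Returns the normalized URL string, or null when the URL must not be loaded.
function sanitizeImageUrl(url, options = {}) {
  const {
    enableFileProtocol = false,
    allowedProtocols = DEFAULT_ALLOWED_PROTOCOLS,
  } = options;
  if (typeof url !== 'string') return null;
  let parsed;
  try {
    // new URL() lowercases the scheme and strips leading/trailing whitespace;
    // it throws on relative paths, which could otherwise resolve to the filesystem.
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  if (parsed.protocol === 'file:') {
    return enableFileProtocol ? parsed.href : null;
  }
  return allowedProtocols.has(parsed.protocol) ? parsed.href : null;
}

// Applies the hook shape proposed above right before the image is fetched:
// a user sanitizer may return a falsy value (refuse), a URL string, or a Buffer
// holding the image data. Without a user hook the allow-list check is used.
function resolveImageSource(src, options = {}) {
  if (Buffer.isBuffer(src)) return src; // data already in hand, nothing to fetch
  const sanitizer = options.imageUrlSanitizer || ((u) => sanitizeImageUrl(u, options));
  const result = sanitizer(src);
  if (!result) return null;
  if (Buffer.isBuffer(result) || typeof result === 'string') return result;
  return null;
}
```

A caller wiring this into image loading would treat a null result as a refused load and log it, rather than falling through to the underlying loader.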