jieter/leaflet-headless

Prevent accidental file:// usage

nyurik opened this issue · 4 comments

In some cases when this module is used with unsanitized data (possibly by accident), the ability to access "file://" is a major security issue. Please add a flag to explicitly permit file:// access, which IMO should be false by default. Also, please provide for an easy way to inject my own URL sanitization function right before that URL is being used. Thanks!

I added this code right after the case 'file://':, but i'm not sure this is the way to do it.

        if (!Image.enableFileProtocol) {
            console.error('file:// protocol is not enabled');
            return;
        }

@nyurik can you open a PR adding these functionality?

@jieter, I don't think mine is the right approach - my code implies that the user will have to do something like this:

var L = require('leaflet-headless');
GLOBAL.Image.enableFlieProtocol = true;

whereas I think users should be able to do this:

var L = require('leaflet-headless');
L.enableFileProtocol = true;
// or
L.imageUrlSanitizer = function(url) {
  url = sanitizeUrl(url);
  return url;  // could be "falsey", string URL, or a buffer (in case I have the data locally available)
};

@nyurik any interest in adding something to fix this? I've no personal need for it, so cannot invest the time implementing it. PR's still welcome of course.