Merge pull request #6157 from artragis/fix_security

Correctifs de sécurité Merci à Gustavi pour avoir trouvé les failles ainsi que à artragis (côté zds-site) et à Stalone (côté zmarkdown) pour les avoir corrigées.
zestedesavoir · Sep 5, 2021 · df4f27e · df4f27e
1 parent 3b26ab5
commit df4f27e
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 14 deletions.
diff --git a/zds/tutorialv2/publication_utils.py b/zds/tutorialv2/publication_utils.py
@@ -402,11 +402,12 @@ def publish(self, md_file_path, base_name, **kwargs):
             licence_logo = licences["copyright"]
             licence_url = ""
 
-        replacement_image_url = str(settings.MEDIA_ROOT)
-        if not replacement_image_url.endswith("/") and settings.MEDIA_URL.endswith("/"):
+        replacement_image_url = str(settings.MEDIA_ROOT.parent)
+        if not replacement_image_url.endswith("/"):
             replacement_image_url += "/"
-        elif replacement_image_url.endswith("/") and not settings.MEDIA_URL.endswith("/"):
-            replacement_image_url = replacement_image_url[:-1]
+        replaced_media_url = settings.MEDIA_URL
+        if replaced_media_url.startswith("/"):
+            replaced_media_url = replaced_media_url[1:]
         exported = export_content(public_versionned_source, with_text=True)
         # no title to avoid zmd to put it on the final latex
         del exported["title"]
@@ -423,13 +424,13 @@ def publish(self, md_file_path, base_name, **kwargs):
             license_url=licence_url,
             smileys_directory=str(SMILEYS_BASE_PATH / "svg"),
             images_download_dir=str(base_directory / "images"),
-            local_url_to_local_path=[settings.MEDIA_URL, replacement_image_url],
+            local_url_to_local_path=["/", replacement_image_url],
             heading_shift=-1,
         )
         if content == "" and messages:
             raise FailureDuringPublication(f"Markdown was not parsed due to {messages}")
         zmd_class_dir_path = Path(settings.ZDS_APP["content"]["latex_template_repo"])
-
+        content.replace(replacement_image_url + replaced_media_url, replacement_image_url)
         if zmd_class_dir_path.exists() and zmd_class_dir_path.is_dir():
             with contextlib.suppress(FileExistsError):
                 zmd_class_link = base_directory / "zmdocument.cls"

diff --git a/zds/utils/templatetags/emarkdown.py b/zds/utils/templatetags/emarkdown.py
@@ -91,7 +91,7 @@ def log_args():
         return "", {}, []
 
 
-def render_markdown(md_input, *, on_error=None, **kwargs):
+def render_markdown(md_input, *, on_error=None, disable_jsfiddle=True, **kwargs):
     """Render a markdown string.
 
     Returns a tuple ``(rendered_content, metadata)``, where
@@ -102,7 +102,9 @@ def render_markdown(md_input, *, on_error=None, **kwargs):
     (without any technical details).
 
     """
-    content, metadata, messages = _render_markdown_once(md_input, **kwargs)
+    opts = {"disable_jsfiddle": disable_jsfiddle}
+    opts.update(kwargs)
+    content, metadata, messages = _render_markdown_once(md_input, **opts)
     if messages and on_error:
         on_error([m["message"] for m in messages])
     if content is not None:
@@ -145,11 +147,21 @@ def render_markdown_stats(md_input, **kwargs):
 
 @register.filter(name="epub_markdown", needs_autoescape=False)
 def epub_markdown(md_input, image_directory):
-    return emarkdown(
-        md_input,
-        output_format="epub",
-        images_download_dir=image_directory.absolute,
-        local_url_to_local_path=[settings.MEDIA_URL + "galleries/[0-9]+", image_directory.relative],
+    media_root = str(settings.MEDIA_ROOT)
+    if not media_root.endswith("/"):
+        media_root += "/"
+    replaced_media_url = settings.MEDIA_URL
+    if replaced_media_url.startswith("/"):
+        replaced_media_url = replaced_media_url[1:]
+    return (
+        emarkdown(
+            md_input,
+            output_format="epub",
+            images_download_dir=image_directory.absolute,
+            local_url_to_local_path=[settings.MEDIA_URL + "galleries/[0-9]+", image_directory.relative],
+        )
+        .replace('src"/', f'src="{media_root}')
+        .replace(f'src="{media_root}{replaced_media_url}', f'src="{media_root}')
     )
 
 

diff --git a/zmd/package.json b/zmd/package.json
@@ -9,7 +9,7 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "zmarkdown": "10.1.2"
+    "zmarkdown": "10.1.3"
   },
   "engines": {
     "node": ">=8.0.0"