From 0811902ff6849320b19bcb336e748f64a66eb409 Mon Sep 17 00:00:00 2001
From: caryoscelus
Date: Tue, 25 Jul 2023 18:59:09 +0000
Subject: [PATCH 1/2] Disable third-party access to 0net server.

This previously enabled clearnet sites to detect if user is running 0net instance on their machine as well as to detect which 0net sites are downloaded. Check online at https://riza-committee.github.io/demos/0scan.html Intra-0net version of this is still available at http://127.0.0.1:43110/1ScanCY9fjmjanDt7NwvyNQCL16hqWnVM/
---
 src/Ui/UiRequest.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 281a5e5c..8f1e4c18 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -282,13 +282,17 @@ class UiRequest(object):
     # Send response headers
     def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]):
+        ref = self.env.get("HTTP_REFERER")
+        url = self.getRequestUrl()
+        if status != 404 and ref and not self.isSameHost(ref, url):
+            # pretend nothing is here for third-party access
+            return self.error404()
+
         headers = {}
         headers["Version"] = "HTTP/1.1"
         headers["Connection"] = "Keep-Alive"
         headers["Keep-Alive"] = "max=25, timeout=30"
         headers["X-Frame-Options"] = "SAMEORIGIN"
-        if content_type != "text/html" and self.env.get("HTTP_REFERER") and self.isSameOrigin(self.getReferer(), self.getRequestUrl()):
-            headers["Access-Control-Allow-Origin"] = "*"  # Allow load font files from css
         if noscript:
             headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src *; font-src * data:; media-src *; style-src * 'unsafe-inline';"
@@ -605,7 +609,23 @@ class UiRequest(object):
         self.server.add_nonces.append(add_nonce)
         return add_nonce
+    def isSameHost(self, url_a, url_b):
+        """Check if urls have the same HOST (to prevent leaking resources to clearnet sites)"""
+        if not url_a or not url_b:
+            return False
+
+        url_a = url_a.replace("/raw/", "/")
+        url_b = url_b.replace("/raw/", "/")
+
+        origin_pattern = "http[s]{0,1}://(.*?/).*"
+
+        origin_a = re.sub(origin_pattern, "\\1", url_a)
+        origin_b = re.sub(origin_pattern, "\\1", url_b)
+
+        return origin_a == origin_b
+
     def isSameOrigin(self, url_a, url_b):
+        """Check if 0net origin is the same"""
         if not url_a or not url_b:
             return False
From f336cd02bd9cdc3893741cd9fa110431e5929ebd Mon Sep 17 00:00:00 2001
From: caryoscelus
Date: Tue, 25 Jul 2023 20:55:40 +0000
Subject: [PATCH 2/2] More sophisticated detection of cross-site info leak

see previous commit for more info
---
 src/Ui/UiRequest.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 8f1e4c18..b5d1736e 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
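Review bot: `isSameHost` reports two same-host URLs as different whenever one of them has no "/" after the host, because `origin_pattern` insists on a trailing "/" and `re.sub` returns an unmatched string unchanged, so the full `http://host:port` is then compared with a bare `host:port/`. An Origin header carries only scheme and host (no path), so the `not_same_origin = origin and not self.isSameHost(origin, url)` line in the PATCH 2/2 hunk would classify same-host requests that send Origin (form POSTs, CORS-mode fetches) as foreign and answer 404, assuming `getRequestUrl()` returns a URL that includes a path. Extracting the host with an anchored match that stops at the first "/" without requiring one fixes both shapes, and the `/raw/` rewrites can go since they never touch the host part of a URL. The body of `isSameOrigin` continues past the end of the hunk.

```python
    def isSameHost(self, url_a, url_b):
        """Check if urls have the same HOST (to prevent leaking resources to clearnet sites)"""
        # … unchanged: empty-argument guard …

        # Compare host[:port] only; an Origin header has no path, so the host
        # must be accepted with or without a trailing "/".
        host_pattern = "^https?://([^/]+)"
        match_a = re.match(host_pattern, url_a)
        match_b = re.match(host_pattern, url_b)
        if not match_a or not match_b:
            return False

        return match_a.group(1) == match_b.group(1)
```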
@@ -282,9 +282,15 @@ class UiRequest(object):
     # Send response headers
     def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]):
-        ref = self.env.get("HTTP_REFERER")
         url = self.getRequestUrl()
-        if status != 404 and ref and not self.isSameHost(ref, url):
+        referer = self.env.get('HTTP_REFERER')
+        origin = self.env.get('HTTP_ORIGIN')
+        fetch_site = self.env.get('HTTP_SEC_FETCH_SITE')
+        fetch_mode = self.env.get('HTTP_SEC_FETCH_MODE')
+        not_same_ref = referer and not self.isSameHost(referer, url)
+        not_same_origin = origin and not self.isSameHost(origin, url)
+        cross_site_not_navigate = not referer and fetch_site == 'cross-site' and not fetch_mode == 'navigate'
+        if status != 404 and (not_same_ref or not_same_origin or cross_site_not_navigate):
             # pretend nothing is here for third-party access
             return self.error404()