Prevent framing and CSS on privileged subreddit pages.

2026-01-26 23:39:11 -05:00 · 2012-03-02 09:50:34 -08:00
parent 5c0cafb391
commit 30d2a51f63
2 changed files with 17 additions and 1 deletions
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -21,7 +21,7 @@
 ################################################################################
 from validator import *
 from pylons.i18n import _, ungettext
-from reddit_base import RedditController, base_listing, paginated_listing
+from reddit_base import RedditController, base_listing, paginated_listing, prevent_framing_and_css
 from r2 import config
 from r2.models import *
 from r2.lib.pages import *
@@ -109,6 +109,7 @@ class FrontController(RedditController):
        else:
            return self.redirect(add_sr('/'))

+    @prevent_framing_and_css()
    @validate(VAdmin(),
              article = VLink('article'))
    def GET_details(self, article):
@@ -382,6 +383,7 @@ class FrontController(RedditController):
        pane = listing.listing()
        return pane

+    @prevent_framing_and_css(allow_cname_frame=True)
    @paginated_listing(max_page_size=500, backend='cassandra')
    @validate(mod=VAccountByName('mod'),
              action=VOneOf('type', ModAction.actions))
@@ -552,15 +554,18 @@ class FrontController(RedditController):
                stylesheet_contents = c.site.stylesheet_contents
            else:
                stylesheet_contents = ''
+            c.allow_styles = True
            pane = SubredditStylesheet(site = c.site,
                                       stylesheet_contents = stylesheet_contents)
        elif location in ('reports', 'spam', 'trials', 'modqueue') and is_moderator:
+            c.allow_styles = True
            pane = self._make_spamlisting(location, num, after, reverse, count)
            if c.user.pref_private_feeds:
                extension_handling = "private"
        elif is_moderator and location == 'traffic':
            pane = RedditTraffic()
        elif is_moderator and location == 'flair':
+            c.allow_styles = True
            pane = FlairPane(num, after, reverse, name, user)
        elif c.user_is_sponsor and location == 'ads':
            pane = RedditAds()
@@ -573,6 +578,7 @@ class FrontController(RedditController):
                          extension_handling = extension_handling).render()

    @base_listing
+    @prevent_framing_and_css(allow_cname_frame=True)
    @validate(location = nop('location'),
              created = VOneOf('created', ('true','false'),
                               default = 'false'),
--- a/r2/r2/controllers/reddit_base.py
+++ b/r2/r2/controllers/reddit_base.py
@@ -530,6 +530,16 @@ def require_https():
    if not c.secure:
        abort(403)

+def prevent_framing_and_css(allow_cname_frame=False):
+    def wrap(f):
+        def no_funny_business(*args, **kwargs):
+            c.allow_styles = False
+            if not (allow_cname_frame and c.cname and not c.authorized_cname):
+                c.deny_frames = True
+            return f(*args, **kwargs)
+        return no_funny_business
+    return wrap
+
 class MinimalController(BaseController):

    allow_stylesheets = False