From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Sun, 28 May 2023 14:03:15 +0530
Subject: HTML Input: Don't add resources that exist outside the folder
hierarchy rooted at the parent folder of the input HTML file by default
Origin: backport, https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b.patch
Forwarded: not-needed
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-46303
Fix for CVE-2023-46303
---
src/calibre/ebooks/conversion/plugins/html_input.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/calibre/ebooks/conversion/plugins/html_input.py b/src/calibre/ebooks/conversion/plugins/html_input.py
index ca5b729..eb26b5c 100644
--- a/src/calibre/ebooks/conversion/plugins/html_input.py
+++ b/src/calibre/ebooks/conversion/plugins/html_input.py
@@ -64,6 +64,16 @@ class HTMLInput(InputFormatPlugin):
)
),
+ OptionRecommendation(name='allow_local_files_outside_root',
+ recommended_value=False, level=OptionRecommendation.LOW,
+ help=_('Normally, resources linked to by the HTML file or its children will only be allowed'
+ ' if they are in a sub-folder of the original HTML file. This option allows including'
+ ' local files from any location on your computer. This can be a security risk if you'
+ ' are converting untrusted HTML and expecting to distribute the result of the conversion.'
+ )
+ ),
+
+
}
def convert(self, stream, opts, file_ext, log,
@@ -76,6 +86,7 @@ class HTMLInput(InputFormatPlugin):
if hasattr(stream, 'name'):
basedir = os.path.dirname(stream.name)
fname = os.path.basename(stream.name)
+ self.root_dir_of_input = os.path.abspath(basedir) + os.sep
if file_ext != 'opf':
if opts.dont_package:
@@ -250,6 +261,11 @@ class HTMLInput(InputFormatPlugin):
frag = l.fragment
if not link:
return None, None
+ link = os.path.abspath(os.path.realpath(link))
+ if not link.startswith(self.root_dir_of_input):
+ if not self.opts.allow_local_files_outside_root:
+ self.log.warn('Not adding {} as it is outside the document root: {}'.format(link, self.root_dir_of_input))
+ return None, None
return link, frag
def resource_adder(self, link_, base=None):
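Review bot: The prefix check resolves the candidate path with `os.path.realpath` but the root it is compared against (set in the second hunk) is only `os.path.abspath(basedir)`, so when the input HTML lives under a symlinked directory every legitimately in-tree resource resolves to a different prefix and is rejected, and, conversely, a root that is itself reached through a symlink is not being compared on its canonical form. The root should be canonicalised the same way, `self.root_dir_of_input = os.path.realpath(basedir) + os.sep`, and since `startswith` is case-sensitive, both sides should go through `os.path.normcase` for the comparison to hold on case-insensitive filesystems. The assignment in the second hunk also sits under `if hasattr(stream, 'name'):`; if the `else` branch (outside the hunk) does not set `root_dir_of_input`, the `startswith` here raises `AttributeError` on a nameless stream, so a default such as `self.root_dir_of_input = None` with an explicit guard is worth adding. The `os.path.abspath` wrapped around `os.path.realpath` is redundant, as `realpath` already returns an absolute path. The enclosing method starts before this hunk.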