-
Notifications
You must be signed in to change notification settings - Fork 316
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove domain restrictions on URL protocol imports #5347
base: master
Are you sure you want to change the base?
Conversation
When importing a file via bambustudio://open/?file=bla, the URL is now allowed even if it does not match makerworld, amazonaws.com or aliyuncs.com
@isycat thanks for the patch I am afraid we can not merge it for the security reason Without restricting the source of the URL, anyone could use the URL to pass in something like a Trojan or other types of malware. |
IMO this seems kinda non-issue, maybe give a toggle for the restrictions and say something like "Warning, when this is disabled links from malicious sites may be loaded, proceed at your own risk" when the user goes to disable them? |
Currently, you can just host the malware on a - random s3 bucket or literally any domain or sub domain starting with "makerworld". Examples: If this really is intended to help the user it should be togglable, as suggested above, and check for whitelisted certificates instead of a partial URL check. Anything short of that is effectively just annoying gatekeeping. Let's not pretend it's a security feature. |
yes, you are right, above urls also have risks:) In fact, this security risk is already reported by our customer before on the the previous version using "http://" and "https://" |
This right here, if (boost::starts_with(input_str, "https://makerworld.com/") {
download_url = input_str;
} This is almost certainly a (Misguided) attempt at vendor lock-in. You can show a warning that says " Edit: For example https://makerworld.MalwareDomain.invalid/ImVeryEvil-Malware.stl currently is allowed |
Another reason the "security" argument falls apart, A bad actor can also just (mis)use a FOSS CORS proxy and have it serve https://files.printables.com/media/prints/identifier/stls/otheridentifier/example.stl as https://makerworld.evilproxy.invalid/?https://files.printables.com/media/prints/identifier/stls/otheridentifier/example.stl and that would effectively open it up to allowing anything to be loaded. |
@NanashiTheNameless @isycat keep the original url judge logic currently, let it go on as before(we will refine more these address check later) could you do the modifications? |
"popup a warning dialog when the url doesn't meet the above and if user clicks ok, bambu studio will go on to load it" I approve of this idea, best of both worlds! |
This is a perfect idea, thanks! |
hello I need a website that gives adware please |
What do you mean and how is this relevant? I mean, you can try using |
When importing a file via bambustudio://open/?file=bla, the URL is now allowed even if it does not match makerworld, amazonaws.com or aliyuncs.com