Unverified Commit 2a493004 authored by
security: avoid possible config setting override
It may be possible for parsed feed data to override configuration that is passed to plugins and other components. Normally, feedparser doesn't send those settings (e.g. output or args) that could potentially lead to remote code execution exploits. But there *is* one setting that overlaps right now: "url". It can't do anything now, because the URL is set *after* the feed is parsed, so it's harmless. But who knows how feedparser may change in the future? As a security precaution, we created a list of "locked" items that are important for us and keep the feed from overriding that.
Showing with 9 additions and 2 deletions
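The locked-key guard the commit message describes, as an added example that is not the commit's own code. The function name `merge_item`, the contents of `LOCKED_KEYS` (the three settings the message names) and the sample data are assumptions.

```python
import logging

log = logging.getLogger(__name__)

# Assumed lock list: "url", "output" and "args" are the settings the commit
# message names; the project's real list is not shown on this page.
LOCKED_KEYS = frozenset({"url", "output", "args"})

# Constructed sample data: trusted operator config and an untrusted parsed item.
SAMPLE_CONFIG = {"url": "https://example.com/feed.xml", "output": "example-plugin"}
SAMPLE_PARSED = {
    "title": "Release notes",
    "url": "https://other.example/feed.xml",  # overlaps a locked setting
    "args": "feed-supplied-value",            # locked, and absent from the config
}


def merge_item(config, parsed, locked=LOCKED_KEYS):
    """Return (merged, rejected): config enriched with parsed feed fields.

    config is trusted (operator settings); parsed is untrusted parser output.
    A locked key is never taken from parsed, whether or not config sets it,
    so a feed can neither override nor introduce a sensitive setting.
    """
    merged = dict(config)  # copy, so the trusted config is never mutated
    rejected = []
    for key, value in parsed.items():
        # Normalise before comparing so "URL" or " url " is treated as "url".
        if str(key).strip().lower() in locked:
            rejected.append(str(key))
            continue
        merged[key] = value
    if rejected:
        # Surface the attempt: a feed sending these keys is worth a look.
        log.warning("feed %r supplied locked keys, ignored: %s",
                    config.get("url"), sorted(rejected))
    return merged, sorted(rejected)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    merged, rejected = merge_item(SAMPLE_CONFIG, SAMPLE_PARSED)
    print(merged)
    print(rejected)
```

Rejecting locked keys even when the trusted config leaves them unset matters here: otherwise a feed could introduce `args` on a feed whose operator never configured it.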