security fix: CP-19: Websites – Create Website

Author: usmannasir

plogical/acl.py

@@ -786,4 +786,14 @@ def checkOwnerProtection(currentACL, owner, child):
         else:
             return 0
 
+    @staticmethod
+    def CheckDomainBlackList(domain):
+        BlackList = ['hotmail.com', 'gmail.com', 'yandex.com', 'yahoo.com', 'localhost']
+
+        for black in BlackList:
+            if domain.endswith(black):
+                return 0
+
+        return 1
+
 

websiteFunctions/website.py

@@ -162,6 +162,11 @@ def submitWebsiteCreation(self, userID=None, data=None):
             if ACLManager.checkOwnerProtection(currentACL, loggedUser, newOwner) == 0:
                 return ACLManager.loadErrorJson('createWebSiteStatus', 0)
 
+            if ACLManager.CheckDomainBlackList(domain) == 0:
+                data_ret = {'status': 0, 'createWebSiteStatus': 0, 'error_message': "Blacklisted domain."}
+                json_data = json.dumps(data_ret)
+                return HttpResponse(json_data)
+
             if not validators.domain(domain):
                 data_ret = {'status': 0, 'createWebSiteStatus': 0, 'error_message': "Invalid domain."}
                 json_data = json.dumps(data_ret)