From c3a0cf459e3d90b3b57300e32a22d56ec202d8f1 Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Wed, 1 Sep 2021 14:13:42 +0500
Subject: [PATCH] =?UTF-8?q?security=20fix:=20CP-19:=20Websites=20=E2=80=93?= =?UTF-8?q?=20Create=20Website?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 plogical/acl.py | 10 ++++++++++
 websiteFunctions/website.py | 5 +++++
 2 files changed, 15 insertions(+)

diff --git a/plogical/acl.py b/plogical/acl.py
index be7e1be2e..bf0367227 100644
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -786,4 +786,14 @@ class ACLManager:
 else:
 return 0
+ @staticmethod
+ def CheckDomainBlackList(domain):
+ BlackList = ['hotmail.com', 'gmail.com', 'yandex.com', 'yahoo.com', 'localhost']
+
+ for black in BlackList:
+ if domain.endswith(black):
+ return 0
+
+ return 1
+
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
index ecb0e3cd2..b8c76250c 100755
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -162,6 +162,11 @@ class WebsiteManager:
 if ACLManager.checkOwnerProtection(currentACL, loggedUser, newOwner) == 0:
 return ACLManager.loadErrorJson('createWebSiteStatus', 0)
+ if ACLManager.CheckDomainBlackList(domain) == 0:
+ data_ret = {'status': 0, 'createWebSiteStatus': 0, 'error_message': "Blacklisted domain."}
+ json_data = json.dumps(data_ret)
+ return HttpResponse(json_data)
+
 if not validators.domain(domain):
 data_ret = {'status': 0, 'createWebSiteStatus': 0, 'error_message': "Invalid domain."}
 json_data = json.dumps(data_ret)
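Review bot: `CheckDomainBlackList` decides with a bare `domain.endswith(black)`, which is both bypassable and over-broad: host names are case-insensitive and nothing in the hunk lowercases the input, so `Gmail.com` or `GMAIL.COM` passes, while an unrelated `notgmail.com` or `mylocalhost` is rejected because the suffix is not anchored at a label boundary. Fold case, drop a trailing dot, and accept only the exact name or a `.`-separated suffix, as below. A one-line docstring stating the 0-means-rejected convention shared with the neighbouring `ACLManager` checks, plus a comment on what registering these mail-provider names as local sites would allow (presumably local mail routing for those domains — worth confirming against CP-19), would make the intent clear to the next reader. A fixed list of consumer mail providers is only a partial control; anything not listed is still accepted, so the comment should say this is a deny-list of known-abused names, not a validation step.
```python
    @staticmethod
    def CheckDomainBlackList(domain):
        """Return 0 if *domain* is, or is a subdomain of, a blacklisted name; else 1."""
        BlackList = ['hotmail.com', 'gmail.com', 'yandex.com', 'yahoo.com', 'localhost']

        # Host names are case-insensitive and may carry a trailing dot;
        # match the exact name or a label-boundary suffix, never a bare substring.
        domain = domain.strip().lower().rstrip('.')
        for black in BlackList:
            if domain == black or domain.endswith('.' + black):
                return 0

        return 1
```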
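Review bot: The new guard is wired into this single create-website handler only; if the project has other paths that register a domain (child domains, aliases, mail domains, an API or CLI entry point — none are visible in this diff), they remain unprotected, and the check belongs on whichever common path actually creates the site rather than in one view. The check also receives `domain` exactly as submitted, before any normalization, so unless `CheckDomainBlackList` folds case itself a mixed-case name such as `Gmail.com` slips past; `if ACLManager.CheckDomainBlackList(domain.strip().lower()) == 0:` closes that at the call site. The error response reuses the `data_ret` / `json.dumps` / `HttpResponse` shape of the `Invalid domain.` branch below, which keeps the two rejections consistent. The enclosing `WebsiteManager` method starts before this hunk and continues after it.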