Merge branch 'frost' of https://github.com/Aevann1/Drama into frost

2022-05-05 23:12:11 +02:00 · 2022-05-05 23:12:11 +02:00 · bb515cb0e8
parent 79f3412aae 1137d56de7
commit bb515cb0e8
3 changed files with 42 additions and 8 deletions
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@ -781,6 +781,7 @@ slur_regex = re.compile(f"({single_words})(?![^<]*>)", flags=re.I|re.A)
 slur_regex_upper = re.compile(f"({single_words.upper()})(?![^<]*>)", flags=re.A)
 torture_regex = re.compile('(^|\s)(i|me) ', flags=re.I|re.A)
 torture_regex2 = re.compile("(^|\s)i'm ", flags=re.I|re.A)
+torture_regex_exclude = re.compile('^\s*>', flags=re.A)

 def sub_matcher(match):
 	return SLURS[match.group(0).lower()]
@ -795,11 +796,17 @@ def censor_slurs(body, logged_user):
 	return body

 def torture_ap(body, username):
-	for k, l in AJ_REPLACEMENTS.items():
-		body = body.replace(k, l)
-	body = torture_regex.sub(rf'\1@{username} ', body)
-	body = torture_regex2.sub(rf'\1@{username} is ', body)
-	return body
+	lines = body.splitlines(keepends=True)
+
+	for i in range(len(lines)):
+		if torture_regex_exclude.match(lines[i]):
+			continue
+		for k, l in AJ_REPLACEMENTS.items():
+			lines[i] = lines[i].replace(k, l)
+		lines[i] = torture_regex.sub(rf'\1@{username} ', lines[i])
+		lines[i] = torture_regex2.sub(rf'\1@{username} is ', lines[i])
+
+	return ''.join(lines)

 YOUTUBE_KEY = environ.get("YOUTUBE_KEY", "").strip()

@ -864,7 +871,8 @@ approved_embed_hosts = [
 	'deviantart.com',
 	'deviantart.net',
 	'googleapis.com',
-	'bing.com'
+	'bing.com',
+	'typekit.net',
 	]

 hosts = "|".join(approved_embed_hosts).replace('.','\.')
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@ -1,4 +1,5 @@
 import time
+import re
 from os import remove
 from PIL import Image as IMAGE

@ -520,8 +521,28 @@ def admin_home(v):
 	else: response = requests.get(f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/settings/security_level', headers=CF_HEADERS, timeout=5).json()['result']['value']
 	under_attack = response == 'under_attack'

-	return render_template("admin/admin_home.html", v=v, under_attack=under_attack, site_settings=app.config['SETTINGS'])
+	gitref = admin_git_head()
+	
+	return render_template("admin/admin_home.html", v=v, 
+		under_attack=under_attack, 
+		site_settings=app.config['SETTINGS'],
+		gitref=gitref)

+def admin_git_head():
+	short_len = 12
+	# Note: doing zero sanitization. Git branch names are extremely permissive.
+	# However, they forbid '..', so I don't see an obvious dir traversal attack.
+	# Also, a malicious branch name would mean someone already owned the server
+	# or repo, so I think this isn't a weak link.
+	try:
+		with open('.git/HEAD') as head_f:
+			head_txt = head_f.read()
+			head_path = re.match('ref: (refs/.+)', head_txt).group(1)
+			with open('.git/' + head_path) as ref_f:
+				gitref = ref_f.read()[0:short_len]
+	except:
+		return '<unable to read>'
+	return gitref

@app.post("/admin/site_settings/<setting>")
@admin_level_required(3)
--- a/files/templates/admin/admin_home.html
+++ b/files/templates/admin/admin_home.html
@ -85,7 +85,12 @@
 		<label class="custom-control-label" for="under_attack">Under attack mode</label>
 	</div>

-	<button class="btn btn-primary mt-3" onclick="post_toast(this,'/admin/purge_cache');">PURGE CACHE</button>
+	<button class="btn btn-primary mt-3" onclick="post_toast(this,'/admin/purge_cache');" style="margin-bottom: 2em;">PURGE CACHE</button>
 {% endif %}

+<h4>Server Status</h4>
+<div>
+	Live Revision: <code>{{ gitref }}</code> <br>
+</div>
+
 {% endblock %}