diff --git a/files/helpers/const.py b/files/helpers/const.py
index 17cb4bc39..2e19bcd11 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -805,7 +805,7 @@ approved_embed_hosts = [
 hosts = "|".join(approved_embed_hosts).replace('.','\.')
-image_check_regex = re.compile(f'!\[\]\(((?!(https:\/\/([a-z0-9-]+\.)*({hosts})\/|\/images\/)).*?)\)', flags=re.A)
+image_check_regex = re.compile(f'!\[\]\(((?!(https:\/\/([a-z0-9-]+\.)*({hosts})\/|\/)).*?)\)', flags=re.A)
 embed_fullmatch_regex = re.compile(f'https:\/\/([a-z0-9-]+\.)*({hosts})\/[\w:~,()\-.#&\/=?@%;+]*', flags=re.A)
diff --git a/files/helpers/filters.py b/files/helpers/filters.py
deleted file mode 100644
index f6d1ecff8..000000000
--- a/files/helpers/filters.py
+++ /dev/null
@@ -1,34 +0,0 @@
-from bs4 import BeautifulSoup
-from flask import *
-from urllib.parse import urlparse
-from files.classes import BannedDomain
-
-def filter_comment_html(html_text):
-
- soup = BeautifulSoup(html_text, 'lxml')
-
- links = soup.find_all("a")
-
- domain_list = set()
-
- for link in links:
-
- href = link.get("href")
- if not href: continue
-
- url = urlparse(href)
- domain = url.netloc
- path = url.path
- domain_list.add(domain+path)
-
- parts = domain.split(".")
- for i in range(len(parts)):
- new_domain = parts[i]
- for j in range(i + 1, len(parts)):
- new_domain += "." + parts[j]
- domain_list.add(new_domain)
-
- bans = [x for x in g.db.query(BannedDomain).filter(BannedDomain.domain.in_(list(domain_list))).all()]
-
- if bans: return bans
- else: return []
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 6965da360..58c6cf456 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
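Review bot: The lookahead alternative that the `+image_check_regex` line changes from `\/images\/` to a bare `\/` also admits protocol-relative targets (`//host/…`), which browsers resolve against a different origin, so the `approved_embed_hosts` allowlist this pattern enforces no longer holds for everything it lets through. If the intent is to allow any site-relative path, `\/(?!\/)` keeps that widening while still rejecting the protocol-relative form. It is also worth confirming that every same-origin path is safe to be fetched as an image, since the previous prefix confined embeds to `/images/`. Unrelated to the change itself, the `\/`, `\[` and `\(` escapes sit in a non-raw f-string, which Python reports as invalid escape sequences (a DeprecationWarning, SyntaxWarning from 3.12); an `rf'…'` literal would silence that.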
@@ -257,6 +257,34 @@ def sanitize(sanitized, alert=False, comment=False, edit=False):
+ soup = BeautifulSoup(sanitized, 'lxml')
+
+ links = soup.find_all("a")
+
+ domain_list = set()
+
+ for link in links:
+
+ href = link.get("href")
+ if not href: continue
+
+ url = urlparse(href)
+ domain = url.netloc
+ path = url.path
+ domain_list.add(domain+path)
+
+ parts = domain.split(".")
+ for i in range(len(parts)):
+ new_domain = parts[i]
+ for j in range(i + 1, len(parts)):
+ new_domain += "." + parts[j]
+ domain_list.add(new_domain)
+
+ bans = g.db.query(BannedDomain.domain).filter(BannedDomain.domain.in_(list(domain_list))).all()
+
+ if bans: abort(403, description=f"Remove the banned domains {bans} and try again!")
+
+
 signal.alarm(0)
 return sanitized
diff --git a/files/routes/comments.py b/files/routes/comments.py
index f5d68198d..94e4d5427 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -1,5 +1,4 @@
 from files.helpers.wrappers import *
-from files.helpers.filters import *
 from files.helpers.alerts import *
 from files.helpers.images import *
 from files.helpers.const import *
@@ -323,13 +322,6 @@ def api_comment(v):
 body_html = sanitize(body, comment=True)
- bans = filter_comment_html(body_html)
-
- if bans:
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your comment and try again."
- if ban.reason: reason += f" {ban.reason}"
- return {"error": reason}, 401
 if parent_post.id not in ADMIGGERS and '!slots' not in body.lower() and '!blackjack' not in body.lower() and '!wordle' not in body.lower() and AGENDAPOSTER_PHRASE not in body.lower(): existing = g.db.query(Comment.id).filter(Comment.author_id == v.id,
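Review bot: The new `if bans: abort(403, …)` line raises before the `signal.alarm(0)` that follows it, so if that call is cancelling a timeout alarm armed earlier in sanitize() (the start of the function is above this hunk), a body rejected for a banned domain leaves the alarm pending and it can fire later in the same worker; cancel before aborting, e.g. `if bans:` / `signal.alarm(0)` / `abort(403, description=…)`, or move the cancel into a `finally`. `{bans}` interpolates the list of Row tuples that `query(BannedDomain.domain)…all()` returns, so users see `[('host',)]`; unpack with `bans = [b[0] for b in bans]` first, and note that the per-domain `BannedDomain.reason` the deleted callers appended is no longer surfaced. `url.netloc` is matched against the banlist without normalisation, so a host that differs only in letter case or carries a port or userinfo is not found; `(url.hostname or '')` is lower-cased and has both stripped. The description then flows into the JSON error body and `errors/403.html`, where the template path depends on Jinja autoescaping being on.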
@@ -737,16 +729,6 @@ def edit_comment(cid, v):
 body_html = sanitize(body, edit=True)
- bans = filter_comment_html(body_html)
-
- if bans:
-
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your comment and try again."
-
- if ban.reason: reason += f" {ban.reason}"
-
- return {'error': reason}, 400
 if '!slots' not in body.lower() and '!blackjack' not in body.lower() and '!wordle' not in body.lower() and AGENDAPOSTER_PHRASE not in body.lower(): now = int(time.time())
 cutoff = now - 60 * 60 * 24
diff --git a/files/routes/errors.py b/files/routes/errors.py
index 581c95eab..eeb32ab13 100644
--- a/files/routes/errors.py
+++ b/files/routes/errors.py
@@ -23,8 +23,16 @@ def error_401(e):
 @app.errorhandler(403)
 def error_403(e):
- if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": "403 Forbidden"}, 403
- else: return render_template('errors/403.html', err=True), 403
+
+ description = e.description
+ if description == "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.": description = ''
+
+ if request.headers.get("Authorization") or request.headers.get("xhr"):
+ if not description: description = "403 Forbidden"
+ return {"error": description}, 403
+ else:
+ if not description: description = "YOU AREN'T WELCOME HERE GO AWAY"
+ return render_template('errors/403.html', description=description, err=True), 403
 @app.errorhandler(404)
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 1ee51bdd2..c5d780dbb 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -3,7 +3,6 @@ import gevent
 import requests
 from files.helpers.wrappers import *
 from files.helpers.sanitize import *
-from files.helpers.filters import *
 from files.helpers.alerts import *
 from files.helpers.discord import send_discord_message, send_cringetopia_message
 from files.helpers.const import *
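Review bot: `error_403` recognises Werkzeug's default message by comparing `e.description` against a hard-coded copy of that sentence, which silently stops matching if the library wording changes; compare against the class attribute instead, `if description == Forbidden.description: description = ''` with `from werkzeug.exceptions import Forbidden`. The handler now reflects whatever an `abort(403, description=…)` caller supplied — including the banned-domain message that sanitize.py builds from user-submitted links — into both the JSON body and `errors/403.html`, so the template path depends on autoescaping being active there. Callers that previously returned their own 400/401 JSON for banned links (comments.py, settings.py) now surface as 403 through this handler, a status change API clients may key on. The removed two-line body and the whole of error_403 lie inside this hunk.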
@@ -510,14 +509,6 @@ def edit_post(pid, v):
 if v.id == p.author_id and v.marseyawarded and marseyaward_body_regex.search(body_html): return {"error":"You can only type marseys!"}, 403
- bans = filter_comment_html(body_html)
- if bans:
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your post and try again."
- if ban.reason:
- reason += f" {ban.reason}"
-
- return {"error": reason}, 403
 p.body = body
@@ -1110,12 +1101,7 @@ def submit_post(v, sub=None):
 if len(body_html) > 40000: return error("Submission body_html too long! (max 40k characters)")
- bans = filter_comment_html(body_html)
- if bans:
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your post and try again."
- if ban.reason: reason += f" {ban.reason}"
- return error(reason)
+
 if request.host == 'rdrama.net' and v.admin_level < 2: club = False
 else: club = bool(request.values.get("club",""))
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 3844f4d9c..e1011ea9e 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -1,7 +1,6 @@
 from __future__ import unicode_literals
 from files.helpers.alerts import *
 from files.helpers.sanitize import *
-from files.helpers.filters import filter_comment_html
 from files.helpers.discord import remove_user, set_nick
 from files.helpers.const import *
 from files.mail import *
@@ -141,16 +140,6 @@ def settings_profile_post(v):
 sig = image_regex.sub(r'![](\1)', sig)
 sig_html = sanitize(sig)
- bans = filter_comment_html(sig_html)
-
-
- if bans:
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your sig and try again."
- if ban.reason:
- reason += f" {ban.reason}"
-
- return {"error": reason}, 401
 if len(sig_html) > 1000: return render_template("settings_profile.html",
@@ -174,13 +163,6 @@ def settings_profile_post(v):
 friends = image_regex.sub(r'![](\1)', friends)
 friends_html = sanitize(friends)
- bans = filter_comment_html(friends_html)
-
- if bans:
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your friends list and try again."
- if ban.reason: reason += f" {ban.reason}"
- return {"error": reason}, 401
 if len(friends_html) > 2000: return render_template("settings_profile.html",
@@ -210,13 +192,6 @@ def settings_profile_post(v):
 enemies = image_regex.sub(r'![](\1)', enemies)
 enemies_html = sanitize(enemies)
- bans = filter_comment_html(enemies_html)
-
- if bans:
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your enemies list and try again."
- if ban.reason: reason += f" {ban.reason}"
- return {"error": reason}, 401
 if len(enemies_html) > 2000: return render_template("settings_profile.html",
@@ -266,21 +241,12 @@ def settings_profile_post(v):
 return render_template("settings_profile.html", v=v, error="Image/Video files only."), 400
 bio_html = sanitize(bio)
- bans = filter_comment_html(bio_html)
 if len(bio_html) > 10000: return render_template("settings_profile.html", v=v, error="Your bio is too long")
- if bans:
- ban = bans[0]
- reason = f"Remove the {ban.domain} link from your bio and try again."
- if ban.reason:
- reason += f" {ban.reason}"
-
- return {"error": reason}, 401
-
 if len(bio_html) > 10000: abort(400)
 v.bio = bio[:1500]
diff --git a/files/templates/errors/403.html b/files/templates/errors/403.html
index bf4589c2e..b8377e5db 100644
--- a/files/templates/errors/403.html
+++ b/files/templates/errors/403.html
@@ -13,7 +13,7 @@
YOU AREN'T WELCOME HERE GO AWAY
+{{description}}