Merge branch 'frost' of https://github.com/Aevann1/rDrama into frost

Aevann1 2022-08-05 19:22:19 +02:00
commit 66088d5a5b
5 changed files with 25 additions and 22 deletions


@ -998,7 +998,7 @@ approved_embed_hosts = {
def is_site_url(url):
return url and '\\' not in url and (url.startswith('/') or url.startswith(f'{SITE_FULL}/'))
return url and '\\' not in url and ((url.startswith('/') and not url.startswith('//')) or url.startswith(f'{SITE_FULL}/'))
def is_safe_url(url):
return is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts
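Review bot: The added `not url.startswith('//')` guard on the return line carries no comment saying what it rejects; add `# a scheme-relative "//host/path" resolves to a different origin, so only single-slash paths count as site-local`. Which of the two return lines is the new side is inferred from the stricter condition, since the rendering dropped the +/- markers. The check also runs on the raw string and `is_safe_url` passes it through unnormalised, so consider `url = url.strip()` before the prefix tests so that surrounding whitespace cannot influence the result.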


@ -80,7 +80,7 @@ image_regex = re.compile("(^|\s)(https:\/\/[\w\-.#&/=\?@%;+,:]{5,250}(\.png|\.jp
link_fix_regex = re.compile("(\[.*?\]\()(?!http|/)(.*?\))", flags=re.A)
css_regex = re.compile('https?:\/\/[\w:~,()\-.#&\/=?@%;+]*', flags=re.I|re.A)
css_url_regex = re.compile('url\(\s*[\'"]?(.*?)[\'"]?\s*\)', flags=re.I|re.A)
procoins_li = (0,2500,5000,10000,25000,50000,125000,250000)
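Review bot: `css_url_regex` is added without a comment and its capture can truncate: because `(.*?)` is lazy and the closing quote is optional, a quoted value that contains `)` is captured only up to the first `)`, so the caller compares a shorter string than the CSS parser will read. Matching the quoted and unquoted forms separately avoids that, e.g. `css_url_regex = re.compile(r'''url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)''', flags=re.I|re.A)` (callers would then take the first non-None group), and the line deserves `# CSS url(...) tokens; the capture is the URL handed to is_safe_url`. The hunk header reports a 7/7 change but only the added line is visible, so a removed blank line was probably lost in rendering.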


@ -458,3 +458,15 @@ def normalize_url(url):
url = giphy_regex.sub(r'\1.webp', url)
return url
def validate_css(css):
if '@import' in css:
return False, "@import statements not allowed."
for i in css_url_regex.finditer(css):
url = i.group(1)
if not is_safe_url(url):
domain = tldextract.extract(url).registered_domain
return False, f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
return True, ""
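Review bot: The `'@import' in css` test on the first line of validate_css is case-sensitive, while browsers match CSS at-keywords case-insensitively, so the check should run on a folded copy: `if '@import' in css.lower():`. The function also has no docstring; add one stating that it returns `(True, "")` when every `url()` target passes is_safe_url and `(False, message)` otherwise, with the message intended for display to the user. The error text interpolates `approved_embed_hosts` directly, which renders the container's repr (it is declared with a `{` literal in the first section); `', '.join(sorted(approved_embed_hosts))` would read better, though the wording is carried over from the code the two callers removed.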


@ -599,14 +599,9 @@ def settings_profilecss_get(v):
def settings_profilecss(v):
profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000]
for i in css_regex.finditer(profilecss):
url = i.group(0)
if not is_safe_url(url):
domain = tldextract.extract(url).registered_domain
error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
return render_template("settings_profilecss.html", error=error, v=v)
valid, error = validate_css(profilecss)
if not valid:
return render_template("settings_profilecss.html", error=error, v=v)
v.profilecss = profilecss
g.db.add(v)
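Review bot: `request.values.get("profilecss")` on the second line has no default, so a request without that field raises AttributeError on `.strip()` and the view returns a 500, whereas post_sub_css in the same commit uses `request.values.get('css', '')`; change it to `request.values.get("profilecss", "")` for consistency. That line is unchanged context in this hunk, but the new `validate_css(profilecss)` call depends on it. The body of settings_profilecss continues past the hunk.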


@ -352,21 +352,17 @@ def post_sub_sidebar(v, sub):
@is_not_permabanned
def post_sub_css(v, sub):
sub = g.db.query(Sub).filter_by(name=sub.strip().lower()).one_or_none()
if not sub: abort(404)
if not v.mods(sub.name): abort(403)
css = request.values.get('css', '').strip()
if not sub:
abort(404)
if not v.mods(sub.name):
abort(403)
for i in css_regex.finditer(css):
url = i.group(0)
if not is_safe_url(url):
domain = tldextract.extract(url).registered_domain
error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
return render_template('sub/settings.html', v=v, sidebar=sub.sidebar, sub=sub, error=error)
valid, error = validate_css(css)
if not valid:
return render_template('sub/settings.html',
v=v, sidebar=sub.sidebar, sub=sub, error=error)
sub.css = css
g.db.add(sub)
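Review bot: The sub CSS reaches `validate_css(css)` and `sub.css = css` without the normalisation the profile path applies: settings_profilecss strips backslashes and caps the value at 4000 characters before validating, while here `css = request.values.get('css', '').strip()` is passed through as-is, so the two paths accept different inputs and sub CSS has no size limit. Consider the same pre-processing, `css = request.values.get('css', '').strip().replace('\\', '').strip()[:4000]`, or factoring it into a shared helper next to validate_css so the two views cannot drift again. The `.get` line is unchanged context, which of the two abort() layouts is the new side is not recoverable from the rendering, and post_sub_css's body continues past the hunk.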