Merge branch 'frost' of https://github.com/Aevann1/rDrama into frost

2022-08-05 19:22:19 +02:00 · 2022-08-05 19:22:19 +02:00 · 66088d5a5b
parent a75d481f60 8b241a765a
commit 66088d5a5b
5 changed files with 25 additions and 22 deletions
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@ -998,7 +998,7 @@ approved_embed_hosts = {


 def is_site_url(url):
-	return url and '\\' not in url and (url.startswith('/') or url.startswith(f'{SITE_FULL}/'))
+	return url and '\\' not in url and ((url.startswith('/') and not url.startswith('//')) or url.startswith(f'{SITE_FULL}/'))

 def is_safe_url(url):
 	return is_site_url(url) or tldextract.extract(url).registered_domain in approved_embed_hosts
--- a/files/helpers/regex.py
+++ b/files/helpers/regex.py
@ -80,7 +80,7 @@ image_regex = re.compile("(^|\s)(https:\/\/[\w\-.#&/=\?@%;+,:]{5,250}(\.png|\.jp

 link_fix_regex = re.compile("(\[.*?\]\()(?!http|/)(.*?\))", flags=re.A)

-css_regex = re.compile('https?:\/\/[\w:~,()\-.#&\/=?@%;+]*', flags=re.I|re.A)
+css_url_regex = re.compile('url\(\s*[\'"]?(.*?)[\'"]?\s*\)', flags=re.I|re.A)

 procoins_li = (0,2500,5000,10000,25000,50000,125000,250000)

--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@ -458,3 +458,15 @@ def normalize_url(url):
 	url = giphy_regex.sub(r'\1.webp', url)

 	return url
+
+def validate_css(css):
+	if '@import' in css:
+		return False, "@import statements not allowed."
+
+	for i in css_url_regex.finditer(css):
+		url = i.group(1)
+		if not is_safe_url(url):
+			domain = tldextract.extract(url).registered_domain
+			return False, f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
+
+	return True, ""
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@ -599,14 +599,9 @@ def settings_profilecss_get(v):
 def settings_profilecss(v):
 	profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000]

-
-	for i in css_regex.finditer(profilecss):
-		url = i.group(0)
-		if not is_safe_url(url):
-			domain = tldextract.extract(url).registered_domain
-			error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
-			return render_template("settings_profilecss.html", error=error, v=v)
-
+	valid, error = validate_css(profilecss)
+	if not valid:
+		return render_template("settings_profilecss.html", error=error, v=v)

 	v.profilecss = profilecss
 	g.db.add(v)
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@ -352,21 +352,17 @@ def post_sub_sidebar(v, sub):
@is_not_permabanned
 def post_sub_css(v, sub):
 	sub = g.db.query(Sub).filter_by(name=sub.strip().lower()).one_or_none()
-	if not sub: abort(404)
-	
-	if not v.mods(sub.name): abort(403)
-
 	css = request.values.get('css', '').strip()

+	if not sub:
+		abort(404)
+	if not v.mods(sub.name):
+		abort(403)

-	for i in css_regex.finditer(css):
-		url = i.group(0)
-		if not is_safe_url(url):
-			domain = tldextract.extract(url).registered_domain
-			error = f"The domain '{domain}' is not allowed, please use one of these domains\n\n{approved_embed_hosts}."
-			return render_template('sub/settings.html', v=v, sidebar=sub.sidebar, sub=sub, error=error)
-
-
+	valid, error = validate_css(css)
+	if not valid:
+		return render_template('sub/settings.html',
+			v=v, sidebar=sub.sidebar, sub=sub, error=error)

 	sub.css = css
 	g.db.add(sub)