diff --git a/files/classes/submission.py b/files/classes/submission.py
index cedb8594c..d24081541 100644
--- a/files/classes/submission.py
+++ b/files/classes/submission.py
@@ -478,7 +478,7 @@ class Submission(Base):
 	@property
 	@lazy
 	def is_image(self):
-		if self.url and (self.url.lower().endswith('.webp') or self.url.lower().endswith('.jpg') or self.url.lower().endswith('.png') or self.url.lower().endswith('.gif') or self.url.lower().endswith('.jpeg') or self.url.lower().endswith('?maxwidth=9999') or self.url.lower().endswith('&fidelity=high')) and embed_check_regex.fullmatch(self.url):
+		if self.url and (self.url.lower().endswith('.webp') or self.url.lower().endswith('.jpg') or self.url.lower().endswith('.png') or self.url.lower().endswith('.gif') or self.url.lower().endswith('.jpeg') or self.url.lower().endswith('?maxwidth=9999') or self.url.lower().endswith('&fidelity=high')) and (self.url.startswith('/') or self.url.startswith(f'{SITE_FULL}/') or embed_check_regex.fullmatch(self.url)):
 			return True
 		return False
diff --git a/files/helpers/const.py b/files/helpers/const.py
index edac0a94a..7cf8ff28a 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -12,7 +12,6 @@ SITE_NAME = environ.get("SITE_NAME", '').strip()
 if SITE == "localhost": SITE_FULL = 'http://' + SITE
 else: SITE_FULL = 'https://' + SITE
-SITE_FULL2 = 'http://' + SITE
 if SITE == 'pcmemes.net': CC = "SPLASH MOUNTAIN"
 else: CC = "COUNTRY CLUB"
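Review bot: The new `self.url.startswith('/')` branch in is_image also accepts scheme-relative URLs such as `//other-host/x.png`, which sidestep the host allowlist that embed_check_regex enforces; unless the URL is normalised before it is stored, the test should read `(self.url.startswith('/') and not self.url.startswith('//'))`. The same `startswith('/')` shortcut is added to allowed_attributes in files/helpers/sanitize.py, and the pre-existing one in callback in that file has the same gap, so an img src or link href of that form is treated as same-site there too. As a point of style, the seven `self.url.lower().endswith(...)` calls could become one `self.url.lower().endswith(('.webp', '.jpg', '.png', '.gif', '.jpeg', '?maxwidth=9999', '&fidelity=high'))`. The rest of the Submission class lies outside the hunk.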
@@ -757,46 +756,53 @@ proxies = {"http":"http://127.0.0.1:18080","https":"http://127.0.0.1:18080"}
 blackjack = environ.get("BLACKJACK", "").strip()
 approved_embed_hosts = [
-	'i.imgur.com',
-	'i\.ibb\.co',
-	'pomf2\.lain\.la',
+	'imgur.com',
+	'ibb\.co',
+	'lain\.la',
 	'pngfind\.com',
-	'i\.kym-cdn\.com',
-	'i2\.kym-cdn\.com',
-	'i\.redd\.it',
-	'cdn\.substack\.com',
-	'cdn\.discordapp\.com',
-	'2\.bp\.blogspot\.com',
-	'files\.catbox\.moe',
-	'i\.pinimg\.com',
+	'kym-cdn\.com',
+	'redd\.it',
+	'substack\.com',
+	'blogspot\.com',
+	'catbox\.moe',
+	'pinimg\.com',
 	'kindpng\.com',
-	'cdn\.shopify\.com',
-	'media\.discordapp\.net',
-	'pbs\.twimg\.com',
-	'upload\.wikimedia\.org',
-	'i0\.wp\.com',
+	'shopify\.com',
+	'discordapp\.com',
+	'discordapp\.net',
+	'twimg\.com',
+	'wikimedia\.org',
+	'wp\.com',
+	'wordpress\.com',
 	'seekpng\.com',
-	'i\.dailymail\.co\.uk',
-	'de\.catbox\.moe',
-	'www\.cdc\.gov',
-	'm\.media-amazon\.com',
-	'www\.washingtonpost\.com',
-	'i\.imgflip\.com',
-	'farm2\.static\.flickr\.com',
-	'img-9gag-fun\.9cache\.com',
-	'i\.ytimg\.com',
-	'a57\.foxnews\.com',
-	'external-content\.duckduckgo\.com',
-	'blogs-images\.forbes\.com',
-	'images\.gr-assets\.com',
-	'c\.tenor\.com',
-	'media\.giphy\.com'
+	'dailymail\.co\.uk',
+	'cdc\.gov',
+	'media-amazon\.com',
+	'washingtonpost\.com',
+	'imgflip\.com',
+	'flickr\.com',
+	'9cache\.com',
+	'ytimg\.com',
+	'foxnews\.com',
+	'duckduckgo\.com',
+	'forbes\.com',
+	'gr-assets\.com',
+	'tenor\.com',
+	'giphy\.com',
+	'makeagif\.com',
+	'gfycat\.com',
+	'tumblr\.com',
+	'yarn\.co',
+	'gifer\.com',
+	'prnt\.sc',
+	'staticflickr\.com',
+	'kiwifarms\.net'
 ]
 hosts = "|".join(approved_embed_hosts)
-image_check_regex = re.compile(f'!\[\]\(((?!https:\/\/({hosts})\/).*?)\)', flags=re.A)
+image_check_regex = re.compile(f'!\[\]\(((?!https:\/\/([a-z0-9-]\.)*({hosts})\/).*?)\)', flags=re.A)
-embed_check_regex = regex.compile(f'(?)https:\/\/({hosts})\/[\w:~,()\-.#&\/=?@%;+]*', flags=regex.A)
+embed_check_regex = regex.compile(f'(?)https:\/\/([a-z0-9-]\.)*({hosts})\/[\w:~,()\-.#&\/=?@%;+]*', flags=regex.A)
-video_regex = regex.compile(f'((?)https:\/\/({hosts})\/[\w:~,()\-.#&\/=?@%;+]*?\.(mp4|webm|mov))', flags=regex.A)
\ No newline at end of file
+video_regex = regex.compile(f'((?)https:\/\/([a-z0-9-]\.)*({hosts})\/[\w:~,()\-.#&\/=?@%;+]*?\.(mp4|webm|mov))', flags=regex.A)
\ No newline at end of file
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 166a8af6b..a251b6426 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -37,7 +37,7 @@ def allowed_attributes(tag, name, value):
 	if tag == 'img':
 		if name in ['src','data-src']:
-			if value.startswith('/') or embed_check_regex.fullmatch(value): return True
+			if value.startswith('/') or value.startswith(f'{SITE_FULL}/') or embed_check_regex.fullmatch(value): return True
 			else: return False
 		if name == 'loading' and value == 'lazy': return True
@@ -70,7 +70,7 @@ url_re = build_url_re(tlds=TLDS, protocols=['http', 'https'])
 def callback(attrs, new=False):
 	href = attrs[(None, "href")]
-	if not href.startswith(SITE_FULL) and not href.startswith('/') and not href.startswith(SITE_FULL2):
+	if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'):
 		attrs[(None, "target")] = "_blank"
 		attrs[(None, "rel")] = "nofollow noopener noreferrer"
diff --git a/files/routes/awards.py b/files/routes/awards.py
index b0ce9364f..9e39814e8 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -354,7 +354,7 @@ def award_post(pid, v):
 	g.db.commit()
 	if request.referrer and len(request.referrer) > 1:
 		if request.referrer == f'{SITE_FULL}/submit': return redirect(post.permalink)
-		elif request.referrer.startswith(SITE_FULL): return redirect(request.referrer)
+		elif request.referrer.startswith(f'{SITE_FULL}/'): return redirect(request.referrer)
 	return redirect(SITE_FULL)
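Review bot: The subdomain prefix added to image_check_regex, embed_check_regex and video_regex is `([a-z0-9-]\.)*`, which matches only single-character labels, so hosts the old list named explicitly — `pbs.twimg.com`, `cdn.discordapp.com`, `upload.wikimedia.org`, `files.catbox.moe` — no longer pass fullmatch and their embeds are rejected; the quantifier needs to be `([a-z0-9-]+\.)*` in all three patterns. Accepting any subdomain also changes what the list means: entries such as `wordpress\.com`, `blogspot\.com`, `tumblr\.com` and `wp\.com` serve user-registered subdomains, so the allowlist now admits origins controlled by arbitrary third parties, which deserves a comment above approved_embed_hosts stating that entries are domain suffixes and every subdomain of them is accepted. `imgur.com` is the one entry with an unescaped dot, so it also matches `imgurXcom`; `imgur\.com` keeps it consistent with its neighbours.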
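Review bot: The referrer guard in award_post now spells the same-origin test as `request.referrer.startswith(f'{SITE_FULL}/')`, and the identical expression is repeated in award_comment, sub_toggle, allow_nsfw, login_get and login_post in this commit; a single helper such as `def is_site_url(url): return url.startswith(f'{SITE_FULL}/')` in files/helpers/const.py would keep the rule in one place the next time it has to change. The surrounding `len(request.referrer) > 1` is redundant once the prefix test is present, since a string that starts with `SITE_FULL/` is never that short. The Referer header is client-supplied, so the exact-prefix form (with the trailing slash) is what keeps these redirects on the site's own origin; a one-line comment saying so would explain why the slash matters. award_post's body starts outside the hunk.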
@@ -590,7 +590,7 @@ def award_comment(cid, v):
 	g.db.add(author)
 	g.db.commit()
-	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(SITE_FULL):
+	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(f'{SITE_FULL}/'):
 		return redirect(request.referrer)
 	return redirect(SITE_FULL)
diff --git a/files/routes/errors.py b/files/routes/errors.py
index fe19176c1..581c95eab 100644
--- a/files/routes/errors.py
+++ b/files/routes/errors.py
@@ -60,6 +60,6 @@ def allow_nsfw():
 	session["over_18"] = int(time.time()) + 3600
 	redir = request.values.get("redir")
 	if redir:
-		if redir.startswith(SITE_FULL): return redirect(redir)
+		if redir.startswith(f'{SITE_FULL}/'): return redirect(redir)
 		if redir.startswith('/'): return redirect(f'{SITE_FULL}{redir}')
 	return redirect('/')
\ No newline at end of file
diff --git a/files/routes/login.py b/files/routes/login.py
index bc059dc36..75ead3905 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -11,10 +11,10 @@ def login_get(v):
 	redir = request.values.get("redirect")
 	if redir:
 		redir = redir.replace("/logged_out", "").strip()
-		if not redir.startswith(SITE_FULL) and not redir.startswith('/'): redir = None
+		if not redir.startswith(f'{SITE_FULL}/') and not redir.startswith('/'): redir = None
 		if v and redir:
-			if redir.startswith(SITE_FULL): return redirect(redir)
+			if redir.startswith(f'{SITE_FULL}/'): return redirect(redir)
 			elif redir.startswith('/'): return redirect(f'{SITE_FULL}{redir}')
 	return render_template("login.html", failed=False, redirect=redir)
@@ -150,10 +150,10 @@ def login_post():
 	redir = request.values.get("redirect")
 	if redir:
 		redir = redir.replace("/logged_out", "").strip()
-		if not redir.startswith(SITE_FULL) and not redir.startswith('/'): redir = '/'
+		if not redir.startswith(f'{SITE_FULL}/') and not redir.startswith('/'): redir = '/'
 	if redir:
-		if redir.startswith(SITE_FULL): return redirect(redir)
+		if redir.startswith(f'{SITE_FULL}/'): return redirect(redir)
 		if redir.startswith('/'): return redirect(f'{SITE_FULL}{redir}')
 	return redirect('/')
diff --git a/files/routes/subs.py b/files/routes/subs.py
index d4edc8714..827360e47 100644
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@@ -472,7 +472,7 @@ def sub_toggle(v):
 	g.db.add(v)
 	g.db.commit()
-	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(SITE_FULL):
+	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(f'{SITE_FULL}/'):
 		return redirect(request.referrer)
 	return redirect('/')