Merge branch 'frost' of https://github.com/Aevann1/rDrama into frost

master
Aevann1 2022-10-06 03:02:00 +02:00
commit e92da1cacc
6 changed files with 64 additions and 42 deletions


@ -335,7 +335,7 @@ class Submission(Base):
def realbody(self, v, listing=False): def realbody(self, v, listing=False):
if self.club and not (v and (v.paid_dues or v.id == self.author_id)): return f"<p>{CC} ONLY</p>" if self.club and not (v and (v.paid_dues or v.id == self.author_id)): return f"<p>{CC} ONLY</p>"
if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]" if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]"; if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]"
body = self.body_html or "" body = self.body_html or ""
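Review bot: The deletion guard in realbody, `not (v and (v.admin_level >= 2) or v.id == self.author.id)`, parses as `not ((v and v.admin_level >= 2) or v.id == self.author.id)`, so a logged-out viewer (`v` is None) of a deleted post evaluates `None.id` in the `or` branch and raises instead of receiving "[Deleted by user]". The intended check is presumably `not (v and (v.admin_level >= 2 or v.id == self.author_id))`, which also uses the same `self.author_id` comparison as the club line directly above rather than loading `self.author`. Which line this hunk actually changes is not recoverable from the rendered page (old and new print identically), so the precedence problem may predate the commit; realbody continues outside the hunk.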


@ -139,13 +139,13 @@ def execute_snappy(post, v):
body += addition body += addition
archive_url(href) archive_url(href)
body = body.strip() body = body.strip()[:POST_BODY_LENGTH_LIMIT]
body_html = sanitize(body) body_html = sanitize(body)
if len(body_html) == 0: if len(body_html) == 0:
return return
if len(body_html) < 40000: if len(body_html) < POST_BODY_HTML_LENGTH_LIMIT:
c = Comment(author_id=SNAPPY_ID, c = Comment(author_id=SNAPPY_ID,
distinguish_level=6, distinguish_level=6,
parent_submission=post.id, parent_submission=post.id,
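Review bot: The guard `if len(body_html) < POST_BODY_HTML_LENGTH_LIMIT:` silently drops a Snappy comment whose rendered body is exactly 40000 characters, while edit_post and submit_post in this same commit reject only `> POST_BODY_HTML_LENGTH_LIMIT` and so store a body of exactly the limit. If the constant is an inclusive maximum, as its comment ("do not make larger than 40000") suggests, `if len(body_html) <= POST_BODY_HTML_LENGTH_LIMIT:` makes the three sites agree. The truncation `body.strip()[:POST_BODY_LENGTH_LIMIT]` happens before `sanitize`, which is the right order, but a cut in the middle of a markdown link is still passed to the sanitizer; that is presumably tolerated. execute_snappy continues outside the hunk on both sides.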


@ -155,6 +155,11 @@ EMOJI_SRCS = ['files/assets/emojis.json']
PIN_LIMIT = 3 PIN_LIMIT = 3
POST_RATE_LIMIT = '1/second;2/minute;10/hour;50/day' POST_RATE_LIMIT = '1/second;2/minute;10/hour;50/day'
POST_TITLE_LENGTH_LIMIT = 500 # do not make larger than 500 without altering the table
POST_TITLE_HTML_LENGTH_LIMIT = 1500 # do not make larger than 1500 without altering the table
POST_BODY_LENGTH_LIMIT = 20000 # do not make larger than 20000 without altering the table
POST_BODY_HTML_LENGTH_LIMIT = 40000 # do not make larger than 40000 without altering the table
LOGGEDIN_ACTIVE_TIME = 15 * 60 LOGGEDIN_ACTIVE_TIME = 15 * 60
PFP_DEFAULT_MARSEY = True PFP_DEFAULT_MARSEY = True
NOTIFICATION_SPAM_AGE_THRESHOLD = 0.5 * 86400 NOTIFICATION_SPAM_AGE_THRESHOLD = 0.5 * 86400
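Review bot: The four new limit comments say "without altering the table" but never name the table or column each number mirrors, so whoever next raises a limit has to rediscover which schema column is bound to it. Spell it out per line, e.g. `POST_TITLE_LENGTH_LIMIT = 500 # mirrors the length of <table>.<column>; do not raise without widening that column`, with the same form on the three siblings. These limits count Python characters (the call sites use `len()` and `str` slicing), which matches a character-typed column but not a byte-bounded one; worth confirming against the schema when filling in the names.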


@ -189,6 +189,19 @@ def with_sigalrm_timeout(timeout: int):
return inner return inner
def sanitize_raw_title(sanitized):
if not sanitized: return ""
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r","").replace("\n", "")
sanitized = sanitized.strip()
return sanitized[:POST_TITLE_LENGTH_LIMIT]
def sanitize_raw_body(sanitized):
if not sanitized: return ""
sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
sanitized = sanitized.strip()
return sanitized[:POST_BODY_LENGTH_LIMIT]
@with_sigalrm_timeout(5) @with_sigalrm_timeout(5)
def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False): def sanitize(sanitized, golden=True, limit_pings=0, showmore=True, count_marseys=False, torture=False):
sanitized = sanitized.strip() sanitized = sanitized.strip()
@ -419,10 +432,10 @@ def filter_emojis_only(title, golden=True, count_marseys=False, graceful=False,
title = strikethrough_regex.sub(r'\1<del>\2</del>', title) title = strikethrough_regex.sub(r'\1<del>\2</del>', title)
title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https']) title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https']).replace('\n','').strip()
if len(title) > 1500 and not graceful: abort(400) if len(title) > POST_TITLE_HTML_LENGTH_LIMIT and not graceful: abort(400)
else: return title.replace('\n','').strip() else: return title
def normalize_url(url): def normalize_url(url):
url = reddit_domain_regex.sub(r'\1https://old.reddit.com/\3/', url) url = reddit_domain_regex.sub(r'\1https://old.reddit.com/\3/', url)
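Review bot: In the first hunk, sanitize_raw_body normalises only the `\r\n` pair, so a bare `\r` from a client still reaches the stored body, whereas sanitize_raw_title strips `\r` outright; appending `.replace("\r", "\n")` after the `\r\n` replacement closes that gap. Both new helpers also lack a docstring; a one-liner such as `"""Strip zero-width/BOM characters and CR/LF, trim, and cap at POST_TITLE_LENGTH_LIMIT; falsy input yields ""."""` on sanitize_raw_title, and the body equivalent noting that `\r\n` becomes `\n` and the cap is POST_BODY_LENGTH_LIMIT, would record the contract that submissions.py now relies on. Note that the title helper deletes newlines rather than replacing them with a space, so a pasted two-line title runs its words together; whether that is intended is not visible here.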


@ -374,11 +374,9 @@ def morecomments(v, cid):
def edit_post(pid, v): def edit_post(pid, v):
p = get_post(pid) p = get_post(pid)
title = request.values.get("title", "").strip().replace('','') title = sanitize_raw_title(request.values.get("title", ""))
body = request.values.get("body", "").strip().replace('','') body = sanitize_raw_body(request.values.get("body", ""))
body = body.replace('\r\n', '\n')[:20000]
if v.id != p.author_id and v.admin_level < 2: if v.id != p.author_id and v.admin_level < 2:
abort(403) abort(403)
@ -389,6 +387,8 @@ def edit_post(pid, v):
elif v.bird and len(body) > 140: elif v.bird and len(body) > 140:
return {"error":"You have to type less than 140 characters!"}, 403 return {"error":"You have to type less than 140 characters!"}, 403
if not title:
return {"error": "Please enter a better title."}, 400
if title != p.title: if title != p.title:
torture = (v.agendaposter and not v.marseyawarded and p.sub != 'chudrama' and v.id == p.author_id) torture = (v.agendaposter and not v.marseyawarded and p.sub != 'chudrama' and v.id == p.author_id)
@ -397,12 +397,11 @@ def edit_post(pid, v):
if v.id == p.author_id and v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html): if v.id == p.author_id and v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
return {"error":"You can only type marseys!"}, 403 return {"error":"You can only type marseys!"}, 403
p.title = title[:500] p.title = title
p.title_html = title_html p.title_html = title_html
body += process_files() body += process_files()
body = body.strip()[:POST_BODY_LENGTH_LIMIT] # process_files() may be adding stuff to the body
body = body.strip()
if body != p.body: if body != p.body:
for i in poll_regex.finditer(body): for i in poll_regex.finditer(body):
@ -440,7 +439,7 @@ def edit_post(pid, v):
g.db.add(v) g.db.add(v)
send_repeatable_notification(CARP_ID, p.permalink) send_repeatable_notification(CARP_ID, p.permalink)
if len(body_html) > 40000: return {"error":"Submission body_html too long! (max 40k characters)"}, 400 if len(body_html) > POST_BODY_HTML_LENGTH_LIMIT: return {"error":f"Submission body_html too long! (max {POST_BODY_HTML_LENGTH_LIMIT} characters)"}, 400
p.body_html = body_html p.body_html = body_html
@ -661,18 +660,24 @@ def submit_post(v, sub=None):
if '\\' in url: abort(400) if '\\' in url: abort(400)
title = request.values.get("title", "").strip()[:500].replace('','') title = sanitize_raw_title(request.values.get("title", ""))
body = request.values.get("body", "").strip().replace('','') body = sanitize_raw_body(request.values.get("body", ""))
body = body.replace('\r\n', '\n')[:20000]
def error(error): def error(error):
if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": error}, 403 if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": error}, 400
SUBS = [x[0] for x in g.db.query(Sub.name).order_by(Sub.name).all()] SUBS = [x[0] for x in g.db.query(Sub.name).order_by(Sub.name).all()]
return render_template("submit.html", SUBS=SUBS, v=v, error=error, title=title, url=url, body=body), 400 return render_template("submit.html", SUBS=SUBS, v=v, error=error, title=title, url=url, body=body), 400
if not title:
return error("Please enter a better title.")
torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
title_html = filter_emojis_only(title, graceful=True, count_marseys=True, torture=torture)
if v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
return error("You can only type marseys!")
if len(title_html) > POST_TITLE_HTML_LENGTH_LIMIT:
return error("Rendered title is too big!")
sub = request.values.get("sub", "").lower().replace('/h/','').strip() sub = request.values.get("sub", "").lower().replace('/h/','').strip()
@ -696,15 +701,6 @@ def submit_post(v, sub=None):
return error(f"You must choose a {HOLE_NAME} for your post!") return error(f"You must choose a {HOLE_NAME} for your post!")
if v.is_suspended: return error("You can't perform this action while banned.") if v.is_suspended: return error("You can't perform this action while banned.")
torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
title_html = filter_emojis_only(title, graceful=True, count_marseys=True, torture=torture)
if v.marseyawarded and not marseyaward_title_regex.fullmatch(title_html):
return error("You can only type marseys!")
if len(title_html) > 1500: return error("Rendered title is too big!")
if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')): if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')):
return error("You have to type more than 280 characters!") return error("You have to type more than 280 characters!")
@ -784,16 +780,9 @@ def submit_post(v, sub=None):
embed = str(int(id)) embed = str(int(id))
if not url and not request.values.get("body") and not request.files.get("file") and not request.files.get("file-url"): if not url and not body and not request.files.get("file") and not request.files.get("file-url"):
return error("Please enter a url or some text.") return error("Please enter a url or some text.")
if not title:
return error("Please enter a better title.")
elif len(title) > 500:
return error("There's a 500 character limit for titles.")
dup = g.db.query(Submission).filter( dup = g.db.query(Submission).filter(
Submission.author_id == v.id, Submission.author_id == v.id,
Submission.deleted_utc == 0, Submission.deleted_utc == 0,
@ -868,8 +857,7 @@ def submit_post(v, sub=None):
body = body.replace(i.group(0), "") body = body.replace(i.group(0), "")
body += process_files() body += process_files()
body = body.strip()[:POST_BODY_LENGTH_LIMIT] # process_files() adds content to the body, so we need to re-strip
body = body.strip()
torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama') torture = (v.agendaposter and not v.marseyawarded and sub != 'chudrama')
@ -878,7 +866,7 @@ def submit_post(v, sub=None):
if v.marseyawarded and marseyaward_body_regex.search(body_html): if v.marseyawarded and marseyaward_body_regex.search(body_html):
return error("You can only type marseys!") return error("You can only type marseys!")
if len(body_html) > 40000: return error("Submission body_html too long! (max 40k characters)") if len(body_html) > POST_BODY_HTML_LENGTH_LIMIT: return error(f"Submission body_html too long! (max {POST_BODY_HTML_LENGTH_LIMIT} characters)")
club = False club = False
if FEATURES['COUNTRY_CLUB']: if FEATURES['COUNTRY_CLUB']:
@ -905,10 +893,10 @@ def submit_post(v, sub=None):
app_id=v.client.application.id if v.client else None, app_id=v.client.application.id if v.client else None,
is_bot = is_bot, is_bot = is_bot,
url=url, url=url,
body=body[:20000], body=body,
body_html=body_html, body_html=body_html,
embed_url=embed, embed_url=embed,
title=title[:500], title=title,
title_html=title_html, title_html=title_html,
sub=sub, sub=sub,
ghost=ghost ghost=ghost
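Review bot: The torture/title_html block in the -661/+660 hunk of submit_post now runs before `sub = request.values.get("sub", "").lower().replace('/h/','').strip()`, so `sub != 'chudrama'` is evaluated against the route parameter `sub` (None by default) rather than the form value it used at its old position below the is_suspended check in the -696 hunk. Assuming these lines sit at the same nesting level as the `sub` assignment, a chudrama post submitted through the form gets torture applied, and the marsey-only and rendered-length checks run against the wrong title_html. Keep the early `if not title` check where it is, but move the five torture/title_html/marseyaward/length lines back below the `is_suspended` check, after `sub` has been resolved. Separately, dropping the old `len(title) > 500` error in favour of silent truncation inside sanitize_raw_title means an over-long title is now cut without any feedback to the user; if that is deliberate it deserves a one-line comment at the call site. submit_post and edit_post both extend beyond the hunks shown.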
