carpathianflorist
/
MarseyWorld
forked from MarseyWorld/MarseyWorld
1
0
Fork 0
Code Pull Requests Activity
21,810 Commits
1 Branch
0 Tags
2.3 GiB
Commit Graph

21810 Commits (5b870f06af54bd49b22daae7a22547ddaac79333)

Author SHA1 Message Date
SneedBot 5b870f06af sneed 2022-12-07 08:16:11 +00:00
Aevann1 a3f1b85e16 fix this https://stupidpol.site/h/programming/post/129189/advent-of-code-day-6/3195992?context=8#context 2022-12-07 09:58:46 +02:00
SneedBot 8e964d5b68 sneed 2022-12-07 07:54:23 +00:00
Aevann1 7d6b5862e4 uncomment commented line lol 2022-12-07 09:53:46 +02:00
Aevann1 3f6d2be5f6 fix chat in midnight theme 2022-12-07 09:52:54 +02:00
Aevann1 14aaed820c boost scrd.app 2022-12-07 09:36:56 +02:00
Aevann1 55125cf217 remove padding 2022-12-07 08:21:13 +02:00
Aevann1 5e87e53335 make poll limit 20 on rdrama and 30 on wpd 2022-12-07 07:30:03 +02:00
SneedBot 17696b5ca2 sneed 2022-12-06 22:09:50 +00:00
justcool393 6dbad04f08 band-aid fix for frozen session issue on signup (#50) 
through some reason or another, people are somehow getting cookies that aren't prepended with a dot.

this is a problem because both sessions at, as best as I can tell, mix so it tries to read from a different cookie than we write to. this essentially "freezes" the session in place. users are unable to login, logout, signup, toggle poor mode, toggle NSFW, etc.

~~this attempts to delete bad session cookies (i.e. cookies with a domain that don't start with a dot).~~

~~we don't do this on "dotless" domains (and by extension localhost) because browser support for setting cookies on FQDNs that only have one dot has tenuous support among browsers anyway).~~

~~this *may* log some people out, but... their days of being able to do stuff on the site were numbered anyway.~~

**edit: as amazing as this thought was, browsers just wipe the entire cookies completely and there's no way to specifically target dotless cookies. for an issue that affects a few users, better to just tell them to clear their cookies. if *this* doesn't work, delete service-worker.js and be done with the whole service worker crap. forever. permanently. this PR also includes some QOL improvements.**

Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: rDrama/rDrama#50
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
 2022-12-06 22:07:12 +00:00
justcool393 c12bf5105f WPD: remove poll limit (#51) 
by request of the wpd mops

Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: rDrama/rDrama#51
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
 2022-12-06 18:24:41 +00:00
Aevann1 6c491b9d11 convert LICENSE to tabs 2022-12-06 15:34:09 +02:00
Snakes 9160a853ec
Remove !YOU!. 
Security mess and stale joke.
 2022-12-05 20:06:04 -05:00
Snakes fe5ffd1bcf
security: sanitize !YOU! in <a href="">. 
Unlike the recent auto-embed exploits which have been patched, this
requires active user action. However our userbase, like all userbases,
contains quite a few retards and phoneposters who don't check links
before clicking.

Example exploit:

    <a href="https://example.com/log?username=!YOU!">Bardfinn Dox</a>
 2022-12-05 19:05:02 -05:00
Snakes 616634158c
Narrow approved_embed_hosts for security. 
Probably will break some peoples' profilecss and irritate the
newsposters, but in light of recent live proven exploits to disclose
user IP & username pairs to remote servers, the broad list of embed
hosts was unsustainable and impossible to prove safe.

We extend is_safe_url to allow whitelisting subdomains, specifically
to solve the s.lain.la open redirect exploit. Also, open media proxies
like external-content.duckduckgo.com were concerning enough, despite
likely being safe, to warrant removal. Anything infrequently used and
difficult to review, or has a reasonable alternative, was also removed.

In general: we want people to be rehosting, and if we want to allow
more external content, we need to run a media proxy. The central issue
is that any user-configurable 302 is a potential disclosure risk, and
Lord knows how many ways there were to get <arbitrarynewssite>.com to
do so. Maybe zero, but the problem is we just don't know.
 2022-12-05 18:57:35 -05:00
SneedBot 112ca2f1e4 sneed 2022-12-05 21:21:28 +00:00
float-trip bca9aff068 Disallow !YOU! in URLs. (#49) 
!YOU! + an escape for `approved_embed_hosts` could let you grab the IP and username of everyone who views your comment

https://rdrama.net/post/129053/you-callout-thread/3191218?context=8#context

lain.la has a URL shortener that also works to get around embed hosts, fwiw

Co-authored-by: float trip <float-trip@rdrama.net>
Reviewed-on: rDrama/rDrama#49
Co-authored-by: float-trip <float-trip@noreply.fsdfsd.net>
Co-committed-by: float-trip <float-trip@noreply.fsdfsd.net>
 2022-12-05 21:20:59 +00:00
Aevann1 b5b3b9dcc3 fix pin awards 2022-12-05 18:01:13 +02:00
Aevann1 ede58dd886 fix margins 2022-12-05 17:23:41 +02:00
Aevann1 8101e7d91b fix 500 errors 2022-12-05 17:16:11 +02:00
Aevann1 15088e5eef add button to remove current profile background 2022-12-05 17:14:53 +02:00
Aevann1 84ec5f5b46 truncate unnecessary logic 2022-12-05 17:10:15 +02:00
Aevann1 847385ad87 fix https://stupidpol.site/h/changelog/post/128866/changelog-added-profile-walls-profile-views/3188365?context=8#context 2022-12-05 16:51:50 +02:00
SneedBot 4ddbd0117f sneed 2022-12-05 14:38:36 +00:00
Aevann1 2b7f7cef1b fix marking read from push notifs 2022-12-05 16:38:24 +02:00
Aevann1 99c12a74ad only show "upload profile background" if user on desktop or uses transparent theme to prevent confusion 2022-12-05 16:30:55 +02:00
Aevann1 ab7144d94a Revert "only show "upload profile background" if user on desktop or uses transparent theme" 
This reverts commit 7b0de3e79d.
 2022-12-05 16:25:39 +02:00
SneedBot 8d9c7fe635 sneed 2022-12-05 14:22:33 +00:00
Aevann1 7b0de3e79d only show "upload profile background" if user on desktop or uses transparent theme 2022-12-05 16:22:19 +02:00
Aevann1 7f1de57ffe minor log fix 2022-12-05 16:06:11 +02:00
Aevann1 159cb52e46 add looksmax.org to BOOSTED_SITES 2022-12-05 15:59:01 +02:00
Aevann1 4583c3d4eb cosmetic changes 2022-12-05 08:46:04 +02:00
Aevann1 67136ec707 minor style change 2022-12-05 08:23:42 +02:00
Aevann1 c0169d0dab fix voting on profile wall 2022-12-05 08:18:37 +02:00
Aevann1 1fead79a86 fix 2022-12-05 08:15:13 +02:00
Aevann1 9dacb7c307 add teamblind.com to boosted sites 2022-12-05 08:13:11 +02:00
Aevann1 f5ef9f431a fix wall margins 2022-12-05 08:12:46 +02:00
Aevann1 77058d31dc move pcm sidebar image to top 2022-12-05 07:35:05 +02:00
Aevann1 39ad0bd5f8 fix margins 2022-12-05 07:33:32 +02:00
Aevann1 4e4a0e734a margin change 2022-12-05 07:29:44 +02:00
Aevann1 bbc33b9331 edit PCM rules 2022-12-05 07:28:15 +02:00
Aevann 18df70caab allow JL3 to edit rules (#39) 
Co-authored-by: Aevann1 <randomname42029@gmail.com>
Reviewed-on: rDrama/rDrama#39
Co-authored-by: Aevann <aevann@noreply.fsdfsd.net>
Co-committed-by: Aevann <aevann@noreply.fsdfsd.net>
 2022-12-05 05:22:08 +00:00
Aevann1 77c37b0fd2 same as last commit 2022-12-05 07:01:20 +02:00
Aevann1 e7fbf5f5b9 site background shit 2022-12-05 07:00:44 +02:00
Aevann1 ea934e17b9 fix 500 error 2022-12-05 06:57:27 +02:00
Aevann1 57ffc26fc6 grammar + consistency 2022-12-05 06:56:05 +02:00
Aevann1 868fb1024f update carp's badge 2022-12-05 06:37:03 +02:00
Aevann f8aa67fb9a add button on profile to upload profile background (#48) 
Co-authored-by: Aevann1 <randomname42029@gmail.com>
Reviewed-on: rDrama/rDrama#48
Co-authored-by: Aevann <aevann@noreply.fsdfsd.net>
Co-committed-by: Aevann <aevann@noreply.fsdfsd.net>
 2022-12-05 04:16:45 +00:00
SneedBot ef4243f5c0 sneed 2022-12-05 04:12:09 +00:00
Aevann1 87573936e7 disable site background in profiles 2022-12-05 06:05:20 +02:00