As one would expect, pointless to have a dot at the end of the subject of a very important message (dot)
Were it not for the extraneous dot, the legitimacy of the message would still be in question due to its lack of verbiage uniformization. The verbiage is "verify" everywhere else except for some parts of the code itself. This is egregious. With this single-commit pull request, we eradicate the last of "Validate".
Co-authored-by: mmadeira <marcos_madeira@outlook.com>
Reviewed-on: rDrama/rDrama#54
Co-authored-by: mummified-corroding-granny <mummified-corroding-granny@noreply.fsdfsd.net>
Co-committed-by: mummified-corroding-granny <mummified-corroding-granny@noreply.fsdfsd.net>
through some reason or another, people are somehow getting cookies that aren't prepended with a dot.
this is a problem because both sessions at, as best as I can tell, mix so it tries to read from a different cookie than we write to. this essentially "freezes" the session in place. users are unable to login, logout, signup, toggle poor mode, toggle NSFW, etc.
~~this attempts to delete bad session cookies (i.e. cookies with a domain that don't start with a dot).~~
~~we don't do this on "dotless" domains (and by extension localhost) because browser support for setting cookies on FQDNs that only have one dot has tenuous support among browsers anyway.~~
~~this *may* log some people out, but... their days of being able to do stuff on the site were numbered anyway.~~
**edit: as amazing as this thought was, browsers just wipe the entire cookies completely and there's no way to specifically target dotless cookies. for an issue that affects a few users, better to just tell them to clear their cookies. if *this* doesn't work, delete service-worker.js and be done with the whole service worker crap. forever. permanently. this PR also includes some QOL improvements.**
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: rDrama/rDrama#50
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
Unlike the recent auto-embed exploits which have been patched, this
requires active user action. However our userbase, like all userbases,
contains quite a few retards and phoneposters who don't check links
before clicking.
Example exploit:
<a href="https://example.com/log?username=!YOU!">Bardfinn Dox</a>
Probably will break some people's profilecss and irritate the
newsposters, but in light of recent live proven exploits to disclose
user IP & username pairs to remote servers, the broad list of embed
hosts was unsustainable and impossible to prove safe.
We extend is_safe_url to allow whitelisting subdomains, specifically
to solve the s.lain.la open redirect exploit. Also, open media proxies
like external-content.duckduckgo.com were concerning enough, despite
likely being safe, to warrant removal. Anything infrequently used and
difficult to review, or has a reasonable alternative, was also removed.
In general: we want people to be rehosting, and if we want to allow
more external content, we need to run a media proxy. The central issue
is that any user-configurable 302 is a potential disclosure risk, and
Lord knows how many ways there were to get <arbitrarynewssite>.com to
do so. Maybe zero, but the problem is we just don't know.
!YOU! + an escape for `approved_embed_hosts` could let you grab the IP and username of everyone who views your comment
https://rdrama.net/post/129053/you-callout-thread/3191218?context=8#context
lain.la has a URL shortener that also works to get around embed hosts, fwiw
Co-authored-by: float trip <float-trip@rdrama.net>
Reviewed-on: rDrama/rDrama#49
Co-authored-by: float-trip <float-trip@noreply.fsdfsd.net>
Co-committed-by: float-trip <float-trip@noreply.fsdfsd.net>
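The allowlist idea described in the commit above (exact hosts plus parents whose subdomains are permitted, so that shortener and open-proxy hosts are rejected by default), written out as an added example. This is not rDrama's own `is_safe_url`; the host names in the allowlist and the `expand_viewer_token` helper are constructed for illustration.

```python
"""Added example, not rDrama's code: allowlist-based outbound URL check.

A user-controlled link or embed that reaches a non-allowlisted host can pair
the viewer's IP with whatever the site substitutes into the URL, so the
check has to run before any viewer-specific token is expanded.
"""
from urllib.parse import urlsplit

# Constructed allowlist. EXACT_HOSTS match as-is; any *.parent under
# SUBDOMAIN_PARENTS is also accepted (the "whitelist subdomains" extension).
EXACT_HOSTS = {"rdrama.net", "i.imgur.com"}
SUBDOMAIN_PARENTS = {"rdrama.net"}

VIEWER_TOKEN = "!YOU!"  # placeholder the site replaces with the viewer's name


def is_safe_url(url: str) -> bool:
    """True only for an https URL whose host is on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed IPv6 literal and similar
        return False
    if parts.scheme != "https":  # rejects http:, javascript:, scheme-relative //
        return False
    if parts.username or parts.password:
        # https://rdrama.net@other.example/ has host other.example, not rdrama.net
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False
    if host in EXACT_HOSTS:
        return True
    # Suffix match with the leading dot so "notrdrama.net" does not match.
    return any(host.endswith("." + parent) for parent in SUBDOMAIN_PARENTS)


def expand_viewer_token(url: str, viewer_name: str):
    """Substitute the viewer token only into allowlisted URLs.

    Returns the rewritten URL, or None when the link should not be rendered:
    expanding the token into a foreign host would hand that host the
    viewer's name alongside the request that fetches it.
    """
    if not is_safe_url(url):
        return None
    return url.replace(VIEWER_TOKEN, viewer_name)
```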
- /h/masterbaiters: 1 TS - for gayops
- /h/countryclub: 1000 TS - for anything requiring secrecy and doesn't need critical mass - have to make it a rule that u cant post gayops in /h/countryclub
- /h/chudrama: 5000 TS - for chad+stud posts
EDIT: i removed the /h/masterbaiters gate, but u can bring it back if u want
Co-authored-by: Aevann1 <randomname42029@gmail.com>
Co-authored-by: Snakes <duolsm@outlook.com>
Reviewed-on: rDrama/rDrama#41
Co-authored-by: Aevann <aevann@noreply.fsdfsd.net>
Co-committed-by: Aevann <aevann@noreply.fsdfsd.net>
Hiiiii it's carp! I think this error means that there's a timeout error. And I think that means something took too long to load so it decided not to work at all. If you keep seeing this on the same page <I>but not other pages</I>, then something is probably wrong with that specific function. It may not be called a function, but that sounds right to me. Anyway, <s>ping me and I'll whine to someone smarter to fix it. Don't bother them.</s> <B>After a year and a half of infuriating pings, the new instructions are to quit whining and just wait until it works again oh my god shut UP.</B><BR><BR> Thanks ily <3
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: rDrama/rDrama#36
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
The 500 fixed in 71738b05fc revealed that attempting to access g.v at
all during an error handler can potentially cause its own error.
In particular, html_head L111 accessing v.themecolor errored because
we roll back the database session during 500 handling. There's no good
solution other than specifically not passing v to 500 error pages.
However, in the interest of failing fast and ensuring error handlers
always complete, we instead go back to the previous behavior of not
treating users as logged in for error pages.
also get rid of megathread logic
do the needful and do
```sql
UPDATE submissions SET new=true WHERE title LIKE 'Thread' OR title ILIKE 'megathread';
```
or whatever the proper equivalent is
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: rDrama/rDrama#34
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
Addressing the downvote spamming on WPD. Correctly shows jannies which
users are SB'd, shows all voters (sans SB icons) to SB'd users, and
only shows real voters to normies. SB'd users votes are still tracked
so the icons look to them like they're doing something.