diff --git a/files/routes/admin.py b/files/routes/admin.py
index 5d2b98b9c..b4a3b911d 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -751,9 +751,8 @@ def alt_votes_get(v):
 @limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(PERMS['USER_LINK'])
 def admin_link_accounts(v):
-
- u1 = int(request.values.get("u1"))
- u2 = int(request.values.get("u2"))
+ u1 = get_account(request.values.get("u1")).id
+ u2 = get_account(request.values.get("u2")).id
 
 new_alt = Alt(
 user1=u1,
diff --git a/files/routes/asset_submissions.py b/files/routes/asset_submissions.py
index bbe444464..96ff43166 100644
--- a/files/routes/asset_submissions.py
+++ b/files/routes/asset_submissions.py
@@ -266,7 +266,10 @@ if SITE not in ('pcmemes.net', 'watchpeopledie.co'):
 if not hat_regex.fullmatch(new_name): abort(400, "Invalid name!")
 if not description_regex.fullmatch(description): abort(400, "Invalid description!")
- hat.price = int(request.values.get('price'))
+ try:
+ hat.price = int(request.values.get('price'))
+ except:
+ abort(400, "Invalid hat price")
 hat.name = new_name
 hat.description = description
 g.db.add(hat)
diff --git a/files/routes/giphy.py b/files/routes/giphy.py
index 11142c6a1..5adcda9e7 100644
--- a/files/routes/giphy.py
+++ b/files/routes/giphy.py
@@ -12,7 +12,11 @@ from files.__main__ import app
 def giphy(v=None, path=None):
 searchTerm = request.values.get("searchTerm", "").strip()
- limit = int(request.values.get("limit", 48))
+ limit = 48
+ try:
+ limit = int(request.values.get("limit", 48))
+ except:
+ pass
 if searchTerm and limit:
 url = f"https://api.giphy.com/v1/gifs/search?q={searchTerm}&api_key={GIPHY_KEY}&limit={limit}"
 elif searchTerm and not limit:
diff --git a/files/routes/login.py b/files/routes/login.py
index 73ddc2766..bb61b0c9c 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
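Review bot: Nothing in the new lines rejects linking an account to itself: `u1` and `u2` are resolved independently and then written into `Alt(user1=u1, ...)`, so a request carrying the same value twice would create a self-alt unless get_account or code after the hunk prevents it (admin_link_accounts continues past the hunk). A guard such as `if u1 == u2: abort(400, "Cannot link an account to itself")` placed before `new_alt = Alt(` would make that explicit. Whether get_account aborts on a missing or non-numeric value is not visible here; if it can return None, the `.id` access would raise a server error instead of a 400, which is worth confirming.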
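Review bot: The new `except:` around `int(request.values.get('price'))` is a bare clause, so it also catches SystemExit and KeyboardInterrupt, while the only exceptions the int() call can raise are TypeError (missing value) and ValueError (non-numeric); `except (TypeError, ValueError):` states the intent, and the same narrowing applies to the equivalent new clauses in giphy.py, login.py (sign_up_post, get_reset, post_reset, reset_2fa), oauth.py, polls.py, posts.py, reporting.py and users.py in this commit. Separately, the parse accepts any integer, so a negative hat price is stored as-is; a range check after the try block, `if hat.price < 0: abort(400, "Invalid hat price")`, closes that. The enclosing function starts and ends outside the hunk.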
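Review bot: `limit` is parsed but never bounded, so a client can send an arbitrarily large or negative value that is interpolated into the upstream request URL on the unchanged `url = f"..."` line; a negative value is also truthy, so it takes the `if searchTerm and limit:` branch rather than the `not limit` one. Clamping after the try block, e.g. `limit = max(0, min(limit, 48))`, keeps the request within what the default already allows (48 is the page's own default; substitute the real ceiling the API accepts). The `except: pass` fallback to 48 is reasonable for a search endpoint but should be `except (TypeError, ValueError):`. On the same unchanged line `searchTerm` is placed in the query string without percent-encoding; `urllib.parse.quote(searchTerm)` would keep user input from altering the rest of the query string.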
@@ -302,7 +302,11 @@ def sign_up_post(v): session.pop("signup_token") - ref_id = int(request.values.get("referred_by", 0)) + ref_id = 0 + try: + ref_id = int(request.values.get("referred_by", 0)) + except: + pass users_count = g.db.query(User).count() if users_count == 4: @@ -409,10 +413,12 @@ def post_forgot(): @app.get("/reset") def get_reset(): - user_id = request.values.get("id") - - timestamp = int(request.values.get("time",0)) + timestamp = 0 + try: + timestamp = int(request.values.get("time",0)) + except: + pass token = request.values.get("token") now = int(time.time()) @@ -448,8 +454,11 @@ def post_reset(v): if v: return redirect('/') user_id = request.values.get("user_id") - - timestamp = int(request.values.get("time")) + timestamp = 0 + try: + timestamp = int(request.values.get("time")) + except: + abort(400) token = request.values.get("token") password = request.values.get("password") @@ -534,11 +543,13 @@ def request_2fa_disable(): @app.get("/reset_2fa") def reset_2fa(): - now=int(time.time()) t = request.values.get("t") if not t: abort(400) - t = int(t) + try: + t = int(t) + except: + abort(400) if now > t+3600*24: return render_template("message.html", diff --git a/files/routes/oauth.py b/files/routes/oauth.py index 3496aa99c..bcab2073a 100644 --- a/files/routes/oauth.py +++ b/files/routes/oauth.py @@ -97,8 +97,10 @@ def request_api_keys(v): @limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}') @auth_required def delete_oauth_app(v, aid): - - aid = int(aid) + try: + aid = int(aid) + except: + abort(404) app = g.db.get(OauthApp, aid) if not app: abort(404) @@ -118,8 +120,10 @@ def delete_oauth_app(v, aid): @limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}') @is_not_permabanned def edit_oauth_app(v, aid): - - aid = int(aid) + try: + aid = int(aid) + except: + abort(404) app = g.db.get(OauthApp, aid) if not app: abort(404) 
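Review bot: In the get_reset hunk the marker before `user_id = request.values.get("id")` is ambiguous in this rendering: the line counts (10 to 12) fit both "that assignment is removed" and "a blank line above it is removed". If the assignment really goes away, any later use of `user_id` in get_reset (the body continues past the hunk) would raise NameError at request time, so confirm it is unused below before merging. The `except: pass` leaves `timestamp = 0` for a malformed `time` value, which makes the link read as expired rather than erroring — acceptable, but the clause should be `except (TypeError, ValueError):`.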
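Review bot: `timestamp = 0` before the try in post_reset is dead code: the except branch calls abort(400), so the only path past the block is the successful assignment, and the initializer suggests a fallback that does not exist. Dropping that line (or, if a fallback is intended, mirroring get_reset's `pass`) keeps the two reset handlers readable side by side. The same dead initializer appears as `amount = 0` in the kofi hunk in users.py.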
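Review bot: The marker before `now=int(time.time())` in reset_2fa is ambiguous in this rendering; if it removes that assignment rather than the blank line above it, the context line `if now > t+3600*24:` would raise NameError, so the removed line should be confirmed against the repository. The new `except:` around `int(t)` can be `except ValueError:` — `t` is already known to be a non-empty string from `if not t: abort(400)`, so ValueError is the only exception int() can raise there. reset_2fa continues past the hunk.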
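Review bot: `aid` is a path parameter in both delete_oauth_app and edit_oauth_app, so the conversion can be delegated to the URL rule with an `<int:aid>` converter, which makes Flask answer 404 for non-numeric values before the view runs and removes the try/except entirely; the route decorator line itself is outside both hunks. The same applies to `option_id` in the four polls.py views, `offset` in viewmore (posts.py) and `cid`/`uid` in remove_report_comment (reporting.py), though in this rendering the `<...>` segments of the `@app.*` rules appear stripped, so check the actual rule text. If the try/except stays, `except ValueError:` is the precise clause, since a path parameter is always a string.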
diff --git a/files/routes/polls.py b/files/routes/polls.py index 57c22ce9c..387df1e08 100644 --- a/files/routes/polls.py +++ b/files/routes/polls.py @@ -9,13 +9,12 @@ from files.__main__ import app @app.post("/vote/post/option/") @is_not_permabanned def vote_option(option_id, v): - - option_id = int(option_id) - + try: + option_id = int(option_id) + except: + abort(404) option = g.db.get(SubmissionOption, option_id) - if not option: abort(404) - sub = option.post.sub if sub in ('furry','vampire','racist','femboy') and not v.house.lower().startswith(sub): @@ -54,15 +53,13 @@ def vote_option(option_id, v): @app.get("/votes/post/option/") @auth_required def option_votes(option_id, v): - - option_id = int(option_id) - + try: + option_id = int(option_id) + except: + abort(404) option = g.db.get(SubmissionOption, option_id) - if not option: abort(404) - if option.post.ghost: abort(403) - ups = g.db.query(SubmissionOptionVote).filter_by(option_id=option_id).order_by(SubmissionOptionVote.created_utc).all() return render_template("poll_votes.html", @@ -75,15 +72,13 @@ def option_votes(option_id, v): @app.post("/vote/comment/option/") @is_not_permabanned def vote_option_comment(option_id, v): - - option_id = int(option_id) - + try: + option_id = int(option_id) + except: + abort(404) option = g.db.get(CommentOption, option_id) - if not option: abort(404) - sub = option.comment.post.sub - if sub in ('furry','vampire','racist','femboy') and not v.house.lower().startswith(sub): abort(403, f"You need to be a member of House {sub.capitalize()} to vote on polls in /h/{sub}") @@ -111,9 +106,10 @@ def vote_option_comment(option_id, v): @app.get("/votes/comment/option/") @auth_required def option_votes_comment(option_id, v): - - option_id = int(option_id) - + try: + option_id = int(option_id) + except: + abort(404) option = g.db.get(CommentOption, option_id) if not option: abort(404) diff --git a/files/routes/posts.py b/files/routes/posts.py index 406861a41..324e4d23e 100644 
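Review bot: In the vote_option hunk the `-` markers before `if not option: abort(404)` and `sub = option.post.sub` are ambiguous in this rendering; if they remove those lines rather than the blank lines above them, a well-formed id that matches no SubmissionOption reaches `option.post.sub` and fails with AttributeError instead of the 404 that option_votes_comment still returns via its context line. The counts (13 to 12) fit either reading, so confirm against the file; the same ambiguity affects `if not option: abort(404)` / `if option.post.ghost: abort(403)` / `ups = ...` in option_votes and `if not option: abort(404)` / `sub = ...` in vote_option_comment. All four view bodies continue past their hunks.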
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -272,8 +272,9 @@ def post_id(pid, anything=None, v=None, sub=None):
 def viewmore(v, pid, sort, offset):
 post = get_post(pid, v=v)
 if post.club and not (v and (v.paid_dues or v.id == post.author_id)): abort(403)
-
- offset = int(offset)
+ try:
+ offset = int(offset)
+ except: abort(400)
 try:
 ids = set(int(x) for x in request.values.get("ids").split(','))
 except: abort(400)
diff --git a/files/routes/reporting.py b/files/routes/reporting.py
index 509e84af8..fa39a3dcd 100644
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@@ -143,12 +143,10 @@ def flag_comment(cid, v):
 @limiter.limit("4/second;100/minute;300/hour;2000/day")
 @admin_level_required(PERMS['FLAGS_REMOVE'])
 def remove_report_post(v, pid, uid):
-
 try:
 pid = int(pid)
 uid = int(uid)
 except: abort(400)
-
 report = g.db.query(Flag).filter_by(post_id=pid, user_id=uid).one_or_none()
 if report:
@@ -170,10 +168,10 @@ def remove_report_post(v, pid, uid):
 @limiter.limit("4/second;100/minute;300/hour;2000/day")
 @admin_level_required(PERMS['FLAGS_REMOVE'])
 def remove_report_comment(v, cid, uid):
-
- cid = int(cid)
- uid = int(uid)
-
+ try:
+ cid = int(cid)
+ uid = int(uid)
+ except: abort(400)
 report = g.db.query(CommentFlag).filter_by(comment_id=cid, user_id=uid).one_or_none()
 if report:
diff --git a/files/routes/static.py b/files/routes/static.py
index 84422fae6..3ae8bed31 100644
--- a/files/routes/static.py
+++ b/files/routes/static.py
@@ -169,7 +169,6 @@ def log(v):
 @app.get("/log/")
 @auth_required
 def log_item(id, v):
-
 try:
 id = int(id)
 except: abort(404)
diff --git a/files/routes/users.py b/files/routes/users.py
index 5accc3725..16fc1b262 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -1203,7 +1203,11 @@ def kofi():
 id = data['kofi_transaction_id']
 created_utc = int(time.mktime(time.strptime(data['timestamp'].split('.')[0], "%Y-%m-%dT%H:%M:%SZ")))
 type = data['type']
- amount = int(float(data['amount']))
+ amount = 0
+ try:
+ amount = int(float(data['amount']))
+ except:
+ abort(400, 'invalid amount')
 email = data['email']
 transaction = Transaction(
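Review bot: `int(float(data['amount']))` truncates the payment amount toward zero, so a value of "4.99" is stored as 4 and anything below 1 becomes 0; if whole units are intended that is fine, but for a currency string `int(decimal.Decimal(data['amount']))` avoids binary-float rounding and makes the truncation explicit (`decimal` is stdlib and would need an import at the top of users.py). The parse also accepts zero and negative amounts; unless that is handled after the hunk (kofi continues past it), `if amount <= 0: abort(400, 'invalid amount')` after the try block is a cheap check for a webhook that creates a Transaction. `amount = 0` before the try is dead since the except branch aborts. If the bare `except:` is narrowed, use `(TypeError, ValueError, OverflowError)` — `int(float('inf'))` raises OverflowError — and switch the lookup to `data.get('amount')`, because a missing key currently becomes a 400 only thanks to the bare clause catching KeyError.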