diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index ba107fc81..4fb27b3db 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -714,7 +714,7 @@ def filter_emojis_only(title, golden=True, count_emojis=False, obj=None, author=
title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https']).replace('\n','')
if len(title) > POST_TITLE_HTML_LENGTH_LIMIT:
- abort(400, "Rendered title is too big!")
+ abort(400, "Rendered title is too long!")
title = title.strip()
diff --git a/files/routes/admin.py b/files/routes/admin.py
index 17f5506f9..d421905df 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -845,11 +845,14 @@ def shadowban(user_id, v):
if user.admin_level > v.admin_level:
abort(403)
user.shadowbanned = v.id
- reason = request.values.get("reason", "")[:256].strip()
+ reason = request.values.get("reason", "").strip()
if not reason:
abort(400, "You need to submit a reason for shadowbanning!")
+ if len(reason) > 256:
+ abort(400, "Shadowban reason is too long (max 256 characters)")
+
reason = filter_emojis_only(reason)
if len(reason) > 256:
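Review bot: The trailing `if len(reason) > 256:` applies the same 256 bound to the output of `filter_emojis_only(reason)` that the new check just applied to the raw input, yet the sanitize.py hunk shows that function expands emoji into `img`/`span` markup (`bleach.clean(title, tags=['img','del','span'], ...)`), so a reason that passes the raw check and contains a single emoji is rejected again by the rendered check. The `ban_user` hunk has the same pair, with `Rendered ban reason is too long!` also bound at 256. Elsewhere in this commit the rendered limit is well above the raw one (report 100/350, signature 200/1000); the rendered check here and in `ban_user` should get its own larger bound and a message that names it, e.g. `if len(reason) > 1000: abort(400, "Rendered shadowban reason is too long!")`. The abort paired with the final check and the rest of `shadowban` lie outside the hunk.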
@@ -910,7 +913,10 @@ def admin_change_flair(user_id, v):
user = get_account(user_id)
- new_flair = request.values.get("flair")[:256].strip()
+ new_flair = request.values.get("flair", "").strip()
+
+ if len(new_flair) > 256:
+ abort(400, "New flair is too long (max 256 characters)")
user.flair = new_flair
new_flair = filter_emojis_only(new_flair)
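Review bot: The raw flair bound here is 256 (`if len(new_flair) > 256:`) while the flairlock path in the awards.py hunk bounds the same field at 100 (`if len(new_flair) > 100:`), and both then write `.flair` and run `filter_emojis_only` on it. If the larger admin allowance is deliberate, a short comment such as `# admins may set longer flairs than the flairlock award (100)` would stop the next reader from "fixing" one to match the other; otherwise both should read a single shared constant. Note also that the new `""` default plus `.strip()` means a missing or blank `flair` parameter now clears the flair rather than raising, which is presumably intended but is a behaviour change worth a word in the commit message. The rendered-length check for `new_flair`, if any, is outside the hunk.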
@@ -982,14 +988,18 @@ def ban_user(fullname, v):
if days < 0:
abort(400, "You can't bans people for negative days!")
- reason = request.values.get("reason", "")[:256].strip()
+ reason = request.values.get("reason", "").strip()
if not reason:
abort(400, "You need to submit a reason for banning!")
- reason = filter_emojis_only(reason)
if len(reason) > 256:
- abort(400, "Ban reason too long!")
+ abort(400, "Ban reason is too long (max 256 characters)")
+
+ reason = filter_emojis_only(reason)
+
+ if len(reason) > 256:
+ abort(400, "Rendered ban reason is too long!")
reason = reason_regex_post.sub(r'\1', reason)
reason = reason_regex_comment.sub(r'\1', reason)
diff --git a/files/routes/awards.py b/files/routes/awards.py
index d691ed208..8ea96fcbc 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -188,7 +188,11 @@ def award_thing(v, thing_type, id):
g.db.add(award)
- note = request.values.get("note", "").strip()[:200]
+ note = request.values.get("note", "").strip()
+
+ if len(note) > 200:
+ abort(400, "Award note is too long (max 200 characters)")
+
award.note = note
safe_username = f"@{obj.author_name} is"
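Review bot: The new `if len(note) > 200:` abort fires after `g.db.add(award)` on the first line of the hunk, so the award row is already attached to the session when the request is rejected; whether it is discarded or flushed depends on the app's request-teardown handling, which is not visible here. The flairlock check added in the later hunk of this file (`if len(new_flair) > 100:`) sits even deeper, after further state changes in the `kind` branches. Reading `note` and applying both length checks before `g.db.add(award)` would keep validation ahead of any side effect; `award_thing` starts outside the hunk, so the exact spot for the move is not visible.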
@@ -400,15 +404,19 @@ def award_thing(v, thing_type, id):
obj.chudded = True
complies_with_chud(obj)
elif kind == "flairlock":
- new_name = note[:100]
- if not new_name and author.flairchanged:
+ new_flair = note
+
+ if len(new_flair) > 100:
+ abort(400, "New flair is too long (max 100 characters)")
+
+ if not new_flair and author.flairchanged:
author.flairchanged += 86400
else:
- author.flair = new_name
- new_name = filter_emojis_only(new_name)
- new_name = censor_slurs_profanities(new_name, None)
- if len(new_name) > 1000: abort(403)
- author.flair_html = new_name
+ author.flair = new_flair
+ new_flair = filter_emojis_only(new_flair)
+ new_flair = censor_slurs_profanities(new_flair, None)
+ if len(new_flair) > 1000: abort(403)
+ author.flair_html = new_flair
author.flairchanged = int(time.time()) + 86400
badge_grant(user=author, badge_id=96)
elif kind == "namelock":
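Review bot: `if len(new_flair) > 1000: abort(403)` keeps a bare 403 for a rendered-length failure while every other limit this commit adds responds with 400 and a message, so the flairlock caller gets a permission-style error for an input-size problem; the line is only renamed by this hunk but is the one place the new convention is not applied. Suggest `if len(new_flair) > 1000: abort(400, "Rendered flair is too long!")`. The enclosing `award_thing` starts and ends outside the hunk.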
diff --git a/files/routes/holes.py b/files/routes/holes.py
index 605715c6f..c01cdfa79 100644
--- a/files/routes/holes.py
+++ b/files/routes/holes.py
@@ -450,11 +450,15 @@ def post_hole_sidebar(v, hole):
if not v.mods(hole.name): abort(403)
if v.shadowbanned: abort(400)
- hole.sidebar = request.values.get('sidebar', '')[:10000].strip()
+ hole.sidebar = request.values.get('sidebar', '').strip()
+
+ if len(sidebar) > 10000:
+ abort(400, "New sidebar is too long (max 10000 characters)")
+
sidebar_html = sanitize(hole.sidebar, blackjack=f"/h/{hole} sidebar")
if len(sidebar_html) > 20000:
- abort(400, "Sidebar is too big! (max 20000 characters)")
+ abort(400, "New rendered sidebar is too long!")
hole.sidebar_html = sidebar_html
g.db.add(hole)
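Review bot: `if len(sidebar) > 10000:` reads a name `sidebar` that this hunk never binds — the request value is stored straight into `hole.sidebar` on the line above — so unless `sidebar` is assigned earlier in `post_hole_sidebar` (its start is outside the hunk) this route now raises NameError on every request and the limit is never enforced. The assignment to `hole.sidebar` also precedes validation, so the oversized string is already on the ORM object when `abort` fires. Binding a local first keeps the object untouched until the input passes: `sidebar = request.values.get('sidebar', '').strip()`, `if len(sidebar) > 10000: abort(400, "New sidebar is too long (max 10000 characters)")`, `hole.sidebar = sidebar` (and `sanitize(sidebar, ...)` on the next line).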
diff --git a/files/routes/reporting.py b/files/routes/reporting.py
index a34ac54b2..2cec579cb 100644
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@@ -22,7 +22,10 @@ def report_post(pid, v):
reason = request.values.get("reason", "").strip()
execute_under_siege(v, post, reason, 'report')
execute_blackjack(v, post, reason, 'report')
- reason = reason[:100]
+
+ if len(reason) > 100:
+ abort(400, "Report reason is too long (max 100 characters)")
+
og_flair = reason[1:]
reason_html = filter_emojis_only(reason)
if len(reason_html) > 350:
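Review bot: The new `if len(reason) > 100:` check runs only after `execute_under_siege(v, post, reason, 'report')` and `execute_blackjack(v, post, reason, 'report')`, so both helpers still receive the unbounded `reason` and, if they act on it (their bodies are not visible), do so for a request that is then rejected. The old truncation sat at the same point, so this is carried over rather than introduced, but with an explicit abort the ordering is now worth fixing: place the length check directly after the `.strip()` line so nothing sees input above the limit. `report_comment` in the next hunk has the identical ordering. The abort paired with `if len(reason_html) > 350:` and the rest of `report_post` are outside the hunk.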
@@ -91,7 +94,10 @@ def report_comment(cid, v):
reason = request.values.get("reason", "").strip()
execute_under_siege(v, comment, reason, 'report')
execute_blackjack(v, comment, reason, 'report')
- reason = reason[:100]
+
+ if len(reason) > 100:
+ abort(400, "Report reason is too long (max 100 characters)")
+
reason_html = filter_emojis_only(reason)
if len(reason_html) > 350: abort(400, "Too long!")
diff --git a/files/routes/settings.py b/files/routes/settings.py
index d8551b4c1..d52dd254b 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -241,17 +241,19 @@ def settings_personal_post(v):
if not v.patron:
abort(403, f"Signatures are only available to {patron}s!")
- sig = request.values.get("sig")[:200].replace('\n','').replace('\r','')
-
+ sig = request.values.get("sig").replace('\n','').replace('\r','').strip()
sig = process_files(request.files, v, sig)
- sig = sig[:200].strip() # process_files potentially adds characters to the post
+ sig = sig.strip() # process_files potentially adds characters to the post
+
+ if len(sig) > 200:
+ abort(400, "New signature is too long (max 200 characters)")
sig_html = sanitize(sig, blackjack="signature")
if len(sig_html) > 1000:
abort(400, "Your sig is too long")
v.sig = sig
- v.sig_html=sig_html
+ v.sig_html = sig_html
g.db.add(v)
return {"message": "Your sig has been updated."}
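Review bot: `request.values.get("sig")` has no default, so a request that omits `sig` makes `.replace` run on `None` and raise AttributeError (a 500) instead of the 400 the rest of this commit returns; every other read in this diff passes a default (e.g. `request.values.get("filters", "")`). Suggest `sig = request.values.get("sig", "").replace('\n','').replace('\r','').strip()`. Separately, the 200 limit is now measured after `process_files`, which the inline comment says may add characters, so an attached file counts against the user's text budget; if the limit is meant for what the user typed, check before `process_files` as well. `settings_personal_post` begins outside the hunk.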
@@ -386,11 +388,14 @@ def settings_personal_post(v):
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@auth_required
def filters(v):
- filters = request.values.get("filters", "")[:1000].strip()
+ filters = request.values.get("filters", "").strip()
if filters == v.custom_filter_list:
abort(400, "You didn't change anything!")
+ if len(filters) > 1000:
+ abort(400, "Filters are too long (max 1000 characters)")
+
v.custom_filter_list=filters
g.db.add(v)
return {"message": "Your custom filters have been updated!"}
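Review bot: `v.custom_filter_list=filters` keeps the operator spacing that this same commit corrects a few hunks up (`v.sig_html = sig_html`), so the file ends up inconsistent with its own fix; `v.custom_filter_list = filters`. The blank line added after the new abort would also read better placed before the `if len(filters) > 1000:` check, matching how the other hunks separate the limit check from the surrounding statements.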