From 5035f8b90ae0e8b5a4c01e97e23528271fa94cf5 Mon Sep 17 00:00:00 2001
From: Aevann
Date: Tue, 2 Jan 2024 20:54:08 +0200
Subject: [PATCH] give error message instead of quietly stripping
---
 files/helpers/sanitize.py | 2 +-
 files/routes/admin.py | 20 +++++++++++++++-----
 files/routes/awards.py | 24 ++++++++++++++++--------
 files/routes/holes.py | 8 ++++++--
 files/routes/reporting.py | 10 ++++++++--
 files/routes/settings.py | 15 ++++++++++-----
 6 files changed, 56 insertions(+), 23 deletions(-)
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index ba107fc81..4fb27b3db 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -714,7 +714,7 @@ def filter_emojis_only(title, golden=True, count_emojis=False, obj=None, author=
 title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https']).replace('\n','')
 if len(title) > POST_TITLE_HTML_LENGTH_LIMIT:
- abort(400, "Rendered title is too big!")
+ abort(400, "Rendered title is too long!")
 title = title.strip()
diff --git a/files/routes/admin.py b/files/routes/admin.py
index 17f5506f9..d421905df 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -845,11 +845,14 @@ def shadowban(user_id, v):
 if user.admin_level > v.admin_level: abort(403)
 user.shadowbanned = v.id
- reason = request.values.get("reason", "")[:256].strip()
+ reason = request.values.get("reason", "").strip()
 if not reason:
 abort(400, "You need to submit a reason for shadowbanning!")
+ if len(reason) > 256:
+ abort(400, "Shadowban reason is too long (max 256 characters)")
+
 reason = filter_emojis_only(reason)
 if len(reason) > 256:
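Review bot: The rendered-length check that closes the shadowban hunk, `if len(reason) > 256:`, keeps its abort outside the hunk, so it is not visible whether its message still reads like the new raw-length one; ban_user in this same patch distinguishes the two with `abort(400, "Rendered ban reason is too long!")`, and shadowban should match, e.g. `abort(400, "Rendered shadowban reason is too long!")`. The limit 256 now appears both in the condition and in the message text of shadowban and ban_user, so a single named constant (a constructed name such as `REASON_LENGTH_LIMIT`) would keep the two from drifting. shadowban's body continues past the end of the hunk.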
@@ -910,7 +913,10 @@ def admin_change_flair(user_id, v):
 user = get_account(user_id)
- new_flair = request.values.get("flair")[:256].strip()
+ new_flair = request.values.get("flair", "").strip()
+
+ if len(new_flair) > 256:
+ abort(400, "New flair is too long (max 256 characters)")
 user.flair = new_flair
 new_flair = filter_emojis_only(new_flair)
@@ -982,14 +988,18 @@ def ban_user(fullname, v):
 if days < 0:
 abort(400, "You can't bans people for negative days!")
- reason = request.values.get("reason", "")[:256].strip()
+ reason = request.values.get("reason", "").strip()
 if not reason:
 abort(400, "You need to submit a reason for banning!")
- reason = filter_emojis_only(reason)
 if len(reason) > 256:
- abort(400, "Ban reason too long!")
+ abort(400, "Ban reason is too long (max 256 characters)")
+
+ reason = filter_emojis_only(reason)
+
+ if len(reason) > 256:
+ abort(400, "Rendered ban reason is too long!")
 reason = reason_regex_post.sub(r'\1', reason)
 reason = reason_regex_comment.sub(r'\1', reason)
diff --git a/files/routes/awards.py b/files/routes/awards.py
index d691ed208..8ea96fcbc 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -188,7 +188,11 @@ def award_thing(v, thing_type, id):
 g.db.add(award)
- note = request.values.get("note", "").strip()[:200]
+ note = request.values.get("note", "").strip()
+
+ if len(note) > 200:
+ abort(400, "Award note is too long (max 200 characters)")
+
 award.note = note
 safe_username = f"@{obj.author_name} is"
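Review bot: In admin_change_flair, `user.flair = new_flair` is written before `new_flair = filter_emojis_only(new_flair)` runs, and no check on the rendered result follows within the hunk, whereas shadowban and ban_user in this same patch bound the rendered text a second time after filter_emojis_only. If the lines after the hunk do not check the rendered length, the raw 256 limit alone does not bound what is stored from the rendered value; adding `if len(new_flair) > 256: abort(400, "Rendered flair is too long!")` after the filter call would bring this route in line with the other two. The `""` default on `request.values.get("flair", "")` is a genuine fix (the old line raised TypeError on a missing field). admin_change_flair continues past the end of the hunk.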
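Review bot: The new `abort(400, "Award note is too long (max 200 characters)")` in award_thing runs after `g.db.add(award)`, the first context line of the hunk, so the award is already pending in the session when the request is rejected; whether that pending row is discarded depends on the app rolling back on abort, which this hunk does not show. Reading and validating `note` before `g.db.add(award)` removes the dependency: move the three lines `note = request.values.get("note", "").strip()` / `if len(note) > 200:` / `abort(400, "Award note is too long (max 200 characters)")` above that call. award_thing starts and ends outside the hunk.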
@@ -400,15 +404,19 @@ def award_thing(v, thing_type, id):
 obj.chudded = True
 complies_with_chud(obj)
 elif kind == "flairlock":
- new_name = note[:100]
- if not new_name and author.flairchanged:
+ new_flair = note
+
+ if len(new_flair) > 100:
+ abort(400, "New flair is too long (max 100 characters)")
+
+ if not new_flair and author.flairchanged:
 author.flairchanged += 86400
 else:
- author.flair = new_name
- new_name = filter_emojis_only(new_name)
- new_name = censor_slurs_profanities(new_name, None)
- if len(new_name) > 1000: abort(403)
- author.flair_html = new_name
+ author.flair = new_flair
+ new_flair = filter_emojis_only(new_flair)
+ new_flair = censor_slurs_profanities(new_flair, None)
+ if len(new_flair) > 1000: abort(403)
+ author.flair_html = new_flair
 author.flairchanged = int(time.time()) + 86400
 badge_grant(user=author, badge_id=96)
 elif kind == "namelock":
diff --git a/files/routes/holes.py b/files/routes/holes.py
index 605715c6f..c01cdfa79 100644
--- a/files/routes/holes.py
+++ b/files/routes/holes.py
@@ -450,11 +450,15 @@ def post_hole_sidebar(v, hole):
 if not v.mods(hole.name): abort(403)
 if v.shadowbanned: abort(400)
- hole.sidebar = request.values.get('sidebar', '')[:10000].strip()
+ hole.sidebar = request.values.get('sidebar', '').strip()
+
+ if len(sidebar) > 10000:
+ abort(400, "New sidebar is too long (max 10000 characters)")
+
 sidebar_html = sanitize(hole.sidebar, blackjack=f"/h/{hole} sidebar")
 if len(sidebar_html) > 20000:
- abort(400, "Sidebar is too big! (max 20000 characters)")
+ abort(400, "New rendered sidebar is too long!")
 hole.sidebar_html = sidebar_html
 g.db.add(hole)
diff --git a/files/routes/reporting.py b/files/routes/reporting.py
index a34ac54b2..2cec579cb 100644
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
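Review bot: The rewritten else branch of the flairlock case keeps `if len(new_flair) > 1000: abort(403)`, a bare 403 with no message, while every other rendered-length overflow in this patch is reported as a 400 with text; `abort(400, "Rendered flair is too long!")` would be consistent and tell the caller what failed. The new 100-character check also sits deep in the kind dispatch, after `award.note` was stored at the @@ -188 hunk and after whatever runs between the two hunks, so if that intervening code has side effects the request is rejected only once they have happened; checking the flairlock limit where `note` is read (e.g. `if kind == "flairlock" and len(note) > 100: abort(400, "New flair is too long (max 100 characters)")`, assuming `kind` is already bound there) would fail early. The elif chain and award_thing itself extend beyond the hunk.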
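Review bot: `if len(sidebar) > 10000:` in post_hole_sidebar references a name that is never assigned: the stripped value goes into `hole.sidebar`, and neither the old nor the new code binds a local `sidebar`, so unless one exists above line 450 (not shown in the hunk) every sidebar submission raises NameError and returns a 500 instead of the intended 400. The fix also stops mutating the ORM object before the input is accepted: `sidebar = request.values.get('sidebar', '').strip()` / `if len(sidebar) > 10000: abort(400, "New sidebar is too long (max 10000 characters)")` / `hole.sidebar = sidebar`. post_hole_sidebar's definition and decorators are outside the hunk.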
@@ -22,7 +22,10 @@ def report_post(pid, v):
 reason = request.values.get("reason", "").strip()
 execute_under_siege(v, post, reason, 'report')
 execute_blackjack(v, post, reason, 'report')
- reason = reason[:100]
+
+ if len(reason) > 100:
+ abort(400, "Report reason is too long (max 100 characters)")
+
 og_flair = reason[1:]
 reason_html = filter_emojis_only(reason)
 if len(reason_html) > 350:
@@ -91,7 +94,10 @@ def report_comment(cid, v):
 reason = request.values.get("reason", "").strip()
 execute_under_siege(v, comment, reason, 'report')
 execute_blackjack(v, comment, reason, 'report')
- reason = reason[:100]
+
+ if len(reason) > 100:
+ abort(400, "Report reason is too long (max 100 characters)")
+
 reason_html = filter_emojis_only(reason)
 if len(reason_html) > 350:
 abort(400, "Too long!")
diff --git a/files/routes/settings.py b/files/routes/settings.py
index d8551b4c1..d52dd254b 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -241,17 +241,19 @@ def settings_personal_post(v):
 if not v.patron: abort(403, f"Signatures are only available to {patron}s!")
- sig = request.values.get("sig")[:200].replace('\n','').replace('\r','')
-
+ sig = request.values.get("sig").replace('\n','').replace('\r','').strip()
 sig = process_files(request.files, v, sig)
- sig = sig[:200].strip() # process_files potentially adds characters to the post
+ sig = sig.strip() # process_files potentially adds characters to the post
+
+ if len(sig) > 200:
+ abort(400, "New signature is too long (max 200 characters)")
 sig_html = sanitize(sig, blackjack="signature")
 if len(sig_html) > 1000: abort(400, "Your sig is too long")
 v.sig = sig
- v.sig_html=sig_html
+ v.sig_html = sig_html
 g.db.add(v)
 return {"message": "Your sig has been updated."}
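Review bot: In report_post the new length check is placed after `execute_under_siege` and `execute_blackjack`, both of which are handed the unbounded `reason`, so an over-long reason still reaches those helpers before the request is rejected; if they do anything beyond inspecting the string (not visible here), that work is done for input that is then refused. Moving `if len(reason) > 100: abort(400, "Report reason is too long (max 100 characters)")` directly under the `reason = request.values.get("reason", "").strip()` line bounds the input before anything consumes it. The same ordering applies to report_comment in the @@ -91 hunk, and the rendered check there still says only `abort(400, "Too long!")`, which does not match the more specific wording used elsewhere in this patch. Both functions begin and end outside their hunks.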
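Review bot: `sig = request.values.get("sig").replace('\n','')...` in settings_personal_post has no default, so a request without a `sig` field raises AttributeError on `.replace` and yields a 500, while admin_change_flair in this same patch added a `""` default for exactly this case; the rewritten line should read `sig = request.values.get("sig", "").replace('\n','').replace('\r','').strip()`. The 200-character check is also evaluated only after `process_files(request.files, v, sig)`, which per the inline comment appends characters; if process_files persists the uploaded file, a user whose own text is within the limit can have the upload completed and then be refused because the appended text pushed it over, so checking `len(sig) > 200` on the raw value before process_files as well, or stating in the message that attached files count toward the limit, would be clearer. `abort(400, "Your sig is too long")` on the rendered check keeps the old wording; `"Rendered signature is too long!"` would match the rest of the commit. settings_personal_post starts outside the hunk.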
@@ -386,11 +388,14 @@ def settings_personal_post(v):
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
 def filters(v):
- filters = request.values.get("filters", "")[:1000].strip()
+ filters = request.values.get("filters", "").strip()
 if filters == v.custom_filter_list: abort(400, "You didn't change anything!")
+ if len(filters) > 1000:
+ abort(400, "Filters are too long (max 1000 characters)")
+
 v.custom_filter_list=filters
 g.db.add(v)
 return {"message": "Your custom filters have been updated!"}
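Review bot: The rewritten `filters = request.values.get("filters", "").strip()` keeps a local that shadows the route function `filters` it lives in, which is harmless at runtime but confusing to read and to debug; since the line is being touched anyway, `custom_filters` for the local would remove the ambiguity. Unrelated to the check itself, `v.custom_filter_list=filters` is left without spaces around `=` while this same patch normalised `v.sig_html = sig_html`; `v.custom_filter_list = filters` keeps the two routes consistent. The function is fully visible in the hunk; its decorators are the first context lines.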