From 5035f8b90ae0e8b5a4c01e97e23528271fa94cf5 Mon Sep 17 00:00:00 2001
From: Aevann <randomname42029@gmail.com>
Date: Tue, 2 Jan 2024 20:54:08 +0200
Subject: [PATCH] give error message instead of quietly stripping

---
 files/helpers/sanitize.py |  2 +-
 files/routes/admin.py     | 20 +++++++++++++++-----
 files/routes/awards.py    | 24 ++++++++++++++++--------
 files/routes/holes.py     |  8 ++++++--
 files/routes/reporting.py | 10 ++++++++--
 files/routes/settings.py  | 15 ++++++++++-----
 6 files changed, 56 insertions(+), 23 deletions(-)

diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index ba107fc81..4fb27b3db 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -714,7 +714,7 @@ def filter_emojis_only(title, golden=True, count_emojis=False, obj=None, author=
 	title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https']).replace('\n','')
 
 	if len(title) > POST_TITLE_HTML_LENGTH_LIMIT:
-		abort(400, "Rendered title is too big!")
+		abort(400, "Rendered title is too long!")
 
 	title = title.strip()
 
diff --git a/files/routes/admin.py b/files/routes/admin.py
index 17f5506f9..d421905df 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -845,11 +845,14 @@ def shadowban(user_id, v):
 	if user.admin_level > v.admin_level:
 		abort(403)
 	user.shadowbanned = v.id
-	reason = request.values.get("reason", "")[:256].strip()
+	reason = request.values.get("reason", "").strip()
 
 	if not reason:
 		abort(400, "You need to submit a reason for shadowbanning!")
 
+	if len(reason) > 256:
+		abort(400, "Shadowban reason is too long (max 256 characters)")
+
 	reason = filter_emojis_only(reason)
 
 	if len(reason) > 256:
@@ -910,7 +913,10 @@ def admin_change_flair(user_id, v):
 
 	user = get_account(user_id)
 
-	new_flair = request.values.get("flair")[:256].strip()
+	new_flair = request.values.get("flair", "").strip()
+
+	if len(new_flair) > 256:
+		abort(400, "New flair is too long (max 256 characters)")
 
 	user.flair = new_flair
 	new_flair = filter_emojis_only(new_flair)
@@ -982,14 +988,18 @@ def ban_user(fullname, v):
 	if days < 0:
 		abort(400, "You can't bans people for negative days!")
 
-	reason = request.values.get("reason", "")[:256].strip()
+	reason = request.values.get("reason", "").strip()
 
 	if not reason:
 		abort(400, "You need to submit a reason for banning!")
 
-	reason = filter_emojis_only(reason)
 	if len(reason) > 256:
-		abort(400, "Ban reason too long!")
+		abort(400, "Ban reason is too long (max 256 characters)")
+
+	reason = filter_emojis_only(reason)
+
+	if len(reason) > 256:
+		abort(400, "Rendered ban reason is too long!")
 
 	reason = reason_regex_post.sub(r'<a href="\1">\1</a>', reason)
 	reason = reason_regex_comment.sub(r'<a href="\1#context">\1</a>', reason)
diff --git a/files/routes/awards.py b/files/routes/awards.py
index d691ed208..8ea96fcbc 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -188,7 +188,11 @@ def award_thing(v, thing_type, id):
 
 	g.db.add(award)
 
-	note = request.values.get("note", "").strip()[:200]
+	note = request.values.get("note", "").strip()
+
+	if len(note) > 200:
+		abort(400, "Award note is too long (max 200 characters)")
+
 	award.note = note
 
 	safe_username = f"@{obj.author_name} is"
@@ -400,15 +404,19 @@ def award_thing(v, thing_type, id):
 			obj.chudded = True
 			complies_with_chud(obj)
 	elif kind == "flairlock":
-		new_name = note[:100]
-		if not new_name and author.flairchanged:
+		new_flair = note
+
+		if len(new_flair) > 100:
+			abort(400, "New flair is too long (max 100 characters)")
+
+		if not new_flair and author.flairchanged:
 			author.flairchanged += 86400
 		else:
-			author.flair = new_name
-			new_name = filter_emojis_only(new_name)
-			new_name = censor_slurs_profanities(new_name, None)
-			if len(new_name) > 1000: abort(403)
-			author.flair_html = new_name
+			author.flair = new_flair
+			new_flair = filter_emojis_only(new_flair)
+			new_flair = censor_slurs_profanities(new_flair, None)
+			if len(new_flair) > 1000: abort(403)
+			author.flair_html = new_flair
 			author.flairchanged = int(time.time()) + 86400
 			badge_grant(user=author, badge_id=96)
 	elif kind == "namelock":
diff --git a/files/routes/holes.py b/files/routes/holes.py
index 605715c6f..c01cdfa79 100644
--- a/files/routes/holes.py
+++ b/files/routes/holes.py
@@ -450,11 +450,15 @@ def post_hole_sidebar(v, hole):
 	if not v.mods(hole.name): abort(403)
 	if v.shadowbanned: abort(400)
 
-	hole.sidebar = request.values.get('sidebar', '')[:10000].strip()
+	hole.sidebar = request.values.get('sidebar', '').strip()
+
+	if len(sidebar) > 10000:
+		abort(400, "New sidebar is too long (max 10000 characters)")
+
 	sidebar_html = sanitize(hole.sidebar, blackjack=f"/h/{hole} sidebar")
 
 	if len(sidebar_html) > 20000:
-		abort(400, "Sidebar is too big! (max 20000 characters)")
+		abort(400, "New rendered sidebar is too long!")
 
 	hole.sidebar_html = sidebar_html
 	g.db.add(hole)
diff --git a/files/routes/reporting.py b/files/routes/reporting.py
index a34ac54b2..2cec579cb 100644
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@@ -22,7 +22,10 @@ def report_post(pid, v):
 	reason = request.values.get("reason", "").strip()
 	execute_under_siege(v, post, reason, 'report')
 	execute_blackjack(v, post, reason, 'report')
-	reason = reason[:100]
+
+	if len(reason) > 100:
+		abort(400, "Report reason is too long (max 100 characters)")
+
 	og_flair = reason[1:]
 	reason_html = filter_emojis_only(reason)
 	if len(reason_html) > 350:
@@ -91,7 +94,10 @@ def report_comment(cid, v):
 	reason = request.values.get("reason", "").strip()
 	execute_under_siege(v, comment, reason, 'report')
 	execute_blackjack(v, comment, reason, 'report')
-	reason = reason[:100]
+
+	if len(reason) > 100:
+		abort(400, "Report reason is too long (max 100 characters)")
+
 	reason_html = filter_emojis_only(reason)
 
 	if len(reason_html) > 350: abort(400, "Too long!")
diff --git a/files/routes/settings.py b/files/routes/settings.py
index d8551b4c1..d52dd254b 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -241,17 +241,19 @@ def settings_personal_post(v):
 		if not v.patron:
 			abort(403, f"Signatures are only available to {patron}s!")
 
-		sig = request.values.get("sig")[:200].replace('\n','').replace('\r','')
-
+		sig = request.values.get("sig").replace('\n','').replace('\r','').strip()
 		sig = process_files(request.files, v, sig)
-		sig = sig[:200].strip() # process_files potentially adds characters to the post
+		sig = sig.strip() # process_files potentially adds characters to the post
+
+		if len(sig) > 200:
+			abort(400, "New signature is too long (max 200 characters)")
 
 		sig_html = sanitize(sig, blackjack="signature")
 		if len(sig_html) > 1000:
 			abort(400, "Your sig is too long")
 
 		v.sig = sig
-		v.sig_html=sig_html
+		v.sig_html = sig_html
 		g.db.add(v)
 		return {"message": "Your sig has been updated."}
 
@@ -386,11 +388,14 @@ def settings_personal_post(v):
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
 def filters(v):
-	filters = request.values.get("filters", "")[:1000].strip()
+	filters = request.values.get("filters", "").strip()
 
 	if filters == v.custom_filter_list:
 		abort(400, "You didn't change anything!")
 
+	if len(filters) > 1000:
+		abort(400, "Filters are too long (max 1000 characters)")
+
 	v.custom_filter_list=filters
 	g.db.add(v)
 	return {"message": "Your custom filters have been updated!"}