Sanitize more intermediate values.

Frankly, this is almost entirely speculative. I don't see any viable exploits through either of these codepaths. But automated tooling doesn't see the implicit constraints on these values, so might as well do more sanitization.
2022-11-10 23:17:25 -05:00 · 2022-11-10 23:17:25 -05:00 · 803ce06712
parent e46c19f95b
commit 803ce06712
2 changed files with 7 additions and 4 deletions
--- a/files/assets/js/submit.js
+++ b/files/assets/js/submit.js
@ -181,9 +181,9 @@ function checkRepost() {
 			catch(e) {console.log(e)}

 			if (data && data["permalink"]) {
-				const permalink = data["permalink"]
+				const permalink = encodeURIComponent(data["permalink"])
 				if (permalink) {
-					system.innerHTML = `<span class='text-danger'>This is a repost of <a href=${permalink}>${permalink}</a></span>`;
+					system.innerHTML = `<span class="text-danger">This is a repost of <a href="${permalink}">${permalink}</a></span>`;
 				}
 			}
 		}
--- a/files/helpers/media.py
+++ b/files/helpers/media.py
@ -10,6 +10,7 @@ from .const import *
 import gevent
 import imagehash
 from shutil import copyfile
+from werkzeug.utils import secure_filename
 from files.classes.media import *
 from files.helpers.cloudflare import purge_files_in_cache
 from files.__main__ import db_session
@ -36,7 +37,8 @@ def process_files():
 def process_audio(file):
 	name = f'/audio/{time.time()}'.replace('.','')

-	extension = file.filename.split('.')[-1].lower()
+	name_original = secure_filename(file.filename)
+	extension = name_original.split('.')[-1].lower()
 	name = name + '.' + extension

 	file.save(name)
@ -93,7 +95,8 @@ def process_video(file):
 		os.remove(old)
 		abort(413, f"Max video size is {MAX_VIDEO_SIZE_MB} MB ({MAX_VIDEO_SIZE_MB_PATRON} MB for paypigs)")

-	extension = file.filename.split('.')[-1].lower()
+	name_original = secure_filename(file.filename)
+	extension = name_original.split('.')[-1].lower()
 	new = old + '.' + extension

 	if extension == 'webm':