Sanitize more intermediate values.
Frankly, this is almost entirely speculative. I don't see any viable exploits through either of these codepaths. But automated tooling doesn't see the implicit constraints on these values, so might as well do more sanitization.
parent
e46c19f95b
commit
803ce06712
@ -181,9 +181,9 @@ function checkRepost() {
catch(e) {console.log(e)}
catch(e) {console.log(e)}
|
|
if (data && data["permalink"]) {
if (data && data["permalink"]) {
const permalink = data["permalink"]
const permalink = encodeURIComponent(data["permalink"])
if (permalink) {
if (permalink) {
system.innerHTML = `<span class='text-danger'>This is a repost of <a href=${permalink}>${permalink}</a></span>`;
system.innerHTML = `<span class="text-danger">This is a repost of <a href="${permalink}">${permalink}</a></span>`;
}
}
}
}
}
}
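Review bot: `encodeURIComponent` applied to the whole value in `const permalink = encodeURIComponent(data["permalink"])` also encodes `/` and `:`, so an absolute URL or root-relative path turns into a single percent-encoded segment that resolves relative to the current page, and the visible link text is shown in its encoded form as well. It does keep quotes and angle brackets out of the attribute, but it is a URL-component encoder, not an HTML escaper, and the fix breaks the link it is meant to protect. The robust form is to build the element with DOM APIs and set the URL through the `href` property and the label through `textContent`, so the value is never parsed as HTML at all. `checkRepost` begins before this hunk, so I cannot see how `system` and `data` are obtained.

```javascript
const permalink = data["permalink"];
if (permalink) {
    const notice = document.createElement('span');
    notice.className = 'text-danger';
    notice.append('This is a repost of ');
    const link = document.createElement('a');
    link.href = permalink;
    link.textContent = permalink;
    notice.append(link);
    system.replaceChildren(notice);
}
```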
|
|
|
@ -10,6 +10,7 @@ from .const import *
import gevent
import gevent
import imagehash
import imagehash
from shutil import copyfile
from shutil import copyfile
|
from werkzeug.utils import secure_filename
from files.classes.media import *
from files.classes.media import *
from files.helpers.cloudflare import purge_files_in_cache
from files.helpers.cloudflare import purge_files_in_cache
from files.__main__ import db_session
from files.__main__ import db_session
|
@ -36,7 +37,8 @@ def process_files():
def process_audio(file):
def process_audio(file):
name = f'/audio/{time.time()}'.replace('.','')
name = f'/audio/{time.time()}'.replace('.','')
|
|
extension = file.filename.split('.')[-1].lower()
name_original = secure_filename(file.filename)
|
extension = name_original.split('.')[-1].lower()
name = name + '.' + extension
name = name + '.' + extension
|
|
file.save(name)
file.save(name)
|
@ -93,7 +95,8 @@ def process_video(file):
os.remove(old)
os.remove(old)
abort(413, f"Max video size is {MAX_VIDEO_SIZE_MB} MB ({MAX_VIDEO_SIZE_MB_PATRON} MB for paypigs)")
abort(413, f"Max video size is {MAX_VIDEO_SIZE_MB} MB ({MAX_VIDEO_SIZE_MB_PATRON} MB for paypigs)")
|
|
extension = file.filename.split('.')[-1].lower()
name_original = secure_filename(file.filename)
|
extension = name_original.split('.')[-1].lower()
new = old + '.' + extension
new = old + '.' + extension
|
|
if extension == 'webm':
if extension == 'webm':
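Review bot: In `process_audio`, `extension = name_original.split('.')[-1].lower()` still trusts the suffix: `secure_filename` only strips characters that are unsafe on the filesystem, it does not guarantee a dotted suffix, so `extension` is the whole base name when the upload has no dot and `''` when the name sanitizes to nothing, which leaves `name` ending in a bare `.` before `file.save(name)`. The same derivation appears in the `process_video` hunk (`new = old + '.' + extension`), so one shared fix covers both. I would use the stdlib split and reject the empty case explicitly: `extension = os.path.splitext(name_original)[1].lstrip('.').lower()` followed by `if not extension: abort(400, "Missing file extension")`, with the message text being a constructed example. `process_video` continues with `if extension == 'webm':`, so if the code below already allowlists extensions this guard is belt-and-braces there; `process_audio`'s body runs past its hunk, so I cannot see whether it does the same.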
|
|