Sanitize more intermediate values.
Frankly, this is almost entirely speculative. I don't see any viable exploits through either of these codepaths. But automated tooling doesn't see the implicit constraints on these values, so might as well do more sanitization.
parent
e46c19f95b
commit
803ce06712
@ -181,9 +181,9 @@ function checkRepost() {
|
|||
catch(e) {console.log(e)}
|
||||
|
||||
if (data && data["permalink"]) {
|
||||
const permalink = data["permalink"]
|
||||
const permalink = encodeURIComponent(data["permalink"])
|
||||
if (permalink) {
|
||||
system.innerHTML = `<span class='text-danger'>This is a repost of <a href=${permalink}>${permalink}</a></span>`;
|
||||
system.innerHTML = `<span class="text-danger">This is a repost of <a href="${permalink}">${permalink}</a></span>`;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
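Review bot: `encodeURIComponent` on the new `const permalink` line percent-encodes `/`, `:` and `?` along with the characters that matter for the attribute, so if `data["permalink"]` is a path or absolute URL (its shape is not visible in this hunk) the rendered `href` no longer resolves and the visible link text is shown percent-encoded. The encoding does keep the value from breaking out of the quoted attribute, so the stated sanitization goal is met; the cleaner fix is to stop assembling markup from the value at all and let the DOM APIs do the escaping, as below. `checkRepost` begins before this hunk.
```javascript
const permalink = data["permalink"]
if (permalink) {
    const link = document.createElement('a');
    link.href = permalink;
    link.textContent = permalink;
    const notice = document.createElement('span');
    notice.className = 'text-danger';
    notice.append('This is a repost of ', link);
    system.textContent = '';
    system.appendChild(notice);
}
```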
@ -10,6 +10,7 @@ from .const import *
|
|||
import gevent
|
||||
import imagehash
|
||||
from shutil import copyfile
|
||||
from werkzeug.utils import secure_filename
|
||||
from files.classes.media import *
|
||||
from files.helpers.cloudflare import purge_files_in_cache
|
||||
from files.__main__ import db_session
|
||||
|
@ -36,7 +37,8 @@ def process_files():
|
|||
def process_audio(file):
|
||||
name = f'/audio/{time.time()}'.replace('.','')
|
||||
|
||||
extension = file.filename.split('.')[-1].lower()
|
||||
name_original = secure_filename(file.filename)
|
||||
extension = name_original.split('.')[-1].lower()
|
||||
name = name + '.' + extension
|
||||
|
||||
file.save(name)
|
||||
|
@ -93,7 +95,8 @@ def process_video(file):
|
|||
os.remove(old)
|
||||
abort(413, f"Max video size is {MAX_VIDEO_SIZE_MB} MB ({MAX_VIDEO_SIZE_MB_PATRON} MB for paypigs)")
|
||||
|
||||
extension = file.filename.split('.')[-1].lower()
|
||||
name_original = secure_filename(file.filename)
|
||||
extension = name_original.split('.')[-1].lower()
|
||||
new = old + '.' + extension
|
||||
|
||||
if extension == 'webm':
|
||||
|
|
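Review bot: Running the name through `secure_filename` does not make the extension taken on the following line trustworthy: `name_original.split('.')[-1]` yields the whole name when there is no dot (`README` → extension `readme`) and an empty string when `secure_filename` reduces the name to nothing, so `name = name + '.' + extension` produces a path like `/audio/<stamp>.readme` or one ending in a bare dot. The same two lines are repeated in the `process_video` hunk, where `new = old + '.' + extension` has the same gap. Consider `extension = os.path.splitext(name_original)[1].lower().lstrip('.')` followed by `if not extension: abort(400, "Filename has no extension")` in both places, or one small shared helper; `os` and `abort` are already used in these hunks. Whether `file.filename` can be `None` here is not visible in the hunk; if it can, `secure_filename` raises a `TypeError` on it, so guard that alongside. `process_audio` and `process_video` both continue past their hunks.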