From c5c21da76f758e9c96dc542e5d81f052ac8d943c Mon Sep 17 00:00:00 2001
From: Aevann1
Date: Fri, 24 Jun 2022 19:32:31 +0200
Subject: [PATCH] validate colors

---
 files/helpers/regex.py | 2 ++
 files/routes/settings.py | 16 +++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/files/helpers/regex.py b/files/helpers/regex.py
index 64581a025..ff94f92ca 100644
--- a/files/helpers/regex.py
+++ b/files/helpers/regex.py
@@ -92,6 +92,8 @@ twitter_to_nitter_regex = re.compile("https:\/\/twitter.com\/(\w{4,15}(\/status\
 reddit_domain_regex = re.compile("(^|\s)https:\/\/(reddit\.com|new\.reddit.com|www\.reddit.com|i\.reddit\.com|redd\.it|libredd\.it|teddit\.net)\/r\/", flags=re.A)
+color_regex = re.compile("[a-z0-9]{6}", flags=re.A)
+
 def sub_matcher(match, upper=False):
 if match.group(0).startswith('<'):
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 350e1d2be..f254f39f5 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -341,8 +341,10 @@ def namecolor(v):
 color = request.values.get("color", "").strip().lower()
 if color.startswith('#'): color = color[1:]
- if len(color) != 6: return render_template("settings_profile.html", v=v, error="Invalid color code")
- if color == '21262c': return render_template("settings_profile.html", v=v, error="This color is not allowed")
+
+ if not color_regex.fullmatch(color):
+ return render_template("settings_profile.html", v=v, error="Invalid color code")
+
 v.namecolor = color
 g.db.add(v)
 g.db.commit()
@@ -356,7 +358,10 @@ def themecolor(v):
 themecolor = str(request.values.get("themecolor", "")).strip()
 if themecolor.startswith('#'): themecolor = themecolor[1:]
- if len(themecolor) != 6: return render_template("settings_profile.html", v=v, error="Invalid color code")
+
+ if not color_regex.fullmatch(themecolor):
+ return render_template("settings_profile.html", v=v, error="Invalid color code")
+
 v.themecolor = themecolor
 g.db.add(v)
 g.db.commit()
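Review bot: The character class in the new `color_regex` accepts the letters g–z, which are not hex digits, so a value such as `zzzzzz` passes the `fullmatch` checks the settings routes now run on it and is stored as a colour. The pattern that expresses the intent of a six-digit hex colour is `color_regex = re.compile("[0-9a-f]{6}", flags=re.A)`. Using `fullmatch` together with `re.A` is the right shape here; only the class needs tightening.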
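Review bot: The new validation in namecolor silently drops the earlier rejection of `21262c` (the "This color is not allowed" branch) without a replacement, and the titlecolor hunk does the same. If that restriction was deliberate, keep it after the regex test: `if color == '21262c': return render_template("settings_profile.html", v=v, error="This color is not allowed")`. If removing it is intended, the commit message should say so, since the subject "validate colors" reads as a tightening rather than a relaxation.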
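Review bot: themecolor is only stripped, not lower-cased, so with the lowercase-only `color_regex` an upper-case value such as `FFFFFF` is now rejected here while namecolor and titlecolor (which call `.lower()`) accept it; before this change the length check was case-insensitive. Either normalise the input like the sibling routes, `themecolor = str(request.values.get("themecolor", "")).strip().lower()`, or compile the regex with `re.I`. The enclosing function's decorator and signature lie above the hunk.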
@@ -408,8 +413,9 @@ def titlecolor(v):
 titlecolor = request.values.get("titlecolor", "").strip().lower()
 if titlecolor.startswith('#'): titlecolor = titlecolor[1:]
- if len(titlecolor) != 6: return render_template("settings_profile.html", v=v, error="Invalid color code")
- if titlecolor == '21262c': return render_template("settings_profile.html", v=v, error="This color is not allowed")
+
+ if not color_regex.fullmatch(titlecolor):
+ return render_template("settings_profile.html", v=v, error="Invalid color code")
 v.titlecolor = titlecolor
 g.db.add(v)
 g.db.commit()