From 553bba5caad7887dafa567628b81c1b5aa3cc994 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Fri, 15 Jul 2022 12:45:57 +0100 Subject: [PATCH 1/3] Comment --- daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon.py b/daemon.py index c099fbdcd..b6919db93 100644 --- a/daemon.py +++ b/daemon.py @@ -3624,7 +3624,7 @@ class PubServer(BaseHTTPRequestHandler): onion_domain: str, i2p_domain: str, debug: bool, curr_session, proxy_type: str) -> None: - """Confirms a block + """Confirms a block from the person options screen """ users_path = path.split('/blockconfirm')[0] origin_path_str = http_prefix + '://' + domain_full + users_path From d3f17da4aa8f774b4c6098485e8da0185d1499b3 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 16 Jul 2022 14:38:42 +0100 Subject: [PATCH 2/3] Additional osm link format --- maps.py | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/maps.py b/maps.py index b28a842a6..07a86aef7 100644 --- a/maps.py +++ b/maps.py 
@@ -45,6 +45,42 @@ def _geocoords_from_osm_link(url: str, osm_domain: str) -> (int, float, float):
 return zoom, latitude, longitude
 
 
+def _geocoords_from_osmorg_link(url: str) -> (int, float, float):
+ """Returns geocoordinates from an OSM map link
+ """
+ osm_domain = 'osm.org'
+ if osm_domain not in url:
+ return None, None, None
+ if 'mlat=' not in url:
+ return None, None, None
+ if 'mlon=' not in url:
+ return None, None, None
+ if 'zoom=' not in url:
+ return None, None, None
+
+ latitude = url.split('mlat=')[1]
+ if '&' in latitude:
+ latitude = latitude.split('&')[0]
+ if not is_float(latitude):
+ return None, None, None
+
+ longitude = url.split('mlon=')[1]
+ if '&' in longitude:
+ longitude = longitude.split('&')[0]
+ if not is_float(longitude):
+ return None, None, None
+
+ zoom = url.split('zoom=')[1]
+ if '&' in zoom:
+ zoom = zoom.split('&')[0]
+ if not zoom.isdigit():
+ return None, None, None
+ zoom = int(zoom)
+ latitude = float(latitude)
+ longitude = float(longitude)
+ return zoom, latitude, longitude
+
+
 def _geocoords_from_gmaps_link(url: str) -> (int, float, float):
 """Returns geocoordinates from a Gmaps link
 """
@@ -211,6 +247,8 @@ def geocoords_from_map_link(url: str,
 """
 if osm_domain in url:
 return _geocoords_from_osm_link(url, osm_domain)
+ if 'osm.org' in url and 'mlat=' in url:
+ return _geocoords_from_osmorg_link(url)
 if '.google.co' in url:
 return _geocoords_from_gmaps_link(url)
 if '.bing.co' in url:
From 14d587a7cf90009d3780838072c1042eea927b57 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 17 Jul 2022 10:38:07 +0100
Subject: [PATCH 3/3] Check summary for dangerous html
---
 inbox.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/inbox.py b/inbox.py
index 091c6bbd4..998ee2870 100644
--- a/inbox.py
+++ b/inbox.py
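Review bot: The zoom check in `_geocoords_from_osmorg_link` uses `zoom.isdigit()`, which is also true for characters such as superscript digits that `int()` rejects, so a crafted link can raise ValueError at `zoom = int(zoom)`; whether a caller catches that is not visible here. Tightening it to `if not (zoom.isascii() and zoom.isdigit()):` closes the gap. The parsed values are also returned without range checks, so a latitude outside -90..90, a longitude outside -180..180 or an arbitrarily large zoom passes through, and depending on how the unseen `is_float` helper is written, `nan` or `inf` may pass too. The docstring would be more useful if it named the accepted form (`mlat=`, `mlon=` and `zoom=` query parameters) and the `None, None, None` result on failure.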
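Review bot: The new branch `if 'osm.org' in url and 'mlat=' in url:` tests substrings of the whole URL, so the host is never actually checked: `osm.org` appearing in a path, a query value or a longer hostname matches just as well, and the same applies to `osm_domain not in url` inside `_geocoords_from_osmorg_link`. If the link text comes from remote posts, comparing the parsed hostname (`urllib.parse.urlsplit(url).hostname`) against the expected domain and reading `mlat`/`mlon`/`zoom` with `parse_qs` would be stricter. Also, because `if osm_domain in url:` is tested first and returns, an instance whose configured `osm_domain` is itself `osm.org` never reaches this branch. The body of `geocoords_from_map_link` starts and ends outside the hunk.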
@@ -2644,6 +2644,12 @@ def _valid_post_content(base_dir: str, nickname: str, domain: str,
 if summary != valid_content_warning(summary):
 print('WARN: invalid content warning ' + summary)
 return False
+ if dangerous_markup(summary, allow_local_network_access):
+ if message_json['object'].get('id'):
+ print('REJECT ARBITRARY HTML: ' + message_json['object']['id'])
+ print('REJECT ARBITRARY HTML: bad string in summary - ' +
+ summary)
+ return False
 
 # check for patches before dangeousMarkup, which excludes code
 if is_git_patch(base_dir, nickname, domain,
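Review bot: Both new `print` calls concatenate remote-supplied values into the log line: `message_json['object']['id']` is only tested for truthiness, so a non-string id raises TypeError on `+`, and `summary` has just been classified as dangerous markup yet is written verbatim, line breaks and control characters included. Using `repr()` on both, e.g. `print('REJECT ARBITRARY HTML: bad string in summary - ' + repr(summary))`, keeps each entry on one line and tolerates any type; truncating long values would help as well. Whether the id is validated as a string earlier in `_valid_post_content` is not visible, since the function starts and ends outside the hunk.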