From 8a146e045e23f8b506dafdd58f0f5ecb118e44c6 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 7 Sep 2022 19:55:48 +0100 Subject: [PATCH 01/12] Optional actor spam filter --- person.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/person.py b/person.py index 7285d9c6e..bed19ccca 100644 --- a/person.py +++ b/person.py @@ -1776,6 +1776,12 @@ def valid_sending_actor(session, base_dir: str, if not actor_json.get('preferredUsername'): print('REJECT: no preferredUsername within actor ' + str(actor_json)) return False + + actor_spam_filter_filename = \ + acct_dir(base_dir, nickname, domain) + '/.reject_spam_actors' + if not os.path.isfile(actor_spam_filter_filename): + return True + # does the actor have a bio ? if not unit_test: bio_str = '' From 64d414357db924744980ae7bfdc6aa07f7ac9f3e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 10:41:43 +0100 Subject: [PATCH 02/12] Check the string length of content-length --- daemon.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/daemon.py b/daemon.py index 1647cd26b..3b3a51936 100644 --- a/daemon.py +++ b/daemon.py 
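Review bot: The early `return True` taken when `.reject_spam_actors` is absent skips every check that follows it (the bio check at the end of the hunk and whatever comes after), so those checks become an opt-in feature, and nothing in the code says so; a reader will assume they still run for every actor. A comment above the new block would make this explicit, e.g. `# the heuristic actor checks below are opt-in per account: enable them by creating <acct_dir>/.reject_spam_actors`. The new block also stats the filesystem on every call of valid_sending_actor, which is probably acceptable at this call rate but worth knowing. valid_sending_actor starts before and ends after the hunk, and whether nickname and domain are its parameters is not visible here.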
@@ -20361,13 +20361,28 @@ class PubServer(BaseHTTPRequestHandler): '_POST', 'check path', self.server.debug) + is_media_content = False + if self.headers['Content-type'].startswith('image/') or \ + self.headers['Content-type'].startswith('video/') or \ + self.headers['Content-type'].startswith('audio/'): + is_media_content = True + + # check that the content length string is not too long + if isinstance(self.headers['Content-length'], str): + if not is_media_content: + max_content_size = self.server.maxMessageLength + else: + max_content_size = self.server.maxMediaSize + if len(self.headers['Content-length']) > max_content_size: + self._400() + self.server.postreq_busy = False + return + # read the message and convert it into a python dictionary length = int(self.headers['Content-length']) if self.server.debug: print('DEBUG: content-length: ' + str(length)) - if not self.headers['Content-type'].startswith('image/') and \ - not self.headers['Content-type'].startswith('video/') and \ - not self.headers['Content-type'].startswith('audio/'): + if not is_media_content: if length > self.server.maxMessageLength: print('Maximum message length exceeded ' + str(length)) self._400() From 0aed7b03ea53f0b636b51b3bb944a14609d161b1 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 11:00:24 +0100 Subject: [PATCH 03/12] Check string length of page numbers --- daemon.py | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) diff --git a/daemon.py b/daemon.py index 3b3a51936..3ea600b9f 100644 --- a/daemon.py +++ b/daemon.py @@ -3887,6 +3887,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = path.split('/searchhandle?page=')[1] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) path = path.split('?page=')[0] 
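Review bot: The new guard bounds only the string length of Content-length, so a non-numeric value such as `abc` still reaches `int(self.headers['Content-length'])` two lines below and raises ValueError; since `self.server.postreq_busy = False` is executed only on the explicit 400 path, an exception there presumably leaves the busy flag set (the surrounding handler is outside the hunk, so confirm). A digit test covers both cases: `if not self.headers['Content-length'].isdigit() or len(self.headers['Content-length']) > max_content_size:`. The same gap recurs in the two Content-length hunks on L14 (`@@ -20446` and `@@ -18437`). Separately, `self.headers['Content-type']` is dereferenced with `.startswith` with no None check in view; if a request can omit Content-type this is an AttributeError — confirm whether an earlier check rejects it.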
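Review bot: The `len(...) > 5` / `= "1"` pair is pasted verbatim at every page-number parse site in this commit (the hunks on L3 through L9, with `page_number_str`, `page_number`, `options_page_number` and `reply_page_str` as the variable), and duplication of this kind drifts — the later commit on L15 already uses `< 5` at one site. A small module-level helper that applies the digit-count cap and the `isdigit()` test in one place, called as `page_number = _page_number_from_str(page_number_str)`, would keep the bound consistent and give it a documented home. The cap silently maps an over-long value to page 1 instead of rejecting the request; that is probably intended, but deserves a comment, and note the inline form leaves `page_number` at its prior value on a non-digit string, so the helper's default should be checked against that prior value at each site before substituting it. The `@@ -17551` hunk on L8 also changes only the indentation of `reply_page_str = ment.replace('page=', '')`, which the next commit reverts.
```python
# Largest number of digits accepted in a page number taken from a request.
# Longer strings fall back to page 1 instead of being converted with int().
MAX_PAGE_NUMBER_DIGITS = 5


def _page_number_from_str(page_number_str: str, default: int = 1) -> int:
    """Return the page number encoded in page_number_str.

    Over-long or non-digit strings yield default.
    """
    if len(page_number_str) > MAX_PAGE_NUMBER_DIGITS:
        return default
    if page_number_str.isdigit():
        return int(page_number_str)
    return default

# … unchanged: each call site becomes page_number = _page_number_from_str(page_number_str) …
```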
@@ -4442,6 +4444,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = path.split('?page=')[1] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) path = path.split('?page=')[0] @@ -4765,6 +4769,8 @@ class PubServer(BaseHTTPRequestHandler): remove_post_confirm_params.split('pageNumber=')[1] if '&' in page_number_str: page_number_str = page_number_str.split('&')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) year_str = None @@ -7901,6 +7907,8 @@ class PubServer(BaseHTTPRequestHandler): options_profile_url = \ '/users/' + options_profile_url + '/avatar.' + ext back_to_path = 'moderation' + if len(options_page_number) > 5: + options_page_number = "1" if options_page_number.isdigit(): page_number = int(options_page_number) options_link = None @@ -8401,6 +8409,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = path.split('?page=')[1] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) hashtag = path.split('/tags/')[1] @@ -8563,6 +8573,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' @@ -8743,6 +8755,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' 
@@ -9093,6 +9107,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' @@ -9287,6 +9303,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' @@ -9472,6 +9490,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' @@ -9686,6 +9706,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' @@ -9885,6 +9907,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' @@ -9989,6 +10013,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' 
@@ -10136,6 +10162,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) timeline_str = 'inbox' @@ -10278,6 +10306,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) delete_url = path.split('?delete=')[1] @@ -10400,6 +10430,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) actor = \ @@ -10526,6 +10558,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) actor = \ @@ -11653,6 +11687,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -11822,6 +11858,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: 
@@ -11982,6 +12020,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -12140,6 +12180,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -12295,6 +12337,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -12452,6 +12496,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -12614,6 +12660,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -12765,6 +12813,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -12858,6 +12908,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: 
@@ -12965,6 +13017,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -13119,6 +13173,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -13260,6 +13316,8 @@ class PubServer(BaseHTTPRequestHandler): if '?page=' in nickname: page_number = nickname.split('?page=')[1] nickname = nickname.split('?page=')[0] + if len(page_number) > 5: + page_number = "1" if page_number.isdigit(): page_number = int(page_number) else: @@ -13413,6 +13471,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = path.split('?page=')[1] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) search_path = path.split('?page=')[0] @@ -13543,6 +13603,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = path.split('?page=')[1] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) search_path = path.split('?page=')[0] @@ -13676,6 +13738,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = path.split('?page=')[1] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) search_path = path.split('?page=')[0] 
@@ -14045,6 +14109,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) if page_number < 1: @@ -17551,7 +17617,9 @@ class PubServer(BaseHTTPRequestHandler): if reply_handle not in reply_to_list: reply_to_list.append(reply_handle) if ment.startswith('page='): - reply_page_str = ment.replace('page=', '') + reply_page_str = ment.replace('page=', '') + if len(reply_page_str) > 5: + reply_page_str = "1" if reply_page_str.isdigit(): reply_page_number = int(reply_page_str) # if m.startswith('actor='): @@ -17573,6 +17641,8 @@ class PubServer(BaseHTTPRequestHandler): reply_to_list.append(reply_handle) if ment.startswith('page='): reply_page_str = ment.replace('page=', '') + if len(reply_page_str) > 5: + reply_page_str = "1" if reply_page_str.isdigit(): reply_page_number = int(reply_page_str) in_reply_to_url = mentions_list[0] @@ -17594,6 +17664,8 @@ class PubServer(BaseHTTPRequestHandler): reply_to_list.append(reply_handle) if ment.startswith('page='): reply_page_str = ment.replace('page=', '') + if len(reply_page_str) > 5: + reply_page_str = "1" if reply_page_str.isdigit(): reply_page_number = int(reply_page_str) # if m.startswith('actor='): @@ -17625,6 +17697,8 @@ class PubServer(BaseHTTPRequestHandler): reply_to_list.append(reply_handle) elif ment.startswith('page='): reply_page_str = ment.replace('page=', '') + if len(reply_page_str) > 5: + reply_page_str = "1" if reply_page_str.isdigit(): reply_page_number = int(reply_page_str) elif ment.startswith('category='): 
@@ -19484,6 +19558,8 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = page_number_str.split('?')[0] if '#' in page_number_str: page_number_str = page_number_str.split('#')[0] + if len(page_number_str) > 5: + page_number_str = "1" if page_number_str.isdigit(): page_number = int(page_number_str) path = path.split('?page=')[0] From 0baec75b6818cd45a7855c9f3e6fb4c27746a11b Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 11:34:12 +0100 Subject: [PATCH 04/12] Additional checking of digit string lengths --- daemon.py | 2 +- desktop_client.py | 36 ++++++++++++++++++++++++++++++++++++ follow.py | 2 ++ person.py | 2 ++ shares.py | 2 ++ webapp_calendar.py | 15 +++++++++------ 6 files changed, 52 insertions(+), 7 deletions(-) diff --git a/daemon.py b/daemon.py index 3ea600b9f..4b1d68184 100644 --- a/daemon.py +++ b/daemon.py @@ -17617,7 +17617,7 @@ class PubServer(BaseHTTPRequestHandler): if reply_handle not in reply_to_list: reply_to_list.append(reply_handle) if ment.startswith('page='): - reply_page_str = ment.replace('page=', '') + reply_page_str = ment.replace('page=', '') if len(reply_page_str) > 5: reply_page_str = "1" if reply_page_str.isdigit(): diff --git a/desktop_client.py b/desktop_client.py index 5c5986f9d..ab27f923d 100644 --- a/desktop_client.py +++ b/desktop_client.py @@ -1701,9 +1701,13 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, post_index_str = command_str.split('read ')[1] else: post_index_str = command_str.split('show ')[1] + if len(post_index_str) > 5: + post_index_str = "1" if box_json and post_index_str.isdigit(): _desktop_clear_screen() _desktop_show_banner() + if len(post_index_str) > 5: + post_index_str = "1" post_index = int(post_index_str) post_json_object = \ _read_local_box_post(session, nickname, domain, 
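Review bot: The guard `if len(post_index_str) > 5: post_index_str = "1"` appears twice in the `@@ -1701` hunk of desktop_client.py: once before `if box_json and post_index_str.isdigit():` and again inside that branch after `_desktop_show_banner()`. The second copy can never fire, because the first already shortened the string and nothing between them reassigns it; drop the inner two lines. The `@@ -1764` hunk on L10 repeats the guard in an `elif` branch that calls `int(post_index_str)` with no `isdigit()` test in view, so a non-numeric index presumably still raises ValueError there — the start of that `if`/`elif` chain is outside the hunk, so confirm.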
@@ -1764,6 +1768,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, elif not actor_json and box_json: _desktop_clear_screen() _desktop_show_banner() + if len(post_index_str) > 5: + post_index_str = "1" post_index = int(post_index_str) actor_json = \ _desktop_show_profile(session, nickname, domain, @@ -1870,6 +1876,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -1909,6 +1917,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -1941,6 +1951,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -1983,6 +1995,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -2015,6 +2029,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: 
@@ -2046,6 +2062,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -2082,6 +2100,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) else: @@ -2128,6 +2148,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -2160,6 +2182,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -2203,6 +2227,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -2236,6 +2262,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_page = 1 if ' ' in command_str: page_num = command_str.split(' ')[-1].strip() + if len(page_num) > 5: + page_num = "1" if page_num.isdigit(): curr_page = int(page_num) follow_requests_json = \ 
@@ -2255,6 +2283,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_page = 1 if ' ' in command_str: page_num = command_str.split(' ')[-1].strip() + if len(page_num) > 5: + page_num = "1" if page_num.isdigit(): curr_page = int(page_num) following_json = \ @@ -2275,6 +2305,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_page = 1 if ' ' in command_str: page_num = command_str.split(' ')[-1].strip() + if len(page_num) > 5: + page_num = "1" if page_num.isdigit(): curr_page = int(page_num) followers_json = \ @@ -2484,6 +2516,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: @@ -2555,6 +2589,8 @@ def run_desktop_client(base_dir: str, proxy_type: str, http_prefix: str, curr_index = 0 if ' ' in command_str: post_index = command_str.split(' ')[-1].strip() + if len(post_index) > 5: + post_index = "1" if post_index.isdigit(): curr_index = int(post_index) if curr_index > 0 and box_json: diff --git a/follow.py b/follow.py index dedaa61e8..21a41d157 100644 --- a/follow.py +++ b/follow.py @@ -453,6 +453,8 @@ def get_following_feed(base_dir: str, domain: str, port: int, path: str, page_number = None if '?page=' in path: page_number = path.split('?page=')[1] + if len(page_number) > 5: + page_number = "1" if page_number == 'true' or not authorized: page_number = 1 else: diff --git a/person.py b/person.py index bed19ccca..a2c097976 100644 --- a/person.py +++ b/person.py @@ -986,6 +986,8 @@ def person_box_json(recent_posts_cache: {}, page_number = None if '?page=' in path: page_number = path.split('?page=')[1] + if len(page_number) > 5: + page_number = 1 if page_number == 'true': page_number = 1 else: diff --git a/shares.py b/shares.py index c0d3f67d2..c8b726810 100644 
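Review bot: In the `person_box_json` hunk (`@@ -986`) the over-long value is replaced with the int `1`, whereas the otherwise identical guard in `get_following_feed` (`@@ -453`, same commit) assigns the str `"1"`; the shares.py hunk on L13 uses the int as well. Each site is immediately followed by `if page_number == 'true':` with an `else:` branch outside the hunk, and if that branch calls a str method such as `.isdigit()` on `page_number`, the int variant raises AttributeError — confirm against the else branch. Using `page_number = "1"` at all three sites keeps the variable a str until the existing conversion runs. Both functions continue outside their hunks.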
--- a/shares.py +++ b/shares.py @@ -462,6 +462,8 @@ def get_shares_feed_for_person(base_dir: str, page_number = None if '?page=' in path: page_number = path.split('?page=')[1] + if len(page_number) > 5: + page_number = 1 if page_number == 'true': page_number = 1 else: diff --git a/webapp_calendar.py b/webapp_calendar.py index 7991b4804..9dfbda2be 100644 --- a/webapp_calendar.py +++ b/webapp_calendar.py @@ -341,16 +341,19 @@ def html_calendar(person_cache: {}, translate: {}, if '=' in part: if part.split('=')[0] == 'year': num_str = part.split('=')[1] - if num_str.isdigit(): - year = int(num_str) + if len(num_str) <= 5: + if num_str.isdigit(): + year = int(num_str) elif part.split('=')[0] == 'month': num_str = part.split('=')[1] - if num_str.isdigit(): - month_number = int(num_str) + if len(num_str) <= 3: + if num_str.isdigit(): + month_number = int(num_str) elif part.split('=')[0] == 'day': num_str = part.split('=')[1] - if num_str.isdigit(): - day_number = int(num_str) + if len(num_str) <= 3: + if num_str.isdigit(): + day_number = int(num_str) elif part.split('=')[0] == 'ical': bool_str = part.split('=')[1] if bool_str.lower().startswith('t'): From 85c4ec0c1f4a8353d9be82dbcd97743833c134c6 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 12:14:39 +0100 Subject: [PATCH 05/12] CHecking the string length of content length --- daemon.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daemon.py b/daemon.py index 4b1d68184..f38483f42 100644 --- a/daemon.py +++ b/daemon.py 
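Review bot: The new `if len(num_str) <= 5:` wrapped around `if num_str.isdigit():` (and the `<= 3` variants for month and day) reads more clearly as one condition, `if len(num_str) <= 5 and num_str.isdigit():`, which also leaves the indentation of the assignment untouched. A three-digit cap still admits month and day values up to 999, which is harmless only if a range check follows; that is outside the hunk, so confirm. Since the same caps recur across several files in this series and the commit subjects suggest they exist to bound what is handed to `int()`, a one-line comment above the first one saying so would help the next reader.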
@@ -20446,9 +20446,9 @@ class PubServer(BaseHTTPRequestHandler): # check that the content length string is not too long if isinstance(self.headers['Content-length'], str): if not is_media_content: - max_content_size = self.server.maxMessageLength + max_content_size = len(str(self.server.maxMessageLength)) else: - max_content_size = self.server.maxMediaSize + max_content_size = len(str(self.server.maxMediaSize)) if len(self.headers['Content-length']) > max_content_size: self._400() self.server.postreq_busy = False From a423c260c7e53fe18f112a29059e5abe85969e9f Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 12:17:50 +0100 Subject: [PATCH 06/12] Check length of content-length with caldav --- daemon.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/daemon.py b/daemon.py index f38483f42..25998e477 100644 --- a/daemon.py +++ b/daemon.py @@ -18437,6 +18437,14 @@ class PubServer(BaseHTTPRequestHandler): print(endpoint_type.upper() + ' has no content-length') self._400() return + + # check that the content length string is not too long + if isinstance(self.headers['Content-length'], str): + max_content_size = len(str(self.server.maxMessageLength)) + if len(self.headers['Content-length']) > max_content_size: + self._400() + return + length = int(self.headers['Content-length']) if length > self.server.max_post_length: print(endpoint_type.upper() + From de88a2333be6af82f079d56275869b821fb3588c Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 13:56:11 +0100 Subject: [PATCH 07/12] Check length of of digit string --- daemon.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/daemon.py b/daemon.py index 25998e477..8d499ef7a 100644 --- a/daemon.py +++ b/daemon.py 
@@ -2801,8 +2801,9 @@ class PubServer(BaseHTTPRequestHandler): page_number_str = options_confirm_params.split('pageNumber=')[1] if '&' in page_number_str: page_number_str = page_number_str.split('&')[0] - if page_number_str.isdigit(): - page_number = int(page_number_str) + if len(page_number_str) < 5: + if page_number_str.isdigit(): + page_number = int(page_number_str) # actor for the person options_actor = options_confirm_params.split('actor=')[1] @@ -4804,7 +4805,10 @@ class PubServer(BaseHTTPRequestHandler): get_nickname_from_actor(remove_post_actor) if self.post_to_nickname: if month_str and year_str: - if month_str.isdigit() and year_str.isdigit(): + if len(month_str) <= 3 and \ + len(year_str) <= 3 and \ + month_str.isdigit() and \ + year_str.isdigit(): year_int = int(year_str) month_int = int(month_str) remove_calendar_event(base_dir, From 6ac77b528cc634c9cf5c86ab6b2171b77fb2a9b7 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 14:06:25 +0100 Subject: [PATCH 08/12] Check length of duration field --- daemon.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/daemon.py b/daemon.py index 8d499ef7a..4f1b6c2fb 100644 --- a/daemon.py +++ b/daemon.py @@ -19432,7 +19432,10 @@ class PubServer(BaseHTTPRequestHandler): self.server.base_dir, nickname, self.server.domain) - int_duration = int(fields['duration']) + if isinstance(fields['duration'], str): + if len(fields['duration']) > 5: + return -1 + int_duration_days = int(fields['duration']) languages_understood = \ get_understood_languages(self.server.base_dir, self.server.http_prefix, @@ -19452,7 +19455,7 @@ class PubServer(BaseHTTPRequestHandler): fields['imageDescription'], city, fields['subject'], - int_duration, + int_duration_days, fields['languagesDropdown'], self.server.low_bandwidth, self.server.content_license_url, From 0d688082fc105946db31075f8b4dec8aeee50e77 Mon Sep 17 00:00:00 2001 
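Review bot: `if len(page_number_str) < 5:` admits at most four digits, while every other page-number cap in this series (for example `@@ -4444` on L3) uses `> 5` and so admits five; a five-digit page number is rejected here and accepted everywhere else. Use the same bound, preferably as one condition: `if len(page_number_str) <= 5 and page_number_str.isdigit():`.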
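Review bot: `len(year_str) <= 3` rejects every four-digit year, so after this change the `remove_calendar_event` call below it can no longer run for a year such as 2022, assuming `year_str` carries a full year as the calendar code on L13 (which caps year at `<= 5`) does. Change the year bound to `len(year_str) <= 5 and \` so the two calendar paths agree. The enclosing handler continues outside the hunk.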
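Review bot: The new guard only caps the length of `fields['duration']`; a non-numeric str still reaches `int(fields['duration'])` on the next line and raises ValueError. Extending the inner test handles it: `if len(fields['duration']) > 5 or not fields['duration'].isdigit():` followed by the existing `return -1`. Whether `-1` is this method's error convention, and what happens when the field is not a str at all, are not visible in the hunk; the method starts and ends outside it.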
From: Bob Mottram Date: Thu, 8 Sep 2022 18:59:19 +0100 Subject: [PATCH 09/12] Remove unused argument --- daemon.py | 20 -------------------- person.py | 2 +- webapp_frontscreen.py | 2 +- webapp_profile.py | 2 +- 4 files changed, 3 insertions(+), 23 deletions(-) diff --git a/daemon.py b/daemon.py index 4f1b6c2fb..784d041d0 100644 --- a/daemon.py +++ b/daemon.py @@ -11667,7 +11667,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: inbox_feed = \ person_box_json(recent_posts_cache, - curr_session, base_dir, domain, port, @@ -11701,7 +11700,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first inbox_feed = \ person_box_json(recent_posts_cache, - curr_session, base_dir, domain, port, @@ -11844,7 +11842,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: inbox_dm_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -11872,7 +11869,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first inbox_dm_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12005,7 +12001,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: inbox_replies_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12034,7 +12029,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first inbox_replies_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12165,7 +12159,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: inbox_media_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12194,7 +12187,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first inbox_media_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, 
@@ -12322,7 +12314,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: inbox_blogs_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12351,7 +12342,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first inbox_blogs_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12480,7 +12470,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: inbox_news_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12512,7 +12501,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first inbox_news_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12644,7 +12632,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: inbox_features_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -12676,7 +12663,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first inbox_features_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -13002,7 +12988,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: bookmarks_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -13031,7 +13016,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first bookmarks_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -13163,7 +13147,6 @@ class PubServer(BaseHTTPRequestHandler): # get outbox feed for a person outbox_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, path, http_prefix, MAX_POSTS_IN_FEED, 'outbox', authorized, 
@@ -13191,7 +13174,6 @@ class PubServer(BaseHTTPRequestHandler): page_str = '?page=' + str(page_number) outbox_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, path + page_str, http_prefix, @@ -13302,7 +13284,6 @@ class PubServer(BaseHTTPRequestHandler): if authorized: moderation_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, @@ -13330,7 +13311,6 @@ class PubServer(BaseHTTPRequestHandler): # if no page was specified then show the first moderation_feed = \ person_box_json(self.server.recent_posts_cache, - curr_session, base_dir, domain, port, diff --git a/person.py b/person.py index a2c097976..cd35637db 100644 --- a/person.py +++ b/person.py @@ -963,7 +963,7 @@ def person_lookup(domain: str, path: str, base_dir: str) -> {}: def person_box_json(recent_posts_cache: {}, - session, base_dir: str, domain: str, port: int, path: str, + base_dir: str, domain: str, port: int, path: str, http_prefix: str, no_of_items: int, boxname: str, authorized: bool, newswire_votes_threshold: int, positive_voting: bool, diff --git a/webapp_frontscreen.py b/webapp_frontscreen.py index 5545b88e9..f70ae203a 100644 --- a/webapp_frontscreen.py +++ b/webapp_frontscreen.py @@ -56,7 +56,7 @@ def _html_front_screen_posts(recent_posts_cache: {}, max_recent_posts: int, '/users/' + nickname + '/' + box_name + \ '?page=' + str(curr_page) outbox_feed = \ - person_box_json({}, session, base_dir, domain, port, + person_box_json({}, base_dir, domain, port, outbox_feed_path_str, http_prefix, 10, box_name, authorized, 0, False, 0) diff --git a/webapp_profile.py b/webapp_profile.py index b993cd3c8..3bdf61848 100644 --- a/webapp_profile.py +++ b/webapp_profile.py 
@@ -1130,7 +1130,7 @@ def _html_profile_posts(recent_posts_cache: {}, max_recent_posts: int, '/users/' + nickname + '/' + box_name + '?page=' + \ str(curr_page) outbox_feed = \ - person_box_json({}, session, base_dir, domain, + person_box_json({}, base_dir, domain, port, outbox_feed_path_str, http_prefix, From f728ae527105c63794250162f473bdd9c77351a8 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 19:11:48 +0100 Subject: [PATCH 10/12] Remove unused argument --- webapp_profile.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/webapp_profile.py b/webapp_profile.py index 3bdf61848..e6aeebe20 100644 --- a/webapp_profile.py +++ b/webapp_profile.py @@ -1981,8 +1981,7 @@ def _html_edit_profile_background(news_instance: bool, translate: {}) -> str: return edit_profile_form -def _html_edit_profile_contact_info(nickname: str, - email_address: str, +def _html_edit_profile_contact_info(email_address: str, xmpp_address: str, matrix_address: str, ssb_address: str, @@ -2478,7 +2477,7 @@ def html_edit_profile(server, translate: {}, # Contact information edit_profile_form += \ - _html_edit_profile_contact_info(nickname, email_address, + _html_edit_profile_contact_info(email_address, xmpp_address, matrix_address, ssb_address, tox_address, briar_address, From bed15feb1404138e19a617062071b453edd922bf Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 8 Sep 2022 19:23:08 +0100 Subject: [PATCH 11/12] Tiding --- desktop_client.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/desktop_client.py b/desktop_client.py index ab27f923d..8633cd3df 100644 --- a/desktop_client.py +++ b/desktop_client.py @@ -355,8 +355,7 @@ def _speaker_mimic3(pitch: int, rate: int, srange: int, if pitch > 75: voice = 'en_US/vctk_low' length_scale = str(1.2 - (rate / 600.0)) - if srange > 100: - srange = 100 + srange = min(srange, 100) noise_w = str(srange / 100.0) text = html.unescape(say_text).replace('"', "'") if not text: 
From 48db4f58a4d07cce3faab99017548e1f6466b24b Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Fri, 9 Sep 2022 18:49:03 +0100 Subject: [PATCH 12/12] Forbit input within markup --- utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils.py b/utils.py index cc5b8dbf0..ea2a32076 100644 --- a/utils.py +++ b/utils.py @@ -1110,7 +1110,7 @@ def dangerous_markup(content: str, allow_local_network_access: bool) -> bool: return True invalid_strings = [ 'script', 'noscript', 'pre', - 'canvas', 'style', 'abbr', + 'canvas', 'style', 'abbr', 'input', 'frame', 'iframe', 'html', 'body', 'hr', 'allow-popups', 'allow-scripts', 'amp-'
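Review bot: Adding `'input'` to `invalid_strings` is the right direction, but the list continues past the hunk and the related form and embedding elements (`form`, `button`, `textarea`, `select`, `object`, `embed`) are not in the visible part; if they are not listed further down, markup that an `input` block is meant to keep out can still be assembled from them — confirm against the full list. The list mixes tag names such as `input` with the prefix `amp-`, so how entries are matched is not obvious from the list itself and the matching code is outside the hunk; a comment above the list naming the match rule would help the next person extending it. dangerous_markup starts before and ends after the hunk.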