Bob Mottram 2022-12-26 12:54:07 +00:00
commit e2e418a842
18 changed files with 1477 additions and 1903 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 71 KiB

After

Width:  |  Height:  |  Size: 69 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 228 KiB

After

Width:  |  Height:  |  Size: 228 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 122 KiB

After

Width:  |  Height:  |  Size: 124 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 102 KiB

After

Width:  |  Height:  |  Size: 103 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 78 KiB

After

Width:  |  Height:  |  Size: 86 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 100 KiB

After

Width:  |  Height:  |  Size: 104 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 86 KiB

After

Width:  |  Height:  |  Size: 87 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 118 KiB

After

Width:  |  Height:  |  Size: 116 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 198 KiB

After

Width:  |  Height:  |  Size: 204 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 86 KiB

After

Width:  |  Height:  |  Size: 79 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 115 KiB

After

Width:  |  Height:  |  Size: 120 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 88 KiB

After

Width:  |  Height:  |  Size: 82 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 280 KiB

After

Width:  |  Height:  |  Size: 282 KiB


@ -18,6 +18,7 @@ from languages import understood_post_language
from like import update_likes_collection from like import update_likes_collection
from reaction import update_reaction_collection from reaction import update_reaction_collection
from reaction import valid_emoji_content from reaction import valid_emoji_content
from utils import contains_invalid_actor_url_chars
from utils import is_quote_toot from utils import is_quote_toot
from utils import acct_handle_dir from utils import acct_handle_dir
from utils import is_account_dir from utils import is_account_dir
@ -2756,14 +2757,17 @@ def _receive_announce(recent_posts_cache: {},
# so that their avatar can be shown # so that their avatar can be shown
lookup_actor = None lookup_actor = None
if post_json_object.get('attributedTo'): if post_json_object.get('attributedTo'):
if isinstance(post_json_object['attributedTo'], str): attrib = post_json_object['attributedTo']
lookup_actor = post_json_object['attributedTo'] if isinstance(attrib, str):
if not contains_invalid_actor_url_chars(attrib):
lookup_actor = attrib
else: else:
if has_object_dict(post_json_object): if has_object_dict(post_json_object):
if post_json_object['object'].get('attributedTo'): if post_json_object['object'].get('attributedTo'):
attrib = post_json_object['object']['attributedTo'] attrib = post_json_object['object']['attributedTo']
if isinstance(attrib, str): if isinstance(attrib, str):
lookup_actor = attrib if not contains_invalid_actor_url_chars(attrib):
lookup_actor = attrib
if lookup_actor: if lookup_actor:
if has_users_path(lookup_actor): if has_users_path(lookup_actor):
if '/statuses/' in lookup_actor: if '/statuses/' in lookup_actor:
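Review bot: When `attributedTo` fails `contains_invalid_actor_url_chars`, `lookup_actor` silently stays `None` and the rest of the function proceeds as if the post carried no attribution, so a rejected actor URL is indistinguishable from a missing one when debugging an announce that does not render an avatar. A one-line comment above the new check, `# ignore attributedTo values that do not look like an actor url`, would record the intent, and a `print('WARN: invalid attributedTo actor url in announce')` next to each of the two new rejections (the top-level attributedTo and the nested object one) would leave a trace in the log in the same style as the `REJECT:` lines this commit touches in posts.py. `_receive_announce` starts and ends outside the hunk, so I cannot tell whether a later stage reports the dropped lookup.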


@ -15,6 +15,7 @@ from posts import outbox_message_create_wrap
from posts import save_post_to_box from posts import save_post_to_box
from posts import send_to_followers_thread from posts import send_to_followers_thread
from posts import send_to_named_addresses_thread from posts import send_to_named_addresses_thread
from utils import contains_invalid_actor_url_chars
from utils import get_attachment_property_value from utils import get_attachment_property_value
from utils import get_account_timezone from utils import get_account_timezone
from utils import has_object_string_type from utils import has_object_string_type
@ -321,6 +322,9 @@ def post_message_to_outbox(session, translate: {},
'.' not in message_json['actor']: '.' not in message_json['actor']:
return False return False
if contains_invalid_actor_url_chars(message_json['actor']):
return False
# sent by an actor on a local network address? # sent by an actor on a local network address?
if not allow_local_network_access: if not allow_local_network_access:
local_network_pattern_list = get_local_network_addresses() local_network_pattern_list = get_local_network_addresses()
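Review bot: The new `contains_invalid_actor_url_chars(message_json['actor'])` check assumes `message_json['actor']` is a `str`; if the field arrives as a dict or list, the helper's `is_invalid in url` tests still run but test container membership rather than characters, so a non-string actor can pass this guard. The posts.py hunk in this commit adds an explicit `if not isinstance(sending_actor, str): return False` before the same call; mirroring it here, `if not isinstance(message_json['actor'], str) or contains_invalid_actor_url_chars(message_json['actor']): return False`, keeps both entry points consistent. Whether an earlier line of `post_message_to_outbox` already enforces the type is not visible in this hunk; the function starts and ends outside it.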


@ -44,6 +44,7 @@ from utils import get_attachment_property_value
from utils import get_nickname_from_actor from utils import get_nickname_from_actor
from utils import remove_html from utils import remove_html
from utils import contains_invalid_chars from utils import contains_invalid_chars
from utils import contains_invalid_actor_url_chars
from utils import replace_users_with_at from utils import replace_users_with_at
from utils import remove_eol from utils import remove_eol
from utils import remove_domain_port from utils import remove_domain_port
@ -1776,6 +1777,12 @@ def valid_sending_actor(session, base_dir: str,
# who sent this post? # who sent this post?
sending_actor = post_json_object['actor'] sending_actor = post_json_object['actor']
if not isinstance(sending_actor, str):
return False
if contains_invalid_actor_url_chars(sending_actor):
return False
# If you are following them then allow their posts # If you are following them then allow their posts
if is_following_actor(base_dir, nickname, domain, sending_actor): if is_following_actor(base_dir, nickname, domain, sending_actor):
return True return True
@ -1802,6 +1809,7 @@ def valid_sending_actor(session, base_dir: str,
print('REJECT: no preferredUsername within actor ' + str(actor_json)) print('REJECT: no preferredUsername within actor ' + str(actor_json))
return False return False
# is this a known spam actor?
actor_spam_filter_filename = \ actor_spam_filter_filename = \
acct_dir(base_dir, nickname, domain) + '/.reject_spam_actors' acct_dir(base_dir, nickname, domain) + '/.reject_spam_actors'
if not os.path.isfile(actor_spam_filter_filename): if not os.path.isfile(actor_spam_filter_filename):
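Review bot: The two new early returns after `sending_actor = post_json_object['actor']` reject silently, while the later rejection in the second hunk of this file prints a `REJECT:` reason before returning False; for consistency, and so an operator can see why posts from a given actor vanish, each new return should be preceded by a reason line, e.g. `print('REJECT: sending actor is not a string')` and `print('REJECT: invalid characters in sending actor url')`. Printing only the reason rather than the raw actor value keeps unvalidated input out of the log. `valid_sending_actor` starts and ends outside these hunks.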

3342
sbom.json

File diff suppressed because it is too large Load Diff


@ -39,6 +39,12 @@ INVALID_CHARACTERS = (
'', '', '', '', '', '', 'ϟϟ', '🏳️‍🌈🚫', '⚡⚡' '', '', '', '', '', '', 'ϟϟ', '🏳️‍🌈🚫', '⚡⚡'
) )
INVALID_ACTOR_URL_CHARACTERS = (
'', '', '<', '>', '%', '{', '}', '|', '\\', '^', '`',
'?', '#', '[', ']', '@', '!', '$', '&', "'", '(', ')',
'*', '+', ',', ';', '='
)
def _standardize_text_range(text: str, def _standardize_text_range(text: str,
range_start: int, range_end: int, range_start: int, range_end: int,
@ -971,6 +977,16 @@ def contains_invalid_chars(json_str: str) -> bool:
return False return False
def contains_invalid_actor_url_chars(url: str) -> bool:
"""Does the given actor url contain invalid characters?
"""
for is_invalid in INVALID_ACTOR_URL_CHARACTERS:
if is_invalid in url:
return True
return contains_invalid_chars(url)
def remove_invalid_chars(text: str) -> str: def remove_invalid_chars(text: str) -> str:
"""Removes any invalid characters from a string """Removes any invalid characters from a string
""" """