From 1574c46d0a618d98a5f9e1649ab1d7e452ea1f2e Mon Sep 17 00:00:00 2001 From: justcool393 Date: Thu, 16 Feb 2023 19:26:58 -0600 Subject: [PATCH] modmail: constantify user ID and fix bug where users can bypass modmail route checks the random c.sentto == 2 magic numbers in the code is... pretty unmaintainable and unless you were aware of who "2" was, it's hard to know what's going on. in addition, we force modmail to go through the modmail path instead of letting users bypass validation checks. --- files/helpers/const.py | 1 + files/helpers/jinja2.py | 1 + files/routes/users.py | 10 ++++++---- files/templates/comments.html | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/files/helpers/const.py b/files/helpers/const.py index 3da03891d..1628775d5 100644 --- a/files/helpers/const.py +++ b/files/helpers/const.py @@ -18,6 +18,7 @@ CC_TITLE = CC.title() NOTIFICATIONS_ID = 1 AUTOJANNY_ID = 2 +MODMAIL_ID = 2 SNAPPY_ID = 3 LONGPOSTBOT_ID = 4 ZOZBOT_ID = 5 diff --git a/files/helpers/jinja2.py b/files/helpers/jinja2.py index 91ce90ee9..9332a887b 100644 --- a/files/helpers/jinja2.py +++ b/files/helpers/jinja2.py @@ -75,6 +75,7 @@ def inject_constants(): "SITE_FULL":SITE_FULL, "AUTOJANNY_ID":AUTOJANNY_ID, "NOTIFICATIONS_ID":NOTIFICATIONS_ID, + "MODMAIL_ID":MODMAIL_ID, "PUSHER_ID":PUSHER_ID, "CC":CC, "CC_TITLE":CC_TITLE, diff --git a/files/routes/users.py b/files/routes/users.py index 96f193c78..b30d9d8be 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -528,6 +528,10 @@ def message2(v, username): "contact modmail if you think this decision was incorrect.") user = get_user(username, v=v, include_blocks=True) + + if user.id == MODMAIL_ID: + abort(403, "Please use modmail to contact the admins") + if hasattr(user, 'is_blocking') and user.is_blocking: abort(403, "You're blocking this user.") if v.admin_level <= 1 and hasattr(user, 'is_blocked') and user.is_blocked: 
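Review bot: `MODMAIL_ID = 2` repeats the literal value of `AUTOJANNY_ID = 2` on the line above it, so the two constants can drift apart silently if either account id is ever changed, and nothing in the hunk records that they are meant to name the same account. Define the alias in terms of the existing constant, `MODMAIL_ID = AUTOJANNY_ID  # modmail threads are addressed to the AutoJanny account`, so the relationship is explicit and a single edit updates both. The comparisons this patch introduces against MODMAIL_ID in routes/users.py and comments.html then keep matching the same account as the existing AUTOJANNY_ID checks.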
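Review bot: The new `if user.id == MODMAIL_ID:` guard in message2 also rejects any direct message addressed to the AutoJanny account, because MODMAIL_ID carries the same value as AUTOJANNY_ID; if that is the intent, a comment on the guard should say so, e.g. `# DMs to the modmail account must go through messagereply, which has the modmail-specific handling; reject them here`. The guard is correctly placed after get_user() resolves the target and before the block checks, so a blocked or blocking user gets the modmail message rather than a misleading block error. message2's definition starts before this hunk, so whether the GET route that renders the compose form applies the same rejection cannot be confirmed from the patch; it is worth checking so the form does not offer an action the POST refuses.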
@@ -536,7 +540,6 @@ def message2(v, username): message = request.values.get("message", "").strip()[:10000].strip() if not message: abort(400, "Message is empty!") - body_html = sanitize(message) existing = g.db.query(Comment.id).filter(Comment.author_id == v.id, @@ -553,7 +556,6 @@ def message2(v, username): body_html=body_html ) g.db.add(c) - g.db.flush() c.top_comment_id = c.id @@ -588,12 +590,12 @@ def messagereply(v): parent = get_comment(id, v=v) user_id = parent.author.id - if parent.sentto == 2: user_id = None + if parent.sentto == MODMAIL_ID: user_id = None elif v.id == user_id: user_id = parent.sentto body_html = sanitize(message) - if parent.sentto == 2 and request.files.get("file") and request.headers.get("cf-ipcountry") != "T1": + if parent.sentto == MODMAIL_ID and request.files.get("file") and request.headers.get("cf-ipcountry") != "T1": file=request.files["file"] if file.content_type.startswith('image/'): name = f'/images/{time.time()}'.replace('.','') + '.webp' diff --git a/files/templates/comments.html b/files/templates/comments.html index bcf658144..f9784b70d 100644 --- a/files/templates/comments.html +++ b/files/templates/comments.html @@ -141,7 +141,7 @@ {% elif c.author_id==NOTIFICATIONS_ID or c.author_id==AUTOJANNY_ID %} Notification {% else %} - {% if c.sentto == 2 %} + {% if c.sentto == MODMAIL_ID %} Sent to admins {% else %} Sent to @{{c.senttouser.username}} @@ -556,7 +556,7 @@
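Review bot: The single removed line in this hunk reads as a blank line in the collapsed patch, but if it were `body_html = sanitize(message)` the later `body_html=body_html` keyword argument passed to Comment would reference an unassigned name; the same ambiguity applies to the removed line before `c.top_comment_id = c.id` in the @@ -553 hunk, where dropping `g.db.flush()` would leave `c.id` unset at the point it is copied. The commit message describes only the constant rename and the new guard, so these are presumably whitespace-only removals, but the patch as rendered does not let a reviewer confirm that and it should be verified against the applied tree.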
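Review bot: The file-upload branch on the rewritten `if parent.sentto == MODMAIL_ID and request.files.get("file") and request.headers.get("cf-ipcountry") != "T1":` line gates on a request header, which is only trustworthy when every request to this route arrives through Cloudflare; if the origin is reachable directly the header is supplied by the client, so the assumption should be recorded next to the check, e.g. `# cf-ipcountry is set by Cloudflare at the edge; only meaningful if the origin is not directly reachable`. Separately, the rewritten `if parent.sentto == MODMAIL_ID: user_id = None` branch routes the reply into modmail for any parent whose sentto matches, and nothing in the hunk shows that `v` is a participant of that thread (its author or its recipient); if `get_comment(id, v=v)` does not enforce that, confirm it is enforced elsewhere in messagereply, whose body continues past the end of this hunk.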
- {% if c.sentto == 2 %} + {% if c.sentto == MODMAIL_ID %}