fsd

2022-04-17 23:46:29 +02:00 · 2022-04-17 23:46:29 +02:00 · c042dcc26b
commit c042dcc26b
parent 9c3d6d49a1
7 changed files with 52 additions and 46 deletions
--- a/files/classes/submission.py
+++ b/files/classes/submission.py
@ -478,7 +478,7 @@ class Submission(Base):
 	@property
 	@lazy
 	def is_image(self):
-		if self.url and (self.url.lower().endswith('.webp') or self.url.lower().endswith('.jpg') or self.url.lower().endswith('.png') or self.url.lower().endswith('.gif') or self.url.lower().endswith('.jpeg') or self.url.lower().endswith('?maxwidth=9999') or self.url.lower().endswith('&fidelity=high')) and embed_check_regex.fullmatch(self.url):
+		if self.url and (self.url.lower().endswith('.webp') or self.url.lower().endswith('.jpg') or self.url.lower().endswith('.png') or self.url.lower().endswith('.gif') or self.url.lower().endswith('.jpeg') or self.url.lower().endswith('?maxwidth=9999') or self.url.lower().endswith('&fidelity=high')) and (self.url.startswith('/') or self.url.startswith(f'{SITE_FULL}/') or embed_check_regex.fullmatch(self.url)):
 			return True
 		return False
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@ -12,7 +12,6 @@ SITE_NAME = environ.get("SITE_NAME", '').strip()
 if SITE == "localhost": SITE_FULL = 'http://' + SITE
 else: SITE_FULL = 'https://' + SITE
 SITE_FULL2 = 'http://' + SITE
 if SITE == 'pcmemes.net': CC = "SPLASH MOUNTAIN"
 else: CC = "COUNTRY CLUB"
@ -757,46 +756,53 @@ proxies = {"http":"http://127.0.0.1:18080","https":"http://127.0.0.1:18080"}
 blackjack = environ.get("BLACKJACK", "").strip()
 approved_embed_hosts = [
-	'i.imgur.com',
+	'imgur.com',
-	'i\.ibb\.co',
+	'ibb\.co',
-	'pomf2\.lain\.la',
+	'lain\.la',
 	'pngfind\.com',
-	'i\.kym-cdn\.com',
+	'kym-cdn\.com',
-	'i2\.kym-cdn\.com',
+	'redd\.it',
-	'i\.redd\.it',
+	'substack\.com',
-	'cdn\.substack\.com',
+	'blogspot\.com',
-	'cdn\.discordapp\.com',
+	'catbox\.moe',
-	'2\.bp\.blogspot\.com',
+	'pinimg\.com',
 	'files\.catbox\.moe',
 	'i\.pinimg\.com',
 	'kindpng\.com',
-	'cdn\.shopify\.com',
+	'shopify\.com',
-	'media\.discordapp\.net',
+	'discordapp\.com',
-	'pbs\.twimg\.com',
+	'discordapp\.net',
-	'upload\.wikimedia\.org',
+	'twimg\.com',
-	'i0\.wp\.com',
+	'wikimedia\.org',
 	'wp\.com',
 	'wordpress\.com',
 	'seekpng\.com',
-	'i\.dailymail\.co\.uk',
+	'dailymail\.co\.uk',
-	'de\.catbox\.moe',
+	'cdc\.gov',
-	'www\.cdc\.gov',
+	'media-amazon\.com',
-	'm\.media-amazon\.com',
+	'washingtonpost\.com',
-	'www\.washingtonpost\.com',
+	'imgflip\.com',
-	'i\.imgflip\.com',
+	'flickr\.com',
-	'farm2\.static\.flickr\.com',
+	'9cache\.com',
-	'img-9gag-fun\.9cache\.com',
+	'ytimg\.com',
-	'i\.ytimg\.com',
+	'foxnews\.com',
-	'a57\.foxnews\.com',
+	'duckduckgo\.com',
-	'external-content\.duckduckgo\.com',
+	'forbes\.com',
-	'blogs-images\.forbes\.com',
+	'gr-assets\.com',
-	'images\.gr-assets\.com',
+	'tenor\.com',
-	'c\.tenor\.com',
+	'giphy\.com',
-	'media\.giphy\.com'
+	'makeagif\.com',
 	'gfycat\.com',
 	'tumblr\.com',
 	'yarn\.co',
 	'gifer\.com',
 	'prnt\.sc',
 	'staticflickr\.com',
 	'kiwifarms\.net'
 	]
 hosts = "|".join(approved_embed_hosts)
-image_check_regex = re.compile(f'!\[\]\(((?!https:\/\/({hosts})\/).*?)\)', flags=re.A)
+image_check_regex = re.compile(f'!\[\]\(((?!https:\/\/([a-z0-9-]\.)*({hosts})\/).*?)\)', flags=re.A)
-embed_check_regex = regex.compile(f'(?<!<(code|pre|a)>)https:\/\/({hosts})\/[\w:~,()\-.#&\/=?@%;+]*', flags=regex.A)
+embed_check_regex = regex.compile(f'(?<!<(code|pre|a)>)https:\/\/([a-z0-9-]\.)*({hosts})\/[\w:~,()\-.#&\/=?@%;+]*', flags=regex.A)
-video_regex = regex.compile(f'((?<!<(code|pre|a)>)https:\/\/({hosts})\/[\w:~,()\-.#&\/=?@%;+]*?\.(mp4|webm|mov))', flags=regex.A)
+video_regex = regex.compile(f'((?<!<(code|pre|a)>)https:\/\/([a-z0-9-]\.)*({hosts})\/[\w:~,()\-.#&\/=?@%;+]*?\.(mp4|webm|mov))', flags=regex.A)
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@ -37,7 +37,7 @@ def allowed_attributes(tag, name, value):
 	if tag == 'img':
 		if name in ['src','data-src']:
-			if value.startswith('/') or embed_check_regex.fullmatch(value): return True
+			if value.startswith('/') or value.startswith(f'{SITE_FULL}/') or embed_check_regex.fullmatch(value): return True
 			else: return False
 		if name == 'loading' and value == 'lazy': return True
@ -70,7 +70,7 @@ url_re = build_url_re(tlds=TLDS, protocols=['http', 'https'])
 def callback(attrs, new=False):
 	href = attrs[(None, "href")]
-	if not href.startswith(SITE_FULL) and not href.startswith('/') and not href.startswith(SITE_FULL2):
+	if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'):
 		attrs[(None, "target")] = "_blank"
 		attrs[(None, "rel")] = "nofollow noopener noreferrer"	
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@ -354,7 +354,7 @@ def award_post(pid, v):
 	g.db.commit()
 	if request.referrer and len(request.referrer) > 1:
 		if request.referrer == f'{SITE_FULL}/submit': return redirect(post.permalink)
-		elif request.referrer.startswith(SITE_FULL): return redirect(request.referrer)
+		elif request.referrer.startswith(f'{SITE_FULL}/'): return redirect(request.referrer)
 	return redirect(SITE_FULL)
@ -590,7 +590,7 @@ def award_comment(cid, v):
 	g.db.add(author)
 	g.db.commit()
-	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(SITE_FULL):
+	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(f'{SITE_FULL}/'):
 		return redirect(request.referrer)
 	return redirect(SITE_FULL)
--- a/files/routes/errors.py
+++ b/files/routes/errors.py
@ -60,6 +60,6 @@ def allow_nsfw():
 	session["over_18"] = int(time.time()) + 3600
 	redir = request.values.get("redir")
 	if redir:
-		if redir.startswith(SITE_FULL): return redirect(redir)
+		if redir.startswith(f'{SITE_FULL}/'): return redirect(redir)
 		if redir.startswith('/'): return redirect(f'{SITE_FULL}{redir}')
 	return redirect('/')
--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -11,10 +11,10 @@ def login_get(v):
 	redir = request.values.get("redirect")
 	if redir:
 		redir = redir.replace("/logged_out", "").strip()
-		if not redir.startswith(SITE_FULL) and not redir.startswith('/'): redir = None
+		if not redir.startswith(f'{SITE_FULL}/') and not redir.startswith('/'): redir = None
 	if v and redir:
-		if redir.startswith(SITE_FULL): return redirect(redir)
+		if redir.startswith(f'{SITE_FULL}/'): return redirect(redir)
 		elif redir.startswith('/'): return redirect(f'{SITE_FULL}{redir}')
 	return render_template("login.html", failed=False, redirect=redir)
@ -150,10 +150,10 @@ def login_post():
 	redir = request.values.get("redirect")
 	if redir:
 		redir = redir.replace("/logged_out", "").strip()
-		if not redir.startswith(SITE_FULL) and not redir.startswith('/'): redir = '/'
+		if not redir.startswith(f'{SITE_FULL}/') and not redir.startswith('/'): redir = '/'
 	if redir:
-		if redir.startswith(SITE_FULL): return redirect(redir)
+		if redir.startswith(f'{SITE_FULL}/'): return redirect(redir)
 		if redir.startswith('/'): return redirect(f'{SITE_FULL}{redir}')
 	return redirect('/')
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@ -472,7 +472,7 @@ def sub_toggle(v):
 		g.db.add(v)
 		g.db.commit()
-	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(SITE_FULL):
+	if request.referrer and len(request.referrer) > 1 and request.referrer.startswith(f'{SITE_FULL}/'):
 		return redirect(request.referrer)
 	return redirect('/')