moon
/
emoji-stealer-mrf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

safer path handling, safer shortcode handling

This commit is contained in:
Moon Man 2020-03-24 00:12:42 +00:00
parent 0e4cedc350
commit cb5a9662b8
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
steal_emoji_policy.ex
View File

@ -39,7 +39,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
Logger.debug("HANDLING EMOJO") Logger.debug("HANDLING EMOJO")
cond do cond do
String.contains?(emojo_shortcode, "/") -> !String.match?(emojo_shortcode, ~r/^[[:word:]]+$/) ->
Logger.error("BAD EMOJO SHORTCODE: #{emojo_shortcode}") Logger.error("BAD EMOJO SHORTCODE: #{emojo_shortcode}")
String.starts_with?(emojo_url, "https://") -> String.starts_with?(emojo_url, "https://") ->
@ -48,7 +48,11 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
if remote_emojo.status_code == 200 do if remote_emojo.status_code == 200 do
with {:ok, current_dir} <- File.cwd() do with {:ok, current_dir} <- File.cwd() do
new_file = current_dir <> "/priv/static/emoji/stolen/" <> emojo_shortcode <> Path.extname(emojo_url) emojo_uri = URI.parse(emojo_url)
extension = Path.extname(Path.basename(emojo_uri.path))
filename = emojo_shortcode <> extension
new_file = Path.join([current_dir, "priv/static/emoji/stolen", filename])
{:ok, file} = File.open(new_file, [:write]) {:ok, file} = File.open(new_file, [:write])
IO.binwrite(file, remote_emojo.body) IO.binwrite(file, remote_emojo.body)