From a041e6a21f3f789257ecb8fe45334bc09cf7985f Mon Sep 17 00:00:00 2001
From: TestingPlant <>
Date: Wed, 12 Jul 2023 01:55:30 +0000
Subject: [PATCH 01/22] fix!: remove /api/post
The code handling /api/post is similar to the code handling /post, but
/api/post has some bugs such as allowing banned users to upload files.
Making /post the only API able to upload files would reduce duplicated
code which reduces the chance of bugs.
Although this removes /api/post, it shouldn't cause any issues, since
/api/post isn't currently usable: it requires a multipart
request, but the code uses get_json, which only works when the
mimetype is application/json.
---
main | 54 +-----------------------------------------
templates/apidocs.html | 4 ++--
2 files changed, 3 insertions(+), 55 deletions(-)
diff --git a/main b/main
index 64a1f11..42c3be4 100644
--- a/main
+++ b/main
@@ -394,58 +394,6 @@ def apilogin():
"error": "https://http.cat/images/400.jpg"
}, 400
-@app.route("/api/post", methods=("GET", "POST"))
-def apipost():
- usersession = request.cookies.get("session_DO_NOT_SHARE")
- if usersession:
- if request.method == "POST":
-
- data = request.get_json()
- title = data["id"]
-
- if title == "":
- return {
- "error": "no title"
- }, 403
-
- if "file" not in request.files:
- return {
- "error": "no file"
- }, 403
-
- file = request.files["file"]
- if file.filename == "":
- return {
- "error": "no file"
- }, 403
-
- if not allowed_file(file.filename):
- return {
- "error": "invalid file format"
- }, 403
-
- filename = secure_filename(file.filename)
- finalfilename = secrets.token_hex(64) + filename
-
- file.save(os.path.join(UPLOAD_FOLDER, finalfilename))
- imgurl = "/cdn/" + finalfilename
-
- userCookie = get_session(usersession)
- user = get_user(userCookie["id"])
-
- if not user["banned"] == "0":
- return {
- "error": "banned"
- }, 403
-
- conn = get_db_connection()
- conn.execute("INSERT INTO posts (textstr, imageurl, creator, created) VALUES (?, ?, ?, ?)",
- (title, imgurl, userCookie["id"], str(time.time())))
- conn.commit()
- conn.close()
-
- return "success", 200
-
@app.route("/apidocs", methods=("GET", "POST"))
def apidocs():
usersession = request.cookies.get("session_DO_NOT_SHARE")
@@ -750,4 +698,4 @@ if __name__ == "__main__":
sock.bind(('', int(PORT)))
serve(app, sockets=[sock])
- print("[INFO] Server stopped")
\ No newline at end of file
+ print("[INFO] Server stopped")
diff --git a/templates/apidocs.html b/templates/apidocs.html
index 28c7118..5cb8f28 100644
--- a/templates/apidocs.html
+++ b/templates/apidocs.html
@@ -35,7 +35,7 @@
for API things that require authentication, you will need to set the session_DO_NOT_SHARE
cookie. the key might expire after 180 days.
GET /api/frontpage
- returns frontpage
- POST /api/post
- post ctas - authentication required
+ POST /post
- post ctas - authentication required
title
, being the title of the post and file
, being an image file.
Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"
POST /api/comment
- comment on posts - authentication required
@@ -50,4 +50,4 @@