Verify remote user name and media url

This commit is contained in:
Trinity Pointard 2018-12-02 19:07:36 +01:00
parent 449641d158
commit ed71d24fe9
2 changed files with 33 additions and 22 deletions

View File

@ -131,19 +131,23 @@ impl Media {
.expect("Media::delete: database entry deletion error"); .expect("Media::delete: database entry deletion error");
} }
pub fn save_remote(conn: &Connection, url: String, user: &User) -> Media { pub fn save_remote(conn: &Connection, url: String, user: &User) -> Result<Media, ()> {
Media::insert( if url.contains(&['<', '>', '"'][..]) {
conn, Err(())
NewMedia { } else {
file_path: String::new(), Ok(Media::insert(
alt_text: String::new(), conn,
is_remote: true, NewMedia {
remote_url: Some(url), file_path: String::new(),
sensitive: false, alt_text: String::new(),
content_warning: None, is_remote: true,
owner_id: user.id, remote_url: Some(url),
}, sensitive: false,
) content_warning: None,
owner_id: user.id,
},
))
}
} }
pub fn set_owner(&self, conn: &Connection, user: &User) { pub fn set_owner(&self, conn: &Connection, user: &User) {
@ -177,7 +181,7 @@ impl Media {
NewMedia { NewMedia {
file_path: path.to_str()?.to_string(), file_path: path.to_str()?.to_string(),
alt_text: image.object_props.content_string().ok()?, alt_text: image.object_props.content_string().ok()?,
is_remote: true, is_remote: false,
remote_url: None, remote_url: None,
sensitive: image.object_props.summary_string().is_ok(), sensitive: image.object_props.summary_string().is_ok(),
content_warning: image.object_props.summary_string().ok(), content_warning: image.object_props.summary_string().ok(),

View File

@ -267,7 +267,7 @@ impl User {
} }
pub fn fetch_from_url(conn: &Connection, url: &str) -> Option<User> { pub fn fetch_from_url(conn: &Connection, url: &str) -> Option<User> {
User::fetch(url).map(|json| { User::fetch(url).and_then(|json| {
(User::from_activity( (User::from_activity(
conn, conn,
&json, &json,
@ -275,11 +275,11 @@ impl User {
.expect("User::fetch_from_url: url error") .expect("User::fetch_from_url: url error")
.host_str() .host_str()
.expect("User::fetch_from_url: host error"), .expect("User::fetch_from_url: host error"),
)) ).ok())
}) })
} }
fn from_activity(conn: &Connection, acct: &CustomPerson, inst: &str) -> User { fn from_activity(conn: &Connection, acct: &CustomPerson, inst: &str) -> Result<User, ()> {
let instance = match Instance::find_by_domain(conn, inst) { let instance = match Instance::find_by_domain(conn, inst) {
Some(instance) => instance, Some(instance) => instance,
None => { None => {
@ -301,6 +301,11 @@ impl User {
} }
}; };
if acct.object.ap_actor_props.preferred_username_string()
.expect("User::from_activity: preferredUsername error")
.contains(&['<', '>', '&', '@', '\'', '"'][..]) {
return Err(());
}
let user = User::insert( let user = User::insert(
conn, conn,
NewUser { NewUser {
@ -308,7 +313,7 @@ impl User {
.object .object
.ap_actor_props .ap_actor_props
.preferred_username_string() .preferred_username_string()
.expect("User::from_activity: preferredUsername error"), .unwrap(),
display_name: acct display_name: acct
.object .object
.object_props .object_props
@ -374,9 +379,11 @@ impl User {
&user, &user,
); );
user.set_avatar(conn, avatar.id); if let Ok(avatar) = avatar {
user.set_avatar(conn, avatar.id);
}
user Ok(user)
} }
pub fn refetch(&self, conn: &Connection) { pub fn refetch(&self, conn: &Connection) {
@ -391,7 +398,7 @@ impl User {
.url_string() .url_string()
.expect("User::refetch: icon.url error"), .expect("User::refetch: icon.url error"),
&self, &self,
); ).ok();
diesel::update(self) diesel::update(self)
.set(( .set((
@ -427,7 +434,7 @@ impl User {
.ap_actor_props .ap_actor_props
.followers_string() .followers_string()
.expect("User::refetch: followers error")), .expect("User::refetch: followers error")),
users::avatar_id.eq(Some(avatar.id)), users::avatar_id.eq(avatar.map(|a| a.id)),
users::last_fetched_date.eq(Utc::now().naive_utc()), users::last_fetched_date.eq(Utc::now().naive_utc()),
)) ))
.execute(conn) .execute(conn)