From 038b770706751dece61dc522bb24bc59028bf5bc Mon Sep 17 00:00:00 2001
From: trinkey
Date: Sat, 8 Mar 2025 09:18:11 -0500
Subject: [PATCH] fix ipv6 exploit + minor rewrite
---
 main.py | 39 +++++++++++++++++++++++++++++----------
 public/index.html | 2 +-
 2 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/main.py b/main.py
index 06351ec..d0d2dec 100644
--- a/main.py
+++ b/main.py
@@ -10,11 +10,13 @@ from secret import token
 REVERSE_PROXY = False # if True: uses X-Real-IP header instead of remote addr
 BASE_DIR = Path(__file__).parent
 TIMEOUT = 15 * 60
-CONTENT_WARNING = "test post ignore" # "Post from a random person - trinkey is not responsible for the content!!"
+MAX_LENGTH = 100_000
+CONTENT_WARNING = "Post can contain any text"
+PROMO_URL = "\n\nhttps://everyone.trinkey.com/"
 POST_URL = "https://is.trinkey.com/api/iceshrimp/notes"
 RUN_CONF = {
 "debug": True,
- "host": "127.0.0.1",
+ "host": "0.0.0.0",
 "port": "8000"
 }
@@ -30,11 +32,26 @@ except json.JSONDecodeError:
 ...
 def save():
+ now = time.time()
+
+ to_remove = []
+ for i in data:
+ if data[i] < now:
+ to_remove.append(i)
+
+ for i in to_remove:
+ del data[i]
+
 with open(BASE_DIR / "blocked.json", "w") as f:
 json.dump(data, f)
 def get_ip() -> str:
- return (flask.request.headers.get("X-Real-IP") if REVERSE_PROXY else flask.request.remote_addr) or "0.0.0.0"
+ ip = (flask.request.headers.get("X-Real-IP") if REVERSE_PROXY else flask.request.remote_addr) or "0.0.0.0"
+
+ if ":" in ip:
+ ip = ip[:20] + ":/64"
+
+ return ip
 @app.route("/", methods=["POST", "GET"])
 def index() -> bytes:
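Review bot: Binding to `"host": "0.0.0.0"` while the context line just above still reads `"debug": True` exposes Werkzeug's interactive debugger to every network the host is on; that debugger executes arbitrary Python on any unhandled exception and its PIN is not a security boundary. Flip it to `"debug": False` (or read it from an environment variable) in the same change that widens the bind address, and keep the dev server behind the reverse proxy that the `REVERSE_PROXY` flag already anticipates. `MAX_LENGTH` and `PROMO_URL` are fine on their own, but `MAX_LENGTH - len(PROMO_URL)` is recomputed in two later hunks; a single `MAX_POST_LENGTH = MAX_LENGTH - len(PROMO_URL)` defined here would keep the form limit and the server-side limit in step.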
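Review bot: The new /64 bucketing in get_ip slices the textual address (`ip[:20]`) rather than the prefix bits, so addresses in one /64 still land in different buckets whenever the compressed prefix is shorter than 20 characters (`2001:db8:1:1:` is 13 characters, leaving the rest of the key to the host part the client controls), and with `REVERSE_PROXY` on a forged `X-Real-IP` can vary leading zeros or letter case to mint a fresh key per request — the bypass the commit title targets is narrowed, not closed. Parse with the stdlib and key on the canonical network, `ipaddress.IPv6Network((addr, 64), strict=False)`, and unwrap `addr.ipv4_mapped` so a dual-stack front end does not collapse every IPv4 client into `::/64` (one poster would then lock all of them out for 15 minutes). Rejecting anything that is not an address also means only canonical strings reach the `{{ IP }}` substitution into the page in the later hunk. This needs `import ipaddress` in the import block above, which is outside the hunk; the cleanup loop added to save() is correct but could be one comprehension over `data.items()`.

```python
def get_ip() -> str:
    """Return the rate-limit key for the caller: the IPv4 address, or the /64 for IPv6."""
    raw = (flask.request.headers.get("X-Real-IP") if REVERSE_PROXY else flask.request.remote_addr) or "0.0.0.0"
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:  # not an address at all; only reachable via a malformed/spoofed header
        return "0.0.0.0"
    if addr.version == 6:
        if addr.ipv4_mapped is not None:  # dual-stack listeners present IPv4 clients as ::ffff:a.b.c.d
            return str(addr.ipv4_mapped)
        # key on the prefix bits, not the text, so every address in the /64 shares one bucket
        return str(ipaddress.IPv6Network((addr, 64), strict=False))
    return str(addr)
```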
@@ -43,12 +60,14 @@ def index() -> bytes:
 message = ""
 if flask.request.method == "POST":
- if not cant_post:
- content = (flask.request.form.get("text") or "").strip()
+ if cant_post:
+ message = "You can't post yet!"
+ else:
+ content = (flask.request.form.get("text") or "").strip()[:MAX_LENGTH - len(PROMO_URL)]
 if content:
 resp = requests.post(POST_URL, json={
- "text": content,
+ "text": content + PROMO_URL,
 "cw": CONTENT_WARNING,
 "replyId": None,
 "renoteId": None,
@@ -60,20 +79,20 @@ def index() -> bytes:
 })
 if resp.status_code == 200:
+ cant_post = True
 data[ip] = int(time.time() + TIMEOUT)
 save()
 message = "Success!"
 else:
- message = f"Got non-200 status code ({resp})"
+ message = f"Got non-200 status code ({resp.status_code})"
 else:
 message = "Enter some text!"
- else:
- message = "You can't post yet!"
 return open(BASE_DIR / "public/index.html", "rb").read() \
 .replace(b"{{ IP }}", str.encode(ip)) \
 .replace(b"{{ EXPIRE }}", str.encode(str(data[ip] if cant_post else 0))) \
- .replace(b"{{ ERROR }}", str.encode(message))
+ .replace(b"{{ ERROR }}", str.encode(message)) \
+ .replace(b"{{ MAX_LENGTH }}", str.encode(str(MAX_LENGTH - len(PROMO_URL))))
 if __name__ == "__main__":
 app.run(**RUN_CONF)
diff --git a/public/index.html b/public/index.html
index 006382d..a54f466 100644
--- a/public/index.html
+++ b/public/index.html
@@ -29,7 +29,7 @@
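Review bot: The slice `.strip()[:MAX_LENGTH - len(PROMO_URL)]` silently truncates an oversize post and then reports `Success!`, and it counts code points while the upstream limit (and the HTML `maxlength`, if that is what the index.html hunk sets) may count differently. An explicit rejection alongside the existing empty check is safer: `elif len(content) > MAX_LENGTH - len(PROMO_URL): message = "Post is too long!"`, with the slice dropped so the user sees what happened instead of a mangled post. The repeated `MAX_LENGTH - len(PROMO_URL)` (here and in the `{{ MAX_LENGTH }}` replacement of the next hunk) belongs in one module-level constant. The enclosing index() starts before this hunk and continues past it.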
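Review bot: `cant_post = True` and `data[ip] = ...` are written only after `requests.post` returns, while the check that gates the POST runs earlier in index(), so several concurrent POSTs from one key all pass the check and all get forwarded — the per-IP limit is a check-then-act race, which matters more now that the service binds to all interfaces and Flask's dev server handles requests in threads by default. Reserve the slot before the upstream call and release it on failure (sketch below); a `threading.Lock` around the check-and-set would be the stricter fix. Reporting `resp.status_code` is an improvement, but the `requests.post` context line above still has no `timeout=`, so a stalled upstream pins the worker indefinitely. index() starts before and continues past this hunk.

```python
            if content:
                # reserve the slot first so concurrent posts from the same key are refused
                cant_post = True
                data[ip] = int(time.time() + TIMEOUT)
                # … unchanged: resp = requests.post(POST_URL, json={...}) …
                if resp.status_code == 200:
                    save()
                    message = "Success!"
                else:
                    # release the reservation so a failed upstream call does not cost the 15 minutes
                    cant_post = False
                    data.pop(ip, None)
                    message = f"Got non-200 status code ({resp.status_code})"
```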

Enter your post below. Anyone can post anything, once every 15 minutes per IP address.

-
+
Moderation enforced at trinkey's discretion. This service can go down temporarily or permanently at any time. All posts are viewable by anyone and cannot be deleted.