fix ipv6 exploit + minor rewrite

2025-03-08 09:18:11 -05:00 · 2025-03-08 09:18:11 -05:00 · 038b770706
commit 038b770706
parent a2e0f9d2c6
2 changed files with 30 additions and 11 deletions
--- a/main.py
+++ b/main.py
@ -10,11 +10,13 @@ from secret import token
 REVERSE_PROXY = False # if True: uses X-Real-IP header instead of remote addr
 BASE_DIR = Path(__file__).parent
 TIMEOUT = 15 * 60
-CONTENT_WARNING = "test post ignore" # "Post from a random person - trinkey is not responsible for the content!!"
+MAX_LENGTH = 100_000
 CONTENT_WARNING = "Post can contain any text"
 PROMO_URL = "\n\nhttps://everyone.trinkey.com/"
 POST_URL = "https://is.trinkey.com/api/iceshrimp/notes"
 RUN_CONF = {
    "debug": True,
-    "host": "127.0.0.1",
+    "host": "0.0.0.0",
    "port": "8000"
 }
@ -30,11 +32,26 @@ except json.JSONDecodeError:
    ...
 def save():
    now = time.time()
    to_remove = []
    for i in data:
        if data[i] < now:
            to_remove.append(i)
    for i in to_remove:
        del data[i]
    with open(BASE_DIR / "blocked.json", "w") as f:
        json.dump(data, f)
 def get_ip() -> str:
-    return (flask.request.headers.get("X-Real-IP") if REVERSE_PROXY else flask.request.remote_addr) or "0.0.0.0"
+    ip = (flask.request.headers.get("X-Real-IP") if REVERSE_PROXY else flask.request.remote_addr) or "0.0.0.0"
    if ":" in ip:
        ip = ip[:20] + ":/64"
    return ip
@app.route("/", methods=["POST", "GET"])
 def index() -> bytes:
@ -43,12 +60,14 @@ def index() -> bytes:
    message = ""
    if flask.request.method == "POST":
-        if not cant_post:
+        if cant_post:
-            content = (flask.request.form.get("text") or "").strip()
+            message = "You can't post yet!"
        else:
            content = (flask.request.form.get("text") or "").strip()[:MAX_LENGTH - len(PROMO_URL)]
            if content:
                resp = requests.post(POST_URL, json={
-                    "text": content,
+                    "text": content + PROMO_URL,
                    "cw": CONTENT_WARNING,
                    "replyId": None,
                    "renoteId": None,
@ -60,20 +79,20 @@ def index() -> bytes:
                })
                if resp.status_code == 200:
                    cant_post = True
                    data[ip] = int(time.time() + TIMEOUT)
                    save()
                    message = "Success!"
                else:
-                    message = f"Got non-200 status code ({resp})"
+                    message = f"Got non-200 status code ({resp.status_code})"
            else:
                message = "Enter some text!"
        else:
            message = "You can't post yet!"
    return open(BASE_DIR / "public/index.html", "rb").read() \
            .replace(b"{{ IP }}", str.encode(ip)) \
            .replace(b"{{ EXPIRE }}", str.encode(str(data[ip] if cant_post else 0))) \
-            .replace(b"{{ ERROR }}", str.encode(message))
+            .replace(b"{{ ERROR }}", str.encode(message)) \
            .replace(b"{{ MAX_LENGTH }}", str.encode(str(MAX_LENGTH - len(PROMO_URL))))
 if __name__ == "__main__":
    app.run(**RUN_CONF)
--- a/public/index.html
+++ b/public/index.html
@ -29,7 +29,7 @@
    <hr>
    <p>Enter your post below. Anyone can post anything, once every 15 minutes per IP address.</p>
    <form method="POST" action="/">
-      <div><textarea name="text" id="text" required placeholder="a stupid fedi post"></textarea></div>
+      <div><textarea name="text" id="text" required maxlength="{{ MAX_LENGTH }}" placeholder="a stupid fedi post"></textarea></div>
      <div><input type="submit" value="Post!"></div>
    </form>
    <small>Moderation enforced at trinkey's discretion. This service can go down temporarily or permanently at any time. All posts are viewable by anyone and cannot be deleted.</small>