Chat: always enforce length limits from config

2022-06-17 00:06:45 +00:00 · 2022-06-17 00:06:45 +00:00 · e147aa0d22
--- a/anonstream/chat.py
+++ b/anonstream/chat.py
@ -62,14 +62,21 @@ def add_chat_message(user, nonce, comment, ignore_empty=False):
        raise Rejected('Message was empty')
    if len(comment.strip()) == 0:
        raise Rejected('Message was practically empty')
-    if len(comment) > 512:
-        raise Rejected('Message exceeded 512 chars')
-    if comment.count('\n') + 1 > 12:
-        raise Rejected('Message exceeded 12 lines')
+    if len(comment) > CONFIG['CHAT_COMMENT_MAX_LENGTH']:
+        raise Rejected(
+            f'Message exceeded {CONFIG["CHAT_COMMENT_MAX_LENGTH"]} chars'
+        )

+    if comment.count('\n') + 1 > CONFIG['CHAT_COMMENT_MAX_LINES']:
+        raise Rejected(
+            f'Message exceeded {CONFIG["CHAT_COMMENT_MAX_LINES"]} lines'
+        )
    linespan = get_approx_linespan(comment)
-    if linespan > 12:
-        raise Rejected('Message would span too many lines')
+    if linespan > CONFIG['CHAT_COMMENT_MAX_LINES']:
+        raise Rejected(
+            f'Message would span {CONFIG["CHAT_COMMENT_MAX_LINES"]} '
+            f'or more lines'
+        )

    # Record linespan
    linespan_tuple = (timestamp, linespan)
--- a/anonstream/config.py
+++ b/anonstream/config.py
@ -117,9 +117,11 @@ def toml_to_flask_section_chat(config):
    cfg = config['chat']
    return {
        'CHAT_COMMENT_MAX_LENGTH': cfg['max_comment_length'],
+        'CHAT_COMMENT_MAX_LINES': cfg['max_comment_lines'],
        'CHAT_NAME_MAX_LENGTH': cfg['max_name_length'],
        'CHAT_NAME_MIN_CONTRAST': cfg['min_name_contrast'],
        'CHAT_BACKGROUND_COLOUR': color_to_colour(cfg['background_color']),
+        'CHAT_TRIPCODE_PASSWORD_MAX_LENGTH': cfg['max_tripcode_password_length'],
        'CHAT_LEGACY_TRIPCODE_ALGORITHM': cfg['legacy_tripcode_algorithm'],
    }

--- a/anonstream/routes/nojs.py
+++ b/anonstream/routes/nojs.py
@ -92,6 +92,9 @@ async def nojs_chat_form(user):
        nonce=generate_nonce(),
        digest=get_random_captcha_digest_for(user),
        default_name=get_default_name(user),
+        max_comment_length=CONFIG['CHAT_COMMENT_MAX_LENGTH'],
+        max_name_length=CONFIG['CHAT_NAME_MAX_LENGTH'],
+        max_password_length=CONFIG['CHAT_TRIPCODE_PASSWORD_MAX_LENGTH'],
    )

@current_app.post('/chat/form')
--- a/anonstream/static/anonstream.js
+++ b/anonstream/static/anonstream.js
@ -33,7 +33,7 @@ const jsmarkup_chat_users = `\
 const jsmarkup_chat_form = `\
 <form id="chat-form_js" data-js="true" action="/chat" method="post">
  <input id="chat-form_js__nonce" type="hidden" name="nonce" value="">
-  <textarea id="chat-form_js__comment" name="comment" maxlength="512" required placeholder="Send a message..." rows="1" autofocus></textarea>
+  <textarea id="chat-form_js__comment" name="comment" required placeholder="Send a message..." rows="1" autofocus></textarea>
  <div id="chat-live">
    <span id="chat-live__ball"></span>
    <span id="chat-live__status">
@ -55,10 +55,10 @@ const jsmarkup_chat_form = `\
 </form>
 <form id="appearance-form_js" data-hidden="">
  <span id="appearance-form_js__label-name">Name:</span>
-  <input id="appearance-form_js__name" name="name" maxlength="24">
+  <input id="appearance-form_js__name" name="name">
  <input id="appearance-form_js__color" type="color" name="color">
  <span id="appearance-form_js__label-tripcode">Tripcode:</span>
-  <input id="appearance-form_js__password" type="password" name="password" placeholder="(tripcode password)" maxlength="1024">
+  <input id="appearance-form_js__password" type="password" name="password" placeholder="(tripcode password)">
  <div id="appearance-form_js__row">
    <article id="appearance-form_js__row__result"></article>
    <input id="appearance-form_js__row__submit" type="submit" value="Update">
--- a/anonstream/templates/nojs_chat_form.html
+++ b/anonstream/templates/nojs_chat_form.html
@ -220,7 +220,7 @@
  {% endif %}
  <form id="chat-form" action="{{ url_for('nojs_submit_message', token=user.token) }}" method="post">
    <input type="hidden" name="nonce" value="{{ nonce }}">
-    <textarea id="chat-form__comment" name="comment" maxlength="512" {% if digest is none %}required {% endif %} placeholder="Send a message..." rows="1" tabindex="1" autofocus accesskey="m">{{ state.comment }}</textarea>
+    <textarea id="chat-form__comment" name="comment" maxlength="{{ max_comment_length }}" {% if digest is none %}required {% endif %} placeholder="Send a message..." rows="1" tabindex="1" autofocus accesskey="m">{{ state.comment }}</textarea>
    <input id="chat-form__submit" type="submit" value="Chat" tabindex="4" accesskey="p">
    <div id="chat-form__exit"><label for="toggle" class="pseudolink">Settings</label></div>
    {% if digest %}
@ -231,7 +231,7 @@
  </form>
  <form id="appearance-form" action="{{ url_for('nojs_submit_appearance', token=user.token) }}" method="post">
    <label id="appearance-form__label-name" for="appearance-form__name">Name:</label>
-    <input id="appearance-form__name" name="name" value="{{ user.name or '' }}" placeholder="{{ default_name }}" maxlength="24">
+    <input id="appearance-form__name" name="name" value="{{ user.name or '' }}" placeholder="{{ default_name }}" maxlength="{{ max_name_length }}">
    <input type="color" name="color" value="{{ user.color }}">
    <label id="appearance-form__label-password" for="appearance-form__password">Tripcode:</label>
    <input id="password-toggle" name="set-tripcode" type="checkbox" accesskey="s">
@ -247,7 +247,7 @@
        <label id="hide-cleared" for="cleared-toggle" class="pseudolink">undo</label>
      {% endif %}
    </div>
-    <input id="appearance-form__password" name="password" type="password" placeholder="(tripcode password)" maxlength="1024">
+    <input id="appearance-form__password" name="password" type="password" placeholder="(tripcode password)" maxlength="{{ max_password_length }}">
    <div id="hide-password"><label for="password-toggle" class="pseudolink x">&times;</label></div>
    <div id="appearance-form__buttons">
      <div id="appearance-form__buttons__exit"><label for="toggle" class="pseudolink">Return to chat</label></div>
--- a/anonstream/user.py
+++ b/anonstream/user.py
@ -93,8 +93,10 @@ def change_name(user, name, dry_run=False):
        if name is not None:
            if len(name) == 0:
                raise BadAppearance('Name was empty')
-            if len(name) > 24:
-                raise BadAppearance('Name exceeded 24 chars')
+            if len(name) > CONFIG['CHAT_NAME_MAX_LENGTH']:
+                raise BadAppearance(
+                    f'Name exceeded {CONFIG["CHAT_NAME_MAX_LENGTH"]} chars'
+                )
    else:
        user['name'] = name

@ -119,8 +121,11 @@ def change_color(user, color, dry_run=False):

 def change_tripcode(user, password, dry_run=False):
    if dry_run:
-        if len(password) > 1024:
-            raise BadAppearance('Password exceeded 1024 chars')
+        if len(password) > CONFIG['CHAT_TRIPCODE_PASSWORD_MAX_LENGTH']:
+            raise BadAppearance(
+                f'Password exceeded '
+                f'{CONFIG["CHAT_TRIPCODE_PASSWORD_MAX_LENGTH"]} chars'
+            )
    else:
        user['tripcode'] = generate_tripcode(password)

--- a/config.toml
+++ b/config.toml
@ -53,9 +53,11 @@ anonymous = "Anonymous"

 [chat]
 max_comment_length = 512
+max_comment_lines = 12
 max_name_length = 24
 min_name_contrast = 3.0
 background_color = "#232327"
+max_tripcode_password_length = 1024
 legacy_tripcode_algorithm = false

 [flood.messages]