gochan/gochan
1
0
Fork 0
mirror of https://github.com/Eggbertx/gochan.git synced 2025-08-02 10:56:25 -07:00
Code Releases Activity

Add filename and username banning, add more de-deprecation stuff to posting/post.go

Browse source
This commit is contained in:
Eggbertx 2022-11-07 12:56:51 -08:00
parent b69536b772
commit 379e846daf
10 changed files with 531 additions and 405 deletions
Download patch file Download diff file Expand all files Collapse all files

24
cmd/gochan/server.go
View file

@ -66,34 +66,34 @@ func (s gochanServer) serveFile(writer http.ResponseWriter, request *http.Reques
// set mime type/cache headers according to the file's extension
func (*gochanServer) setFileHeaders(filename string, writer http.ResponseWriter) {
extension := strings.ToLower(gcutil.GetFileExtension(filename))
extension := strings.ToLower(path.Ext(filename))
switch extension {
case "png":
case ".png":
writer.Header().Set("Content-Type", "image/png")
writer.Header().Set("Cache-Control", "max-age=86400")
case "gif":
case ".gif":
writer.Header().Set("Content-Type", "image/gif")
writer.Header().Set("Cache-Control", "max-age=86400")
case "jpg":
case ".jpg":
fallthrough
case "jpeg":
case ".jpeg":
writer.Header().Set("Content-Type", "image/jpeg")
writer.Header().Set("Cache-Control", "max-age=86400")
case "css":
case ".css":
writer.Header().Set("Content-Type", "text/css")
writer.Header().Set("Cache-Control", "max-age=43200")
case "js":
case ".js":
writer.Header().Set("Content-Type", "text/javascript")
writer.Header().Set("Cache-Control", "max-age=43200")
case "json":
case ".json":
writer.Header().Set("Content-Type", "application/json")
writer.Header().Set("Cache-Control", "max-age=5, must-revalidate")
case "webm":
case ".webm":
writer.Header().Set("Content-Type", "video/webm")
writer.Header().Set("Cache-Control", "max-age=86400")
case "htm":
case ".htm":
fallthrough
case "html":
case ".html":
writer.Header().Set("Content-Type", "text/html")
writer.Header().Set("Cache-Control", "max-age=5, must-revalidate")
default:
@ -135,7 +135,7 @@ func initServer() {
fmt.Println("Got error when initializing Akismet spam protection, it will be disabled:", err)
}
server.namespaces["banned"] = posting.BanHandler
// server.namespaces["banned"] = posting.BanHandler
server.namespaces["captcha"] = posting.ServeCaptcha
server.namespaces["manage"] = manage.CallManageFunction
server.namespaces["post"] = posting.MakePost

82
pkg/gcsql/bans.go
View file

@ -1,18 +1,26 @@
package gcsql
import "database/sql"
import (
"database/sql"
"regexp"
)
type Ban interface {
IsGlobalBan() bool
}
// CheckIPBan returns the latest active IP ban for the given IP, as well as any errors. If the
// IPBan pointer is nil, the IP has no active bans
func CheckIPBan(ip string) (*IPBan, error) {
func CheckIPBan(ip string, boardID int) (*IPBan, error) {
const query = `SELECT
id, staff_id, board_id, banned_for_post_id, copy_post_text, is_thread_ban,
is_active, ip, issued_at, appeal_at, expires_at, permanent, staff_note,
message, can_appeal
FROM DBPREFIXip_ban WHERE ip = ? AND is_active AND (expires_at > CURRENT_TIMESTAMP OR permanent)
FROM DBPREFIXip_ban WHERE ip = ? AND (board_id IS NULL OR board_id = ?) AND
is_active AND (expires_at > CURRENT_TIMESTAMP OR permanent)
ORDER BY id DESC LIMIT 1`
var ban IPBan
err := QueryRowSQL(query, interfaceSlice(ip), interfaceSlice(
err := QueryRowSQL(query, interfaceSlice(ip, boardID), interfaceSlice(
&ban.ID, &ban.StaffID, &ban.BoardID, &ban.BannedForPostID, &ban.CopyPostText, &ban.IsThreadBan,
&ban.IsActive, &ban.IP, &ban.IssuedAt, &ban.AppealAt, &ban.ExpiresAt, &ban.Permanent, &ban.StaffNote,
&ban.Message, &ban.CanAppeal))
@ -23,6 +31,70 @@ func CheckIPBan(ip string) (*IPBan, error) {
}
// IsGlobalBan returns true if BoardID is a nil int, meaning they are banned on all boards, as opposed to a specific one
func (ipb *IPBan) IsGlobalBan() bool {
func (ipb IPBan) IsGlobalBan() bool {
return ipb.BoardID == nil
}
func checkUsernameOrFilename(usernameFilename string, check string, boardID int) (*filenameOrUsernameBanBase, error) {
query := `SELECT
id, board_id, staff_id, staff_note, issued_at, ` + usernameFilename + `, is_regex
FROM DBPREFIX` + usernameFilename + `_ban WHERE (` + usernameFilename + ` = ? OR is_regex) AND (board_id IS NULL OR board_id = ?)`
rows, err := QuerySQL(query, check, boardID)
if err != nil {
return nil, err
}
defer rows.Close()
for rows.Next() {
var ban filenameOrUsernameBanBase
err = rows.Scan(&ban.ID, &ban.BoardID, &ban.StaffID, &ban.StaffNote, &ban.IssuedAt, &ban.check, &ban.IsRegex)
if err == sql.ErrNoRows {
return nil, nil
} else if err != nil {
return nil, err
}
if ban.IsRegex {
match, err := regexp.MatchString(ban.check, check)
if err != nil {
return nil, err
}
if match {
return &ban, nil
}
} else if ban.check == check {
return &ban, nil
}
}
return nil, nil
}
func CheckNameBan(name string, boardID int) (*UsernameBan, error) {
banBase, err := checkUsernameOrFilename("username", name, boardID)
if err != nil {
return nil, err
}
if banBase == nil {
return nil, nil
}
return &UsernameBan{
Username: banBase.check,
filenameOrUsernameBanBase: *banBase,
}, nil
}
func (ub filenameOrUsernameBanBase) IsGlobalBan() bool {
return ub.BoardID == nil
}
func CheckFilenameBan(filename string, boardID int) (*FilenameBan, error) {
banBase, err := checkUsernameOrFilename("filename", filename, boardID)
if err != nil {
return nil, err
}
if banBase == nil {
return nil, nil
}
return &FilenameBan{
Filename: banBase.check,
filenameOrUsernameBanBase: *banBase,
}, nil
}

13
pkg/gcsql/posts.go
View file

@ -4,6 +4,7 @@ import (
"database/sql"
"errors"
"fmt"
"html"
"html/template"
"time"
@ -231,6 +232,18 @@ func (p *Post) GetUpload() (*Upload, error) {
return upload, err
}
// Sanitize escapes HTML strings in a post. This should be run immediately before
// the post is inserted into the database
func (p *Post) Sanitize() {
if !p.sanitized {
p.Name = html.EscapeString(p.Name)
p.Email = html.EscapeString(p.Email)
p.Subject = html.EscapeString(p.Subject)
p.Password = html.EscapeString(p.Password)
p.sanitized = true
}
}
// UnlinkUploads disassociates the post with any uploads in DBPREFIXfiles
// that may have been uploaded with it, optionally leaving behind a "File Deleted"
// frame where the thumbnail appeared

31
pkg/gcsql/tables.go
View file

@ -60,16 +60,22 @@ type FileBan struct {
Checksum string `json:"checksum"` // sql: `checksum`
}
type filenameOrUsernameBanBase struct {
ID int // sql: id
BoardID *int // sql: board_id
StaffID int // sql: staff_id
StaffNote string // sql: staff_note
IssuedAt time.Time // sql: issued_at
check string // replaced with username or filename
IsRegex bool // sql: is_regex
}
// FilenameBan represents a ban on a specific filename or filename regular expression.
// table: DBPREFIXfilename_ban
type FilenameBan struct {
ID int `json:"id"` // sql: `id`
BoardID int `json:"board_id"` // sql: `board_id`
StaffID int `json:"staff_id"` // sql: `staff_id`
StaffNote string `json:"staff_note"` // sql: `staff_note`
IssuedAt time.Time `json:"issued_at"` // sql: `issued_at`
Filename string `json:"filename"` // sql: `filename`
IsRegex bool `json:"is_regex"` // sql: `is_regex`
filenameOrUsernameBanBase
Filename string // sql: `filename`
IsRegex bool // sql: `is_regex`
}
// Upload represents a file attached to a post.
@ -161,6 +167,8 @@ type Post struct {
DeletedAt time.Time // sql: `deleted_at`
IsDeleted bool // sql: `is_deleted`
BannedMessage string // sql: `banned_message`
sanitized bool
}
// table: DBPREFIXreports
@ -224,13 +232,8 @@ type Thread struct {
// table: DBPREFIXusername_ban
type UsernameBan struct {
ID int `json:"id"` // sql: `id`
BoardID *int `json:"board"` // sql: `board_id`
StaffID int `json:"staff_id"` // sql: `staff_id`
StaffNote string `json:"staff_note"` // sql: `staff_note`
IssuedAt time.Time `json:"issued_at"` // sql: `issued_at`
Username string `json:"username"` // sql: `username`
IsRegex bool `json:"is_regex"` // sql: `is_regex`
filenameOrUsernameBanBase
Username string // sql: `username`
}
// table DBPREFIXwordfilters

36
pkg/gcsql/uploads.go
View file

@ -1,6 +1,8 @@
package gcsql
import (
"errors"
"github.com/gochan-org/gochan/pkg/gcsql.bak"
"github.com/gochan-org/gochan/pkg/gcutil"
)
@ -12,10 +14,9 @@ const (
FROM DBPREFIXfiles `
)
// ThumbnailPath returns the thumbnail path of the upload, given an thumbnail type ("thumbnail" or "catalog")
func (u *Upload) ThumbnailPath(thumbType string) string {
return gcutil.GetThumbnailPath(thumbType, u.Filename)
}
var (
ErrAlreadyAttached = errors.New("upload already processed")
)
// GetThreadFiles gets a list of the files owned by posts in the thread, including thumbnails for convenience.
func GetThreadFiles(post *Post) ([]Upload, error) {
@ -40,3 +41,30 @@ func GetThreadFiles(post *Post) ([]Upload, error) {
}
return uploads, nil
}
func (p *Post) AttachFile(upload *Upload) error {
const query = `INSERT INTO DBPREFIXfiles (
post_id, file_order, original_filename, filename, checksum, file_size,
is_spoilered, thumbnail_width, thumbnail_height, width, height)
VALUES(?,?,?,?,?,?,?,?,?,?,?)`
if upload.ID > 0 {
return ErrAlreadyAttached
}
uploadID, err := getNextFreeID("DBPREFIXfiles")
if err != nil {
return err
}
if _, err = ExecSQL(query,
&upload.PostID, &upload.FileOrder, &upload.OriginalFilename, &upload.Filename, &upload.Checksum, &upload.FileSize,
&upload.IsSpoilered, &upload.ThumbnailWidth, &upload.ThumbnailHeight, &upload.Width, &upload.Height,
); err != nil {
return err
}
upload.ID = uploadID
return nil
}
// ThumbnailPath returns the thumbnail path of the upload, given an thumbnail type ("thumbnail" or "catalog")
func (u *Upload) ThumbnailPath(thumbType string) string {
return gcutil.GetThumbnailPath(thumbType, u.Filename)
}

82
pkg/gctemplates/funcs.go
View file

@ -153,51 +153,51 @@ var funcMap = template.FuncMap{
return dict, nil
},
// Imageboard functions
"bannedForever": func(banInfo *gcsql.BanInfo) bool {
return banInfo.BannedForever()
},
"isBanned": func(banInfo *gcsql.BanInfo, board string) bool {
return banInfo.IsBanned(board)
},
"isOP": func(post gcsql.Post) bool {
return post.ParentID == 0
},
// "bannedForever": func(banInfo *gcsql.BanInfo) bool {
// return banInfo.BannedForever()
// },
// "isBanned": func(banInfo *gcsql.BanInfo, board string) bool {
// return banInfo.IsBanned(board)
// },
// "isOP": func(post gcsql.Post) bool {
// return post.ParentID == 0
// },
"getCatalogThumbnail": func(img string) string {
return gcutil.GetThumbnailPath("catalog", img)
},
"getThreadID": func(postInterface interface{}) (thread int) {
post, ok := postInterface.(gcsql.Post)
if !ok {
thread = 0
} else if post.ParentID == 0 {
thread = post.ID
} else {
thread = post.ParentID
}
return
},
"getPostURL": func(postInterface interface{}, typeOf string, withDomain bool) (postURL string) {
systemCritical := config.GetSystemCriticalConfig()
if withDomain {
postURL = systemCritical.SiteDomain
}
postURL += systemCritical.WebRoot
// "getThreadID": func(postInterface interface{}) (thread int) {
// post, ok := postInterface.(gcsql.Post)
// if !ok {
// thread = 0
// } else if post.ParentID == 0 {
// thread = post.ID
// } else {
// thread = post.ParentID
// }
// return
// },
// "getPostURL": func(postInterface interface{}, typeOf string, withDomain bool) (postURL string) {
// systemCritical := config.GetSystemCriticalConfig()
// if withDomain {
// postURL = systemCritical.SiteDomain
// }
// postURL += systemCritical.WebRoot
if typeOf == "recent" {
post, ok := postInterface.(gcsql.RecentPost)
if !ok {
return
}
postURL = post.GetURL(withDomain)
} else {
post, ok := postInterface.(*gcsql.Post)
if !ok {
return
}
postURL = post.GetURL(withDomain)
}
return
},
// if typeOf == "recent" {
// post, ok := postInterface.(gcsql.RecentPost)
// if !ok {
// return
// }
// postURL = post.GetURL(withDomain)
// } else {
// post, ok := postInterface.(*gcsql.Post)
// if !ok {
// return
// }
// postURL = post.GetURL(withDomain)
// }
// return
// },
"getThreadThumbnail": func(img string) string {
return gcutil.GetThumbnailPath("thread", img)
},

63
pkg/gcutil/util.go
View file

@ -109,12 +109,6 @@ func GetFileParts(filename string) (string, string, string) {
return base, noExt, ext
}
// GetFileExtension returns the given file's extension, or a blank string if it has none
func GetFileExtension(filename string) string {
_, _, ext := GetFileParts(filename)
return ext
}
// GetFormattedFilesize returns a human readable filesize
func GetFormattedFilesize(size float64) string {
if size < 1000 {
@ -144,19 +138,41 @@ func GetRealIP(request *http.Request) string {
return remoteHost
}
// GetThumbnailExt returns the extension to be used when creating a thumbnail of img. For non-image files,
// it just returns the extension, in which case a generic icon will be (eventually) used
func GetThumbnailExt(filename string) string {
ext := filepath.Ext(strings.ToLower(filename))
switch ext {
case ".gif":
fallthrough
case ".png":
fallthrough
case ".webm":
fallthrough
case ".webp":
return "png"
case ".jpg":
fallthrough
case ".jpeg":
fallthrough
case "mp4":
return "jpg"
default:
// invalid file format
return ""
}
}
// GetThumbnailPath returns the thumbnail path of the given filename
func GetThumbnailPath(thumbType string, img string) string {
filetype := strings.ToLower(img[strings.LastIndex(img, ".")+1:])
if filetype == "gif" || filetype == "webm" || filetype == "mp4" {
filetype = "jpg"
}
ext := GetThumbnailExt(img)
index := strings.LastIndex(img, ".")
if index < 0 || index > len(img) {
return ""
}
thumbSuffix := "t." + filetype
thumbSuffix := "t." + ext
if thumbType == "catalog" {
thumbSuffix = "c." + filetype
thumbSuffix = "c." + ext
}
return img[0:index] + thumbSuffix
}
@ -273,26 +289,3 @@ func StripHTML(htmlIn string) string {
}
return ""
}
func ThumbnailExtension(filename string) string {
ext := filepath.Ext(strings.ToLower(filename))
switch ext {
case ".gif":
fallthrough
case ".png":
fallthrough
case ".webm":
fallthrough
case ".webp":
return "png"
case ".jpg":
fallthrough
case ".jpeg":
fallthrough
case "mp4":
return "jpg"
default:
// invalid file format
return ""
}
}

236
pkg/manage/actions.go
View file

@ -5,15 +5,12 @@ import (
"database/sql"
"errors"
"fmt"
"html"
"net"
"net/http"
"os"
"path"
"regexp"
"strconv"
"strings"
"time"
"github.com/gochan-org/gochan/pkg/building"
"github.com/gochan-org/gochan/pkg/config"
@ -117,15 +114,14 @@ var actions = []Action{
}
return "You are not logged in", err
}
numSessions, err := staff.CleanSessions()
if err != nil && err != sql.ErrNoRows {
if err = staff.ClearSessions(); err != nil && err != sql.ErrNoRows {
// something went wrong when trying to clean out sessions for this user
return nil, err
}
serverutil.DeleteCookie(writer, request, "sessiondata")
gcutil.LogInfo().
gcutil.LogAccess(request).
Str("clearSessions", staff.Username).
Int64("cleared", numSessions)
Send()
if !wantsJSON {
http.Redirect(writer, request,
config.GetSystemCriticalConfig().WebRoot+"manage",
@ -197,7 +193,7 @@ var actions = []Action{
}
return manageRecentsBuffer.String(), nil
}},
{
/* {
ID: "filebans",
Title: "File bans",
Permissions: ModPerms,
@ -334,7 +330,7 @@ var actions = []Action{
}
return manageBansBuffer.String(), nil
},
},
}, */
{
ID: "ipbans",
Title: "IP Bans",
@ -344,67 +340,84 @@ var actions = []Action{
return "", gcutil.ErrNotImplemented
},
},
{
ID: "bans",
Title: "Bans",
Permissions: ModPerms,
Callback: func(writer http.ResponseWriter, request *http.Request, staff *gcsql.Staff, wantsJSON bool) (output interface{}, err error) { //TODO whatever this does idk man
var outputStr string
var post gcsql.Post
errorEv := gcutil.LogError(nil).
Str("action", "bans").
Str("staff", staff.Username)
defer errorEv.Discard()
/* {
ID: "bans",
Title: "Bans",
Permissions: ModPerms,
Callback: func(writer http.ResponseWriter, request *http.Request, staff *gcsql.Staff, wantsJSON bool) (output interface{}, err error) { //TODO whatever this does idk man
var outputStr string
var post gcsql.Post
errorEv := gcutil.LogError(nil).
Str("action", "bans").
Str("staff", staff.Username)
defer errorEv.Discard()
if request.FormValue("do") == "add" {
ip := request.FormValue("ip")
name := request.FormValue("name")
nameIsRegex := (request.FormValue("nameregex") == "on")
checksum := request.FormValue("checksum")
filename := request.FormValue("filename")
durationForm := request.FormValue("duration")
permaban := (durationForm == "" || durationForm == "0" || durationForm == "forever")
duration, err := gcutil.ParseDurationString(durationForm)
if err != nil {
errorEv.Err(err).Send()
if request.FormValue("do") == "add" {
ip := request.FormValue("ip")
name := request.FormValue("name")
nameIsRegex := (request.FormValue("nameregex") == "on")
checksum := request.FormValue("checksum")
filename := request.FormValue("filename")
durationForm := request.FormValue("duration")
permaban := (durationForm == "" || durationForm == "0" || durationForm == "forever")
duration, err := gcutil.ParseDurationString(durationForm)
if err != nil {
errorEv.Err(err).Send()
return "", err
}
expires := time.Now().Add(duration)
boards := request.FormValue("boards")
reason := html.EscapeString(request.FormValue("reason"))
staffNote := html.EscapeString(request.FormValue("staffnote"))
if filename != "" {
err = gcsql.CreateFileNameBan(filename, nameIsRegex, staff.Username, staffNote, boards)
}
if err != nil {
outputStr += err.Error()
errorEv.Err(err).Send()
err = nil
}
if name != "" {
if err = gcsql.CreateUserNameBan(name, nameIsRegex, staff.Username, permaban, staffNote, boards); err != nil {
errorEv.
Str("banType", "username").
Str("user", name).Send()
return "", err
}
expires := time.Now().Add(duration)
gcutil.LogInfo().
Str("action", "bans").
Str("staff", staff.Username).
Str("banType", "username").
Str("user", name).
Bool("permaban", permaban).Send()
}
boards := request.FormValue("boards")
reason := html.EscapeString(request.FormValue("reason"))
staffNote := html.EscapeString(request.FormValue("staffnote"))
if filename != "" {
err = gcsql.CreateFileNameBan(filename, nameIsRegex, staff.Username, staffNote, boards)
}
if request.FormValue("fullban") == "on" {
err = gcsql.CreateUserBan(ip, false, staff.Username, boards, expires, permaban, staffNote, reason, true, time.Now())
if err != nil {
outputStr += err.Error()
errorEv.Err(err).Send()
err = nil
errorEv.
Str("banType", "ip").
Str("banIP", ip).
Bool("threadBan", false).
Str("bannedFromBoards", boards).Send()
return "", err
}
if name != "" {
if err = gcsql.CreateUserNameBan(name, nameIsRegex, staff.Username, permaban, staffNote, boards); err != nil {
errorEv.
Str("banType", "username").
Str("user", name).Send()
return "", err
}
gcutil.LogInfo().
Str("action", "bans").
Str("staff", staff.Username).
Str("banType", "username").
Str("user", name).
Bool("permaban", permaban).Send()
}
if request.FormValue("fullban") == "on" {
err = gcsql.CreateUserBan(ip, false, staff.Username, boards, expires, permaban, staffNote, reason, true, time.Now())
gcutil.LogInfo().
Str("staff", staff.Username).
Str("banType", "ip").
Str("banIP", ip).
Bool("threadBan", true).
Str("bannedFromBoards", boards).Send()
} else {
if request.FormValue("threadban") == "on" {
err = gcsql.CreateUserBan(ip, true, staff.Username, boards, expires, permaban, staffNote, reason, true, time.Now())
if err != nil {
errorEv.
Str("banType", "ip").
Str("banIP", ip).
Bool("threadBan", false).
Bool("threadBan", true).
Str("bannedFromBoards", boards).Send()
return "", err
}
@ -414,72 +427,55 @@ var actions = []Action{
Str("banIP", ip).
Bool("threadBan", true).
Str("bannedFromBoards", boards).Send()
} else {
if request.FormValue("threadban") == "on" {
err = gcsql.CreateUserBan(ip, true, staff.Username, boards, expires, permaban, staffNote, reason, true, time.Now())
if err != nil {
errorEv.
Str("banType", "ip").
Str("banIP", ip).
Bool("threadBan", true).
Str("bannedFromBoards", boards).Send()
return "", err
}
gcutil.LogInfo().
Str("staff", staff.Username).
Str("banType", "ip").
Str("banIP", ip).
Bool("threadBan", true).
Str("bannedFromBoards", boards).Send()
}
if request.FormValue("imageban") == "on" {
err = gcsql.CreateFileBan(checksum, staff.Username, staffNote, boards)
if err != nil {
errorEv.
Str("banType", "fileBan").
Str("checksum", checksum).Send()
return "", err
}
gcutil.LogInfo().
Str("staff", staff.Username).
}
if request.FormValue("imageban") == "on" {
err = gcsql.CreateFileBan(checksum, staff.Username, staffNote, boards)
if err != nil {
errorEv.
Str("banType", "fileBan").
Str("checksum", checksum).Send()
return "", err
}
gcutil.LogInfo().
Str("staff", staff.Username).
Str("banType", "fileBan").
Str("checksum", checksum).Send()
}
}
}
if request.FormValue("postid") != "" {
var err error
post, err = gcsql.GetSpecificPostByString(request.FormValue("postid"), true)
if err != nil {
errorEv.Err(err).Str("postid", request.FormValue("postid")).Msg("Error getting post")
err = errors.New("Error getting post: " + err.Error())
return "", err
}
}
banlist, err := gcsql.GetAllBans()
if request.FormValue("postid") != "" {
var err error
post, err = gcsql.GetSpecificPostByString(request.FormValue("postid"), true)
if err != nil {
errorEv.Err(err).Msg("Error getting ban list")
err = errors.New("Error getting ban list: " + err.Error())
errorEv.Err(err).Str("postid", request.FormValue("postid")).Msg("Error getting post")
err = errors.New("Error getting post: " + err.Error())
return "", err
}
manageBansBuffer := bytes.NewBufferString("")
}
if err = serverutil.MinifyTemplate(gctemplates.ManageBans, map[string]interface{}{
// "systemCritical": config.GetSystemCriticalConfig(),
"banlist": banlist,
"post": post,
}, manageBansBuffer, "text/html"); err != nil {
gcutil.LogError(err).
Str("staff", staff.Username).
Str("action", "bans").
Str("template", "manage_bans.html").Send()
return "", errors.New("Error executing ban management page template: " + err.Error())
}
outputStr += manageBansBuffer.String()
return outputStr, nil
}},
banlist, err := gcsql.GetAllBans()
if err != nil {
errorEv.Err(err).Msg("Error getting ban list")
err = errors.New("Error getting ban list: " + err.Error())
return "", err
}
manageBansBuffer := bytes.NewBufferString("")
if err = serverutil.MinifyTemplate(gctemplates.ManageBans, map[string]interface{}{
// "systemCritical": config.GetSystemCriticalConfig(),
"banlist": banlist,
"post": post,
}, manageBansBuffer, "text/html"); err != nil {
gcutil.LogError(err).
Str("staff", staff.Username).
Str("action", "bans").
Str("template", "manage_bans.html").Send()
return "", errors.New("Error executing ban management page template: " + err.Error())
}
outputStr += manageBansBuffer.String()
return outputStr, nil
}}, */
{
ID: "ipsearch",
Title: "IP Search",
@ -573,6 +569,7 @@ var actions = []Action{
if err != nil {
return nil, err
}
defer rows.Close()
reports := make([]map[string]interface{}, 0)
for rows.Next() {
var id int
@ -1063,6 +1060,7 @@ var actions = []Action{
Permissions: AdminPerms,
Callback: func(writer http.ResponseWriter, request *http.Request, staff *gcsql.Staff, wantsJSON bool) (output interface{}, err error) {
var outputStr string
messages, err := gcsql.GetAllNondeletedMessageRaw()
if err != nil {
return "", err
@ -1192,7 +1190,7 @@ var actions = []Action{
request.FormValue("find"),
request.FormValue("replace"),
request.FormValue("isregex") == "on",
strings.Split(request.FormValue("boarddirs"), ","),
request.FormValue("boarddirs"),
staff.ID,
request.FormValue("staffnote"))
}
@ -1200,11 +1198,11 @@ var actions = []Action{
return err, err
}
wordfilters, err := gcsql.GetWordFilters()
wordfilters, err := gcsql.GetWordfilters()
if err != nil {
return wordfilters, nil
}
var editFilter *gcsql.WordFilter
var editFilter *gcsql.Wordfilter
if editIDstr != "" {
editID := gcutil.HackyStringToInt(editIDstr)
for _, filter := range wordfilters {

179
pkg/posting/bans.go
View file

@ -1,11 +1,6 @@
package posting
import (
"crypto/md5"
"database/sql"
"fmt"
"html"
"io"
"net/http"
"github.com/gochan-org/gochan/pkg/config"
@ -15,82 +10,114 @@ import (
"github.com/gochan-org/gochan/pkg/serverutil"
)
const (
_ = iota
ThreadBan
ImageBan
FullBan
)
// BanHandler is used for serving ban pages
func BanHandler(writer http.ResponseWriter, request *http.Request) {
appealMsg := request.FormValue("appealmsg")
// banStatus, err := getBannedStatus(request) // TODO refactor to use ipban
var banStatus gcsql.BanInfo
var err error
systemCritical := config.GetSystemCriticalConfig()
siteConfig := config.GetSiteConfig()
boardConfig := config.GetBoardConfig("")
if appealMsg != "" {
if banStatus.BannedForever() {
fmt.Fprint(writer, "No.")
return
}
escapedMsg := html.EscapeString(appealMsg)
if err = gcsql.AddBanAppeal(banStatus.ID, escapedMsg); err != nil {
serverutil.ServeErrorPage(writer, err.Error())
}
fmt.Fprint(writer,
"Appeal sent. It will (hopefully) be read by a staff member. check "+systemCritical.WebRoot+"banned occasionally for a response",
)
return
}
if err != nil && err != sql.ErrNoRows {
gcutil.LogError(err).Msg("Failed getting banned status")
serverutil.ServeErrorPage(writer, "Error getting banned status: "+err.Error())
return
}
if err = serverutil.MinifyTemplate(gctemplates.Banpage, map[string]interface{}{
"systemCritical": systemCritical,
"siteConfig": siteConfig,
"boardConfig": boardConfig,
"ban": banStatus,
"banBoards": banStatus.Boards,
"post": gcsql.Post{},
}, writer, "text/html"); err != nil {
func showBanpage(ban gcsql.Ban, banType string, filename string, post *gcsql.Post, postBoard *gcsql.Board, writer http.ResponseWriter, request *http.Request) {
// TODO: possibly split file/username/filename bans into separate page template
err := serverutil.MinifyTemplate(gctemplates.Banpage, map[string]interface{}{
"systemCritical": config.GetSystemCriticalConfig(),
"siteConfig": config.GetSiteConfig(),
"boardConfig": config.GetBoardConfig(postBoard.Dir),
"ban": ban,
"board": postBoard,
}, writer, "text/html")
if err != nil {
gcutil.LogError(err).
Str("template", "banpage").
Msg("Failed minifying template")
serverutil.ServeErrorPage(writer, "Error minifying page template: "+err.Error())
Str("IP", post.IP).
Str("building", "minifier").
Str("banType", banType).
Str("template", "banpage.html").Send()
serverutil.ServeErrorPage(writer, "Error minifying page: "+err.Error())
return
}
ev := gcutil.LogInfo().
Str("IP", post.IP).
Str("boardDir", postBoard.Dir).
Str("banType", banType)
switch banType {
case "ip":
ev.Msg("Rejected post from banned IP")
case "username":
ev.
Str("name", post.Name).
Str("tripcode", post.Tripcode).
Msg("Rejected post with banned name/tripcode")
case "filename":
ev.
Str("filename", filename).
Msg("Rejected post with banned filename")
}
}
// Checks check poster's name/tripcode/file checksum (from Post post) for banned status
// returns ban table if the user is banned or sql.ErrNoRows if they aren't
func getBannedStatus(request *http.Request) (*gcsql.BanInfo, error) {
formName := request.FormValue("postname")
var tripcode string
if formName != "" {
parsedName := gcutil.ParseName(formName)
tripcode += parsedName["name"]
if tc, ok := parsedName["tripcode"]; ok {
tripcode += "!" + tc
}
}
ip := gcutil.GetRealIP(request)
// func BanHandler(writer http.ResponseWriter, request *http.Request) {
// ip := gcutil.GetRealIP(request)
// ipBan, err := gcsql.CheckIPBan(ip, 0)
// if err != nil {
// gcutil.LogError(err).
// Str("IP", ip).
// Msg("Error checking IP banned status (/banned request)")
// serverutil.ServeErrorPage(writer, "Error checking banned status: "+err.Error())
// return
// }
var filename string
var checksum string
file, fileHandler, err := request.FormFile("imagefile")
if err == nil {
html.EscapeString(fileHandler.Filename)
if data, err2 := io.ReadAll(file); err2 == nil {
checksum = fmt.Sprintf("%x", md5.Sum(data))
}
file.Close()
// }
// checks the post for spam. It returns true if a ban page or an error page was served (causing MakePost() to return)
func checkIpBan(post *gcsql.Post, postBoard *gcsql.Board, writer http.ResponseWriter, request *http.Request) bool {
ipBan, err := gcsql.CheckIPBan(post.IP, postBoard.ID)
if err != nil {
gcutil.LogError(err).
Str("IP", post.IP).
Str("boardDir", postBoard.Dir).
Msg("Error getting IP banned status")
serverutil.ServeErrorPage(writer, "Error getting ban info"+err.Error())
return true
}
return gcsql.CheckBan(ip, tripcode, filename, checksum)
if ipBan == nil {
return false // ip is not banned and there were no errors, keep going
}
// IP is banned
showBanpage(ipBan, "ip", "", post, postBoard, writer, request)
return true
}
func checkUsernameBan(formName string, post *gcsql.Post, postBoard *gcsql.Board, writer http.ResponseWriter, request *http.Request) bool {
if formName == "" {
return false
}
nameBan, err := gcsql.CheckNameBan(formName, postBoard.ID)
if err != nil {
gcutil.LogError(err).
Str("IP", post.IP).
Str("name", formName).
Str("boardDir", postBoard.Dir).
Msg("Error getting name banned status")
serverutil.ServeErrorPage(writer, "Error getting name ban info")
return true
}
if nameBan == nil {
return false // name is not banned
}
showBanpage(nameBan, "username", "", post, postBoard, writer, request)
return true
}
func checkFilenameBan(filename string, post *gcsql.Post, postBoard *gcsql.Board, writer http.ResponseWriter, request *http.Request) bool {
if filename == "" {
return false
}
filenameBan, err := gcsql.CheckFilenameBan(filename, postBoard.ID)
if err != nil {
gcutil.LogError(err).
Str("IP", post.IP).
Str("filename", filename).
Str("boardDir", postBoard.Dir).
Msg("Error getting name banned status")
serverutil.ServeErrorPage(writer, "Error getting filename ban info")
return true
}
if filenameBan == nil {
return false
}
showBanpage(filenameBan, "filename", filename, post, postBoard, writer, request)
return true
}

190
pkg/posting/post.go
View file

@ -1,9 +1,8 @@
package posting
import (
"bytes"
"crypto/md5"
"database/sql"
"errors"
"fmt"
"html"
"image"
@ -13,6 +12,7 @@ import (
"os"
"os/exec"
"path"
"path/filepath"
"strconv"
"strings"
"syscall"
@ -22,7 +22,6 @@ import (
"github.com/gochan-org/gochan/pkg/building"
"github.com/gochan-org/gochan/pkg/config"
"github.com/gochan-org/gochan/pkg/gcsql"
"github.com/gochan-org/gochan/pkg/gctemplates"
"github.com/gochan-org/gochan/pkg/gcutil"
"github.com/gochan-org/gochan/pkg/serverutil"
)
@ -31,9 +30,21 @@ const (
yearInSeconds = 31536000
)
var (
ErrorPostTooLong = errors.New("post is too long")
)
func rejectPost(reasonShort string, reasonLong string, data map[string]interface{}, writer http.ResponseWriter, request *http.Request) {
gcutil.LogError(errors.New(reasonLong)).
Str("rejectedPost", reasonShort).
Str("IP", gcutil.GetRealIP(request)).
Fields(data).Send()
data["rejected"] = reasonLong
serverutil.ServeError(writer, reasonLong, serverutil.IsRequestingJSON(request), data)
}
// MakePost is called when a user accesses /post. Parse form data, then insert and build
func MakePost(writer http.ResponseWriter, request *http.Request) {
var maxMessageLength int
var post gcsql.Post
var formName string
var nameCookie string
@ -46,17 +57,33 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
http.Redirect(writer, request, systemCritical.WebRoot, http.StatusFound)
return
}
wantsJSON := serverutil.IsRequestingJSON(request)
post.IP = gcutil.GetRealIP(request)
post.ParentID, _ = strconv.Atoi(request.FormValue("threadid"))
post.BoardID, _ = strconv.Atoi(request.FormValue("boardid"))
var postBoard gcsql.Board
postBoard, err := gcsql.GetBoardFromID(post.BoardID)
var err error
threadidStr := request.FormValue("threadid")
if threadidStr != "" {
// post is a reply
if post.ThreadID, err = strconv.Atoi(threadidStr); err != nil {
rejectPost("invalidFormData", "Invalid form data (invalid threadid)", map[string]interface{}{
"threadidStr": threadidStr,
}, writer, request)
return
}
}
boardidStr := request.FormValue("boardid")
boardID, err := strconv.Atoi(boardidStr)
if err != nil {
gcutil.LogError(err).
Int("boardid", post.BoardID).
Str("IP", post.IP).
Msg("Error getting board info")
serverutil.ServeErrorPage(writer, "Error getting board info: "+err.Error())
rejectPost("invalidForm", "Invalid form data (invalid boardid)", map[string]interface{}{
"boardidStr": boardidStr,
}, writer, request)
return
}
postBoard, err := gcsql.GetBoardFromID(boardID)
if err != nil {
rejectPost("boardInfoError", "Error getting board info: "+err.Error(), map[string]interface{}{
"boardid": boardID,
}, writer, request)
return
}
@ -86,32 +113,23 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
}
post.Subject = request.FormValue("postsubject")
post.MessageText = strings.Trim(request.FormValue("postmsg"), "\r\n")
if maxMessageLength, err = gcsql.GetMaxMessageLength(post.BoardID); err != nil {
gcutil.LogError(err).
Int("boardid", post.BoardID).
Str("IP", post.IP).
Msg("Error getting board info")
serverutil.ServeErrorPage(writer, "Error getting board info: "+err.Error())
post.MessageRaw = strings.TrimSpace(request.FormValue("postmsg"))
if len(post.MessageRaw) > postBoard.MaxMessageLength {
rejectPost("messageLength", "Message is too long", map[string]interface{}{
"messageLength": len(post.MessageRaw),
"boardid": boardID,
}, writer, request)
return
}
if len(post.MessageText) > maxMessageLength {
serverutil.ServeErrorPage(writer, "Post body is too long")
if post.MessageRaw, err = ApplyWordFilters(post.MessageRaw, postBoard.Dir); err != nil {
rejectPost("wordfilterError", "Error formatting post: "+err.Error(), map[string]interface{}{
"boardDir": postBoard.Dir,
}, writer, request)
return
}
if post.MessageText, err = ApplyWordFilters(post.MessageText, postBoard.Dir); err != nil {
gcutil.LogError(err).
Str("IP", post.IP).
Str("boardDir", postBoard.Dir).
Msg("Error applying wordfilters")
serverutil.ServeErrorPage(writer, "Error formatting post: "+err.Error())
return
}
post.MessageHTML = FormatMessage(post.MessageText, postBoard.Dir)
post.Message = FormatMessage(post.MessageRaw, postBoard.Dir)
password := request.FormValue("postpassword")
if password == "" {
password = gcutil.RandomString(8)
@ -135,11 +153,11 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
MaxAge: yearInSeconds,
})
post.Timestamp = time.Now()
post.CreatedOn = time.Now()
// post.PosterAuthority = getStaffRank(request)
post.Bumped = time.Now()
post.Stickied = request.FormValue("modstickied") == "on"
post.Locked = request.FormValue("modlocked") == "on"
// bumpedTimestamp := time.Now()
// isSticky := request.FormValue("modstickied") == "on"
// isLocked := request.FormValue("modlocked") == "on"
//post has no referrer, or has a referrer from a different domain, probably a spambot
if !serverutil.ValidReferer(request) {
@ -147,12 +165,13 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
Str("spam", "badReferer").
Str("IP", post.IP).
Msg("Rejected post from possible spambot")
serverutil.ServeError(writer, "Your post looks like spam", wantsJSON, nil)
return
}
akismetResult := serverutil.CheckPostForSpam(
post.IP, request.Header.Get("User-Agent"), request.Referer(),
post.Name, post.Email, post.MessageText,
post.Name, post.Email, post.MessageRaw,
)
logEvent := gcutil.LogInfo().
Str("User-Agent", request.Header.Get("User-Agent")).
@ -160,55 +179,41 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
switch akismetResult {
case "discard":
logEvent.Str("akismet", "discard").Send()
serverutil.ServeErrorPage(writer, "Your post looks like spam.")
serverutil.ServeError(writer, "Your post looks like spam.", wantsJSON, nil)
return
case "spam":
logEvent.Str("akismet", "spam").Send()
serverutil.ServeErrorPage(writer, "Your post looks like spam.")
serverutil.ServeError(writer, "Your post looks like spam.", wantsJSON, nil)
return
default:
logEvent.Discard()
}
postDelay, _ := gcsql.SinceLastPost(post.IP)
if postDelay > -1 {
if post.ParentID == 0 && postDelay < boardConfig.NewThreadDelay {
serverutil.ServeErrorPage(writer, "Please wait before making a new thread.")
return
} else if post.ParentID > 0 && postDelay < boardConfig.ReplyDelay {
serverutil.ServeErrorPage(writer, "Please wait before making a reply.")
return
}
var delay int
var tooSoon bool
if threadidStr == "" {
// creating a new thread
delay, err = gcsql.SinceLastThread(post.IP)
tooSoon = delay < boardConfig.NewThreadDelay
} else {
delay, err = gcsql.SinceLastPost(post.IP)
tooSoon = delay < boardConfig.ReplyDelay
}
banStatus, err := getBannedStatus(request)
if err != nil && err != sql.ErrNoRows {
gcutil.LogError(err).
Str("IP", post.IP).
Fields(gcutil.ParseName(formName)).
Msg("Error getting banned status")
serverutil.ServeErrorPage(writer, "Error getting banned status: "+err.Error())
if err != nil {
rejectPost("cooldownError", "Error checking post cooldown: "+err.Error(), map[string]interface{}{
"boardDir": postBoard.Dir,
}, writer, request)
return
}
if tooSoon {
rejectPost("cooldownError", "Please wait before making a new post", map[string]interface{}{}, writer, request)
return
}
boards, _ := gcsql.GetAllBoards()
if banStatus != nil && banStatus.IsBanned(postBoard.Dir) {
var banpageBuffer bytes.Buffer
if err = serverutil.MinifyTemplate(gctemplates.Banpage, map[string]interface{}{
"systemCritical": config.GetSystemCriticalConfig(),
"siteConfig": config.GetSiteConfig(),
"boardConfig": config.GetBoardConfig(""),
"ban": banStatus,
"banBoards": boards[post.BoardID-1].Dir,
}, writer, "text/html"); err != nil {
gcutil.LogError(err).
Str("building", "minifier").Send()
serverutil.ServeErrorPage(writer, "Error minifying page: "+err.Error())
return
}
writer.Write(banpageBuffer.Bytes())
if checkIpBan(&post, postBoard, writer, request) {
return
}
if checkUsernameBan(formName, &post, postBoard, writer, request) {
return
}
@ -232,8 +237,7 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
var filePath, thumbPath, catalogThumbPath string
if err != nil || handler.Size == 0 {
// no file was uploaded
post.Filename = ""
if strings.TrimSpace(post.MessageText) == "" {
if strings.TrimSpace(post.MessageRaw) == "" {
serverutil.ServeErrorPage(writer, "Post must contain a message if no image is uploaded.")
return
}
@ -250,33 +254,21 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
return
}
defer file.Close()
post.FilenameOriginal = html.EscapeString(handler.Filename)
ext := gcutil.GetFileExtension(post.FilenameOriginal)
thumbExt := strings.ToLower(ext)
if thumbExt == "gif" || thumbExt == "webm" || thumbExt == "mp4" {
thumbExt = "jpg"
}
var upload gcsql.Upload
upload.OriginalFilename = html.EscapeString(handler.Filename)
ext := strings.ToLower(filepath.Ext(upload.OriginalFilename))
upload.Filename = getNewFilename() + ext
post.Filename = getNewFilename() + "." + ext
boardExists := gcsql.DoesBoardExistByID(
gcutil.HackyStringToInt(request.FormValue("boardid")))
if !boardExists {
serverutil.ServeErrorPage(writer, "No boards have been created yet")
return
}
var _board = gcsql.Board{}
err = _board.PopulateData(gcutil.HackyStringToInt(request.FormValue("boardid")))
if err != nil {
gcutil.LogError(err).
Str("IP", post.IP).
Str("posting", "updateBoard").Send()
serverutil.ServeErrorPage(writer, "Server error: "+err.Error())
return
}
boardDir := _board.Dir
filePath = path.Join(systemCritical.DocumentRoot, boardDir, "src", post.Filename)
thumbPath = path.Join(systemCritical.DocumentRoot, boardDir, "thumb", strings.Replace(post.Filename, "."+ext, "t."+thumbExt, -1))
catalogThumbPath = path.Join(systemCritical.DocumentRoot, boardDir, "thumb", strings.Replace(post.Filename, "."+ext, "c."+thumbExt, -1))
filePath = path.Join(systemCritical.DocumentRoot, postBoard.Dir, "src", upload.Filename)
thumbPath = path.Join(systemCritical.DocumentRoot, postBoard.Dir, "thumb", upload.ThumbnailPath("thumb"))
catalogThumbPath = path.Join(systemCritical.DocumentRoot, postBoard.Dir, "thumb", upload.ThumbnailPath("catalog"))
if err = os.WriteFile(filePath, data, 0644); err != nil {
gcutil.LogError(err).
@ -353,7 +345,7 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
}
}
thumbType := "reply"
if post.ParentID == 0 {
if post.IsTopPost {
thumbType = "op"
}
post.ThumbW, post.ThumbH = getThumbnailSize(post.ImageW, post.ImageH, boardDir, thumbType)
@ -474,7 +466,7 @@ func MakePost(writer http.ResponseWriter, request *http.Request) {
}
// rebuild the board page
building.BuildBoards(false, post.BoardID)
building.BuildBoards(false, postBoard.ID)
building.BuildFrontPage()
if emailCommand == "noko" {